MARK HEYINK
Is South Africa ready for POPI?
Date: 22/10/2013

Protection of Personal Information
• Right to be left alone
• Enshrined in section 14 of the Constitution
• Balances the right of privacy with other rights, in particular access to information
• Prescribes minimum processing requirements
• Provides remedies for abuse of PI
• Protects the free flow of information
• International harmony
ICE (Prof. Lawrence Lessig)
• Market
• Architecture
• Law
• Norms
Status of the Protection of Personal Information Bill
• Passed by the House of Assembly on 20th August
• President to assent
• Transitional period: 1 year
• Regulator will need to be appointed and established
Definitions
• Data Subject = person to whom personal information relates
• Responsible Party = determines the purpose of and means for processing personal information
• Operator = processes information on behalf of the Responsible Party
• Personal Information = information relating to an identifiable living natural person or juristic person
• Processing = widely defined and includes collection, storage, communication, use, alteration and destruction
• Record = any recorded information regardless of form or medium
Application of POPIA
• General law of application
• Processing of personal information
• Non-automated processing if intended for a filing system
• Public and private bodies
Accountability
• The responsible party (the person who determines the purpose and means of processing) must ensure that the conditions are complied with
• Must identify the PI being processed and ensure processing is managed appropriately
• Operators must also be managed
Processing Limitation
• PI must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject
• Minimality
• Adequate, relevant and not excessive
• Consent, justification and objection
• Section 11 justifications
Processing Limitation
• Collection directly from the data subject
• Exceptions:
  • public record or deliberately made public by the DS
  • no prejudice to the DS
  • enforcement of law
  • court proceedings
  • national interest
Purpose Specification
• Collection for a specific purpose, expressly defined
• Data subject aware of the purpose and of the collection of PI [s 17(2)]
• Retention for no longer than the PI may be required
• Some exceptions, including where required by law and for statistical, historical or research purposes
Further Processing
• Further processing must be compatible with the purpose for which the PI was initially collected
• Section 15 sets out guidelines which assist the responsible party in determining compatibility of purpose
Information Quality
• Responsible party must take reasonably practicable steps to ensure information remains complete, accurate, not misleading and is updated where necessary
• ECTA Chapter 3: UNCITRAL Model Laws on E-Commerce and e-Signatures
• Information Security
Openness
• Openness promotes transparency and fairness
• Maintain all documentation of processing operations
• Data subject must be aware of:
  • Information collected
  • Identity of the Responsible Party
  • Purpose of collection
• Various other protections
• Compliance not necessary in some instances: section 18(4)
Security Safeguards
• Responsible party must:
  • secure the integrity of personal information
  • apply GAISP
  • ensure operators apply GAISP
• Notification of security breaches to:
  • Regulator
  • Data subject
Data-subject Participation
• Data subject has the right to:
  • access to PI; and
  • request correction or deletion of PI
• If the responsible party disagrees with the correction, it must still attach to the PI the information that the data subject has requested correction
• Provisions of ss 18 and 53 of PAIA apply
Information Security
• Seeks to safeguard:
  • Confidentiality
  • Integrity
  • Availability
• Must address:
  • Technology
  • Process
  • People
• MISS???
Information Officer
• Statutory requirement
• Must be a leader
• Change of culture
• Must know the organisation
• Must understand the law
• Will work with the Regulator
• PAIA
Conclusion
• We live in the Information Revolution
• Dangers abound
• Law is challenged
• PPI Bill and Regulator a step in the right direction
• This is only the first step
• Education is critical
THANK YOU
The incidents related and examples provided in this presentation are based on fact; only names and dates have been changed to protect the innocent (and not so innocent) people involved.
Mark Heyink
mark@heyink.co.za
Tel 011 454 0449
Fax 011 454 0036
Cell 082 904 3774