Post on 27-Mar-2022
WHAT IS POPIA?
The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa’s
comprehensive data protection legislation. POPIA aims to balance your
constitutional right to privacy, against other competing rights and interests,
especially the right of access to information.
THE LINGO YOU’VE GOT TO KNOW
Personal Information: information identifiable to any person.
The data subject: the person to whom the information relates.
The responsible party: the person who determines why and how to process the
information.
The operator: a person who processes personal information on behalf of the
responsible party.
Processing: any operation performed on personal information.
Information Regulator: the body created by POPIA to monitor and enforce
compliance by public and private bodies.
EXCLUSIONS
There are certain circumstances where POPIA does not apply. These are called
“exclusions”. We have listed them below.
Personal/household activity: This includes any notes, lists, and other personal
information collected and stored for private use.
Deidentified information: This means that you are unable to identify a person just
by looking at this kind of information.
National security: If the processing of personal information, such as a criminal
record, is necessary for the safety of the country, certain relaxations in
compliance would apply.
Journalism: Journalists acting in line with their code of ethics would be exempt
from compliance with certain provisions.
Art and literature: Compliance restrictions are relaxed when the processing is
solely for artistic or literary purposes.
WHY COMPLY
PERSONAL INFORMATION IS AN ASSET
Securing this asset [1] becomes something which is marketable and may lead to
increased business. This is because if you are treating personal information in a
better way than your competitors, customers are likely to gravitate to you. If you
need convincing, check out this abridged version of the Cambridge Analytica
scandal. [2]
ENTRY INTO THE INFORMATION ECONOMY
Personal Information cannot be exchanged with companies who don’t comply
with strict data protection laws. Non-compliance will probably lead to only a
limited number of compliant businesses agreeing to do business with you.
REPUTATION
Becoming POPIA compliant will increase transparency which in turn will inspire
trust in any entity. People place immense value on trust, and fostering that trust
will inevitably make your business more popular.
COST SAVING
Investigations into information governance often reveal inefficient processes and
systems, which, when streamlined, will increase efficiency and productivity.
[1] A 2019 study valued personal data at about $1,000.00 a year. https://www.statista.com/chart/18433/the-price-of-personal-information/
[2] https://www.vox.com/policy-and-politics/2018/3/23/17151916/facebook-cambridge-analytica-trump-diagram
LAWFULNESS
Not least of all, there are severe penalties imposed for non-compliance. The
Information Regulator can impose administrative fines of up to R10 million, or
even, in certain instances, imprisonment.
HOW TO COMPLY
ASSESS
Identify any gaps in compliance by conducting a thorough gap analysis.
PLAN
Identify processes and procedures that need to be put in place in order to ensure
compliance.
DEVELOP
Create and/or update your policies and align your procedures with your
compliance plan.
IMPLEMENT
Train and educate all role players. Every person MUST have an accurate and
complete idea of what is expected of them in terms of ensuring personal
information is protected.
MONITOR
Establish checks and balances to monitor compliance and identify any shortfalls.
REACT
Have clear, practical and compliant reaction plans in place for any kind of breach.
WHICH PRIVACY LAWS APPLY TO MY ORGANISATION?
The Promotion of Access to Information Act, or PAIA was established to promote
the right of access to information and to promote transparency and accountability
within both the public and private sectors of society in order to more fully realise
South Africa's goals of an open and participatory democracy.
The Regulation of Interception of Communications Act, or RICA regulates the
interception of communications, the monitoring of radio signals and radio
frequency spectrums, and the provision of communication-related information in
the records of telecommunication service providers. It regulates law enforcement
where interception of communications is involved and prohibits the provision of
telecommunication services which do not have the capability to be intercepted. It
also requires telecommunication service providers to store communication-
related information.
The General Data Protection Regulation, or GDPR is the European Union’s (“EU”)
version of POPIA. The GDPR's primary aim is to give control to individuals over
their personal data. It also aims to simplify the regulatory environment
for international business by unifying the regulation within the EU. If you transfer
data to another country, that country needs to have privacy laws at least equal to
POPIA. The GDPR is one of the few regulations that provide data protection
similar to POPIA, so transferring personal data to the EU will not breach POPIA.
CHOOSE A FRAMEWORK
There are a number of potentially viable frameworks to choose from. A
framework is essentially a basic structure that you can base your privacy
compliance program on. It saves you having to reinvent the wheel. You are not
obliged to follow one: you can extract those elements that best suit your
organisation. Here are three examples:
GAPP – Generally Accepted Privacy Principles; [3]
ISO27001 – ISO/IEC 27001 Information Security Management; [4] and
NIST – National Institute of Standards and Technology. [5]
[3] https://iapp.org/media/presentations/11Summit/DeathofSASHO2.pdf
[4] https://www.iso.org/isoiec-27001-information-security.html
[5] https://www.nist.gov/cyberframework
DESIGN YOUR PRIVACY TEAM
WHAT SHOULD YOUR PRIVACY TEAM LOOK LIKE?
WHAT ARE THE DUTIES OF THE INFORMATION OFFICER AND DEPUTY
INFORMATION OFFICER?
The Information Officer of a public body is the head of that public body. This
means that for a national or provincial government department it is the Director-
General or the equivalent official of that department who is the Information Officer.
For a municipality the municipal manager is the Information Officer. In the case of
any other public body the Chief Executive Officer is the Information Officer. In the
case of a private body, the Information Officer is by default the owner of the
business.
THE INFORMATION OFFICER HAS THE DUTY AND RESPONSIBILITY TO:
- encourage compliance with the conditions for the lawful processing of
personal information in terms of POPIA;
- deal with requests made in terms of POPIA;
- work with the Information Regulator in relation to any investigations to be
conducted; and
- otherwise ensure compliance by the body with the provisions of POPIA.
THE INFORMATION OFFICER IS RESPONSIBLE FOR ENSURING THAT:
- a compliance framework is developed, implemented, monitored and
maintained;
- a personal information impact assessment is done to ensure that adequate
measures and standards exist in order to comply with the conditions for the
lawful processing of personal information;
- a manual is developed, monitored, maintained and made available as
prescribed in terms of POPIA and PAIA (this should be made available on
your website as well as at your offices for public viewing during normal
business hours). These manuals must also be made available for copy, at
payment of a fee which fee does not exceed R3.50 per page. The manual
must specify inter alia:
- the purpose of the processing of personal information;
- a description of the categories of data subjects;
- the recipients to whom the personal information may be supplied; and
- the planned trans-border or cross-border flows of personal
information.
- internal measures and systems are developed to process requests for
information; and
- internal awareness sessions are conducted regarding the provisions
of POPIA.
Information Officers are also required to appoint Deputy Information Officers to
assist them in the performance of their responsibilities and duties and to ensure
that the requests for information are dealt with in an effective and efficient manner.
There is no limitation on the number of Deputy Information Officers that an
Information Officer may appoint.
WHAT SKILLS AND TRAINING WOULD BE REQUIRED? [6]
All role players must be able to:
- articulate the requirements of POPIA;
- demonstrate an understanding of the conditions for the lawful processing of
personal information;
- identify the technical and organisational measures necessary for
protecting personal information;
- describe the various roles and the responsibilities of the personnel who
should be concerned about the protection of personal information; and
- understand the effort needed to meet the requirements of POPIA and the
conditions for the lawful processing of personal information it contains.
APPOINTING POPIA CHAMPIONS IN EACH DEPARTMENT AND REPORTING
TO HIGHER MANAGEMENT
Best practice is for organisations to have Deputy Information Officers and privacy
champions in each business area. If POPIA compliance is not written into a
number of people’s job descriptions, POPIA compliance won’t work.
[6] https://www.ppmattorneys.co.za/implementing-effective-privacy-training-in-organisation/
DATA ASSESSMENTS
RECORDS OF PROCESSING ACTIVITIES: THE “STATE ON THE GROUND”
It is crucial to list your processing activities and describe them. Here is a template
to assist:
- Name of processing
- Responsible party
- Work stream
- Purpose for processing
- Legal basis for processing
- Categories of data subjects
- Approximate volume of data processed
- Categories of personal data processed
- Categories of recipients of personal data
- Data location (hard and soft copies)
- Communication channels used
- Where is data sent? (Include 3rd countries)
- What safeguards exist for 3rd countries?
- Data retention period
- Data deletion mechanism (including disposal) and description
- Brief description of technical and organisational security measures
- Comments
This first step will allow you to proceed further with the gap assessment.
GAP ASSESSMENT: THE INITIAL STEP TO YOUR COMPLIANCE JOURNEY
A gap assessment can be done in house or with the assistance of an external
consultant. Legal and IT expertise is required.
Documentation review:
- Policies and procedures
- Vendor contracts
- Customer terms and conditions / contracts
- Notices and consent forms
- HR documentation
Interviews with key stakeholders:
- POPIA Champions
- HODs
Fact-checking exercise
It is important when performing a gap assessment to check whether practices
within the organisation are aligned with the policies and procedures which have
been issued.
The result of this exercise will be a report on gaps to be closed within your
organisation.
It should be presented in a practical manner. Using a Red-Amber-Green (“RAG”)
format makes it visually easier to see the status of each issue. [7] It allows you to
prioritise a list of actions in order to close the gaps based on risks involved.
[7] https://www.intrafocus.com/2019/08/red-amber-green-reporting/
You will be able to design and undertake a remediation plan, based on this
assessment.
PERSONAL INFORMATION IMPACT ASSESSMENTS (PIIA)
It is a good practice to conduct a PIIA for any new product or service. This usually
describes the nature, scope, context and purposes of the processing; assesses
necessity, proportionality and compliance measures; identifies and assesses
risks to individuals; and identifies any additional measures to mitigate those risks.
A PIIA operates as a control mechanism and may identify irregularities or system
weaknesses regarding the organisation’s handling of personal data. These
weaknesses may include a lack of security, which may lead to inappropriate use
of personal information, the collection of unnecessary or irrelevant personal
information, or unnecessarily long retention periods.
Privacy related policies
A privacy-related policy is an internal document for employees and vendors,
presenting the privacy principles and standards within the organisation.
Main privacy-related policies that you should consider implementing:
- Privacy Policy
- Records Retention and Destruction Policy
- Privacy Incident Management Policy
- Promotion of Access to Information Act ("PAIA") Manual
- Policy on Processing Sensitive or Children's Information
- Data Sharing Policy
- Contract Management Policy
- Cross Border Data Flow Policy
- Acceptable Use Policy
Privacy-related policies should be interfaced with other policies within the
organisation, such as human resources policies, supply chain management
policies, information security policies and document management policies that
involve privacy aspects.
You should focus on efficient ways to communicate policies within your
organisation:
- clear and understandable language;
- availability of the policies; and
- training on the policies (workshops…).
PROTECTING THE RIGHTS OF DATA SUBJECTS
Data subjects’ rights are guaranteed under POPIA:
- right to information about processing;
- right of access;
- right of erasure;
- right of processing restriction;
- right of objection to processing; and
- right to complain to the Regulator.
How to guarantee these rights at your organisation level:
- Implement notices informing the data subjects about the processing and their
rights, in plain English;
- Require consent when needed or ensure that you have another clear and
fair legal basis for processing; where required, guarantee that the data
subject is given a fair choice about the processing of his or her data;
- Make sure you have a PAIA manual in place with all required information;
and
- Implement a data subject information access policy and related procedures,
and make sure your staff is sufficiently trained to engage with data subjects
and respond to their requests.
SECURITY SAFEGUARDS
Information security is a basis for privacy. POPIA makes information security a
priority. It is not just for your organisation (the responsible party), but also for
other organisations that may process personal information on your organisation’s
behalf (operators).
There are a number of information security frameworks that you can use to guide
your organisation on this requirement, for example ISO 27001.
Examples of technical and organisational measures to comply with security
requirements include:
- Encryption;
- Access control;
- De-identification; and
- Secure destruction.
TRAINING AND AWARENESS
In many cases data breaches occur because of staff’s or vendors’ negligence or
oversight. The consequences of a data breach can be detrimental to a company
and include not only direct damages and sanctions, but also substantial
reputational harm.
Training your staff is part of your obligations under data privacy laws and is one
of the measures demonstrating your compliance. The mere occurrence of, as
well as the costs and consequences of data breaches and data incidents could
be drastically reduced by having appropriate awareness and training programs in
place for your organisation. Having a well-crafted training program which suits
your industry and organisation, as part of your privacy programme, is crucial.
To achieve this goal, the Information Officer is required to conduct or facilitate
regular training and awareness sessions.
Classroom training is the most common means of training but can be reinforced
by various complementary channels, such as:
- Online learning through streaming, videos and websites;
- Workshops and simulations; and
- Posters, newsletters and email campaigns.
Booklets, pamphlets, FAQs and stickers can also be a cool way to convey a few
simple but necessary messages regarding privacy in the organisation.
The more creative and varied the communication channels are, the more effective
it is at conveying the message to the organisation. However, irrespective of
the variety of channels, the communication should be consistent at all levels.
It may be also beneficial to establish a privacy community to deliver privacy
messages throughout the organisation. This can be done, for example, by
appointing a “privacy champion” in each department, who follows up on training
and awareness within his/her own department and reports difficulties or specific
aspects. This makes it easier for the Information Officer to refine or accurately
customise the privacy training.
Privacy awareness amongst your team is an ongoing effort. The privacy training
should be part of the induction process in your organisation. Each member of
your team should receive initial training, and this training should be regularly
refreshed and updated.
Although privacy training has cost implications for your organisation, it will most
certainly reduce risks. It therefore makes sense to implement methods to
measure effectiveness of these programs.
As an example, a simple dashboard of your training and awareness could include
the following metrics:
- Percentage of the workforce which received training during a given period;
- Type of training received;
- Percent of training completed;
- Evolutions of results to quizzes or simulation exercises; and
- Evolution of the number of privacy incident reports.
HOW DO DATA BREACHES OCCUR?
The list below illustrates just a few common ways in which data breaches can
occur. This could be disastrous to any entity because the integrity of sensitive
data like customer information or internal business information would be
compromised. This could have a major reputational and financial impact on the
entity.
CRIMINAL HACKING
The most prevalent cause of data breaches does not require any kind of technical
knowledge. Criminals can purchase login credentials on the dark web and use
them to perform many nefarious activities. These include malware and SQL
injections, fraud, social engineering and phishing scams.
HUMAN ERROR
It is common for data breaches to occur even if there was no malicious intent.
This could happen by an employee sending an email or physical file containing
sensitive personal information to the wrong email address.
UNAUTHORISED USE
This can occur in two ways. In the first instance, an employee may misuse
information they have legitimate access to. Alternatively, an employee may
ignore company access restriction policies such as ensuring all electronic devices
are password protected.
PHYSICAL THEFT
Laptops, smartphones, tablets and hard drives are just a few of the electronic
devices stolen on a daily basis. If the device is not properly protected by
encryption software, the thief will have access to the organisation’s sensitive
information.
INCIDENT RESPONSE
An incident response plan is a framework which provides clear instructions to all
role players about what to do when a data breach occurs. It should help detect,
respond to, and recover from issues such as cybercrimes and data losses. You
should conduct an assessment to identify any current data security gaps.
Before the breach: Plan ahead! Identify who will be affected by the breach and
what role each person within the organisation will play. Early detection is one of
the most effective ways to manage a data breach. Ensure that your employees
are trained and aware of the plan, and that systems and data protection measures
are tested regularly.
[Figure: incident response flow – Incident occurs → Assess the situation → Investigate the incident → Assess the damage → Incident report → Communication]
When the breach occurs: Communicate! Ensure that the necessary parties within
the organisation are notified of the breach as soon as possible so they may take
the necessary measures to mitigate the damage. Determine the root cause of the
data breach and try to eradicate it. Consider whether you should bring your
lawyers on board to manage any investigation you initiate: this is because the
outcome of the investigation will then be privileged and you will not be obliged to
hand the information over in the event of civil litigation or regulatory investigations
and prosecution.
After the breach: Respond! Bring affected systems back online carefully to avoid
further incidents. Use the breach to learn what parts of your plan are effective
and which areas require improvement.
REPORTING OBLIGATIONS
Section 21: The operator must notify the responsible party immediately if there
are reasonable grounds to believe that the personal information of a data subject
has been accessed or acquired by any unauthorised person.
Section 22: If there are reasonable grounds to believe that a data breach has
occurred, the responsible party must notify the Regulator and the data subject as
soon as reasonably possible after the discovery of the compromise. When
determining when ‘as soon as reasonably possible’ is, you should take into
account the legitimate needs of law enforcement or any measures reasonably
necessary to determine the scope of the compromise and to restore the integrity
of the responsible party's information system. You may only delay reporting if
certain public bodies, or the regulator, determines that notification will impede a
criminal investigation.