Werksmans presentations on popi

Date post: 31-Oct-2014
Upload: werksmans-attorneys

Transcript
Page 1: Werksmans presentations on popi

Follow this event on Twitter: #WerksmansPOPI

Noticing Noticed Notices

Neil Kirby

16 May 2013

Page 2: Werksmans presentations on popi

WHO?

Information Officer

Page 3: Werksmans presentations on popi

WHY?

The purpose of the Act (section 2)

Page 4: Werksmans presentations on popi

WHAT?

Security compromises

Requests in respect of data-correction

Compliance: encourage and ensure

Regulator liaison

Chapter 6 investigations

Promotion of Access to Information Act No. 2 of 2000

Page 5: Werksmans presentations on popi

CHAPTER 6

Prior authorisation processing

Notification required - once-off

Written and detailed

Await reply in respect of investigation

4 weeks: more detailed investigation

13-week limit

Results

Page 6: Werksmans presentations on popi

IN ADDITION

Deputies

Regulations: responsibilities

Manner and forms

Complaints, investigations, search & seizure, information notice, assessments, enforcement notice, appeals and a section 99(1) action

Page 7: Werksmans presentations on popi

THANK YOU

Neil Kirby

16 May 2013

Nothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses.

© 2013 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.

Page 8: Werksmans presentations on popi

When you speak you begin with “A, B, C”. When you comply you begin with “Don’t bother me”?

Ina Meiring

16 May 2013

Page 9: Werksmans presentations on popi

Duties and responsibilities of the Information Officer

Section 55(1): “An information officer’s responsibilities include—

(a) the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;

(b) dealing with requests made to the body pursuant to this Act;

(c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;

(d) otherwise ensuring compliance by the body with the provisions of this Act; and

(e) as may be prescribed”

Page 10: Werksmans presentations on popi

Conditions for lawful processing

Condition 1: Accountability

The responsible party must ensure that the conditions for lawful processing and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.

Page 11: Werksmans presentations on popi

Processing limitation (2)

Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject.

Adequate, relevant and not excessive (purpose) (minimal)

Only if –

the data subject consents to the processing;

processing is necessary: contract to which the data subject is party;

processing complies with an obligation imposed by law on the responsible party;

processing protects a legitimate interest of the data subject;

processing is necessary for the proper performance of a public law duty by a public body; or

processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

Page 12: Werksmans presentations on popi

Processing limitation (2)

The data subject may withdraw consent and may object to the processing of personal information (unless legislation provides for such processing).

Personal information must be collected directly from the data subject, unless –

the information is contained in or derived from a public record or has deliberately been made public by the data subject;

the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;

collection of the information from another source would not prejudice a legitimate interest of the data subject;

Page 13: Werksmans presentations on popi

Collection directly from the data subject

Personal information must be collected directly from the data subject, unless

collection of the information from another source is necessary—

to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997);

for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;

in the interests of national security; or

to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied;

compliance would prejudice a lawful purpose of the collection; or

compliance is not reasonably practicable in the circumstances of the particular case.

Page 14: Werksmans presentations on popi

Purpose specification (3)

Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

The data subject must be aware of the purpose of the collection of the information.

No records must be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—

required or authorised by law;

the responsible party requires the record for lawful purposes;

required by a contract between the parties thereto; or

the data subject has consented to the retention of the record.

Page 15: Werksmans presentations on popi

Further processing limitation (4)

Further processing of personal information must be in accordance or compatible with the purpose for which it was collected.

The responsible party must take account of—

the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;

the nature of the information concerned;

the consequences of the intended further processing for the data subject;

the manner in which the information has been collected; and

any contractual rights and obligations between the parties

Page 16: Werksmans presentations on popi

Information quality (5)

The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

In taking the steps referred to the responsible party must have regard to the purpose for which personal information is collected or further processed.

Page 17: Werksmans presentations on popi

Openness (6)

A responsible party must –

maintain documentation of all processing operations;

ensure that the data subject is aware of –

the information being collected;

the name and address of the responsible party;

the purpose;

whether or not the supply of the information by that data subject is voluntary or mandatory;

the consequences of failure to provide the information;

any particular law authorising or requiring the collection of the information;

Page 18: Werksmans presentations on popi

Openness (6)

A responsible party must ensure that the data subject is aware of further information such as the—

recipient or category of recipients of the information;

nature or category of the information; and

existence of the right of access to and the right to rectify the information collected;

the right to object to the processing of personal information;

the right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator.

Page 19: Werksmans presentations on popi

Security safeguards (7)

A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

loss of, damage to or unauthorised destruction of personal information; and

unlawful access to or processing of personal information.

Page 20: Werksmans presentations on popi

Operator

A person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

An operator or anyone processing personal information on behalf of a responsible party or an operator must-

process such information only with the knowledge or authorisation of the responsible party; and

treat personal information which comes to their knowledge as confidential and not disclose it,

unless required by law or in the course of the proper performance of their duties.

Page 21: Werksmans presentations on popi

Security measures

A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19.

The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Page 22: Werksmans presentations on popi

Data subject participation (8)

A data subject has the right to—

request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and

request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—

(i) within a reasonable time;

(ii) at a prescribed fee, if any;

(iii) in a reasonable manner and format; and

(iv) in a form that is generally understandable.

Page 23: Werksmans presentations on popi

Checklist

The nature (and volume?) of personal information processed within your organisation and whether it is complete, accurate and up to date. You will have to undertake an audit of human resources, IT (for security and contingency measures), marketing, customer sales and support.

Do you have a data privacy policy which also addresses information security (security safeguards)? Does this policy describe sufficient physical, technological and organizational data security measures? This policy should also address the conditions for lawful processing (and further processing) within your organisation and within the Group.

Do you disclose personal information to third parties (e.g. sub-contractors) and do you have contracts and security measures in place to ensure data privacy?

Page 24: Werksmans presentations on popi

Checklist

Do you have a process for notification of security compromises (assuming you have addressed disaster recovery, and risks of unauthorised access)?

Have you established who will be appointed as Information Officers and deputy information officers and do they know what their obligations under POPI will be? Does your business understand when notifications to the Regulator must be made?

Have you reviewed your employment contracts to address data privacy and information security?

Page 25: Werksmans presentations on popi

Checklist

Have you reviewed the terms and conditions of products and services sold to customers to deal with your compliance obligations under POPI (e.g. consents required)?

Do you have a process in your organisation to deal with complaints about inaccuracies of personal information or when a data subject wishes to exercise any of the rights under clause 5 of POPI?

Do you or will you provide training to employees and how will the policy be communicated within your organisation and to external parties?

Page 26: Werksmans presentations on popi

Checklist

Do you transfer data outside the borders of SA and does your policy provide for this?

Have you reviewed your marketing procedures and processes to determine compliance with POPI (and other applicable law)?

Do you have a document retention policy which also addresses destruction thereof within a certain period? The document retention policy should take into account any personal information retained.

Page 27: Werksmans presentations on popi

Quick wins

Get there! Empower your people

Designate role, prepare appointment documentation for Information Officer

Review or prepare standard templates for data sharing or processing in agreements

Inventory of databases and flows

Review or prepare template data transfer contracts

Review or revise or prepare privacy policies and notices directed at customers and business partners

Review or prepare notices directed at employees with respect to processing of employee data

Assess where notifications are required

Review or prepare data processing contracts

Direct marketing: implement protocols for opt-in/opt-out processes...

Review/develop internal protocols and processes

Page 28: Werksmans presentations on popi

THANK YOU

Ina Meiring

16 May 2013

Page 29: Werksmans presentations on popi

Houses of straw, houses of sticks and houses of bricks

Ahmore Burger-Smidt

Page 30: Werksmans presentations on popi

Obligations for the Protection of Personal Information can have a significant impact on business...

The way that any organisation processes and handles the personal information of its customers, employees, business partners and service providers is crucial

Non-compliance with the duties imposed by legislation may result in regulatory action, civil liability, damage to reputation and, in extreme cases, even criminal prosecution

Page 31: Werksmans presentations on popi

National Comprehensive Data Protection/Privacy Laws and Bills 2012

Page 32: Werksmans presentations on popi

The big picture programme

Privacy Programme

POLICY & PROCEDURES

• Employee, Customer and Partner Policies and Procedures

• Enterprise-Wide Standard Operation Procedures

PRIVACY ANALYSIS

• Life-cycle based Data Flow Analysis (information acquisition, use, storage, distribution and destruction) with multiple options (organizational, business unit, geography, process, system or employee or customer data)

• Risk-based Assessments and Gap Analysis

• Risk Prioritisation

CULTURAL TRANSFORMATION

• Governance

• Enterprise Directives (Policies, Processes, Guidelines, Scenarios, Taxonomy)

• Value-Adoption Assessments

• Web-enabled tools (dynamic content/role and activity based)

SOLUTION SET DESIGN

• Policy & Procedures

• Cultural Transformation

• System/Product Architecture

• Detailed Roadmaps (Prioritisation, inter-dependencies and estimated resources and time)

PRIVACY STRATEGY

• Brand Opportunities

• Regulatory Environment

• Governance

• Communications Plan

• Strategic Roadmaps

SYSTEM ARCHITECTURE

• Strategy (data location, centralised vs decentralized)

• Functional requirements

• Technical Specifications

• Development

• Implementations

• Change Management

• Quality assurance

MONITORING & REPORTING

• Processes

• Regulatory safe Harbour

• Extended Enterprise

• Systems/Applications

• Internal Audit Programs

• Web-based monitoring tools

• Incident Response

PRIVACY FRAMEWORK

• Methodology

• Tool-based Framework

• Detailed Requirements Analysis (brand, regulatory, policy)

Page 33: Werksmans presentations on popi

The 5 Key principles

Take stock: Know what you have - files and computers. Who, how, what, where. Who has access.

Scale down: Keep only what you need. Legitimate business need. What does the law require.

Lock it: Protect the information that you keep. Physical and electronic security. Network security, laptop, firewalls, remote access.

Pitch it: Properly dispose of what you don’t need. Disposal processes, effective disposal.

Plan ahead: A plan to respond to security incidents. Who in the team will lead. Step-by-step guideline.

Process and Policy

Page 34: Werksmans presentations on popi

Implementing the 5 key principles: Werksmans methodology

Applicable legislative landscape

Responsibilities

Duties

Types of records

Processes

Werksmans insight

POPI

Compliance Road-map

Close existing gaps

Compliance officer

Policies and procedures

Incident management process

Training

Alignment with legislation

Security / processes and procedures

Security

Ownership

Current state

Desired state

Page 35: Werksmans presentations on popi

What does this look like

1. Situation Assessment

2. Risk Management

3. Resource planning

4. Empowerment: Documentation

Understand current practices, arrangements and agreements

As-Is – To-Be Report

Identify philosophy and overall strategy

Add to business process map

Formulate change and communication strategy

Risk Management Plan

Organisation specific resource plan

Compliance culture

Strategic Outcome

Operational Analysis

Outcome

Understand way forward

Enable staff and empower organisation

Define “people” privacy structure

Draft job descriptions as identified

Draft and amend customer facing documentation

Draft call centre scripts

Awareness

Ability to hold staff accountable

Embed risk management tool

Formulate overarching HR Plan

Training - workshop and online

Draft/Review operator contracts

Information classification

Identification of types of processes

Define implementation dependencies

Design and implement risk management tool

Draft security compromises process

Draft step guide to information requests

Draft special information processing procedure

Draft Policies

Draft standard agreements or templates for intra-group data transfers

Draft documentation - trans-border information transfers

Page 36: Werksmans presentations on popi

Only once you understand …..

Information Management Lifecycle: Acquisition, Use, Storage, Sharing, Archive, Destruction

Page 37: Werksmans presentations on popi

The way forward should suit your specific business

Your POPI approach

POPI compliance should never be an impediment to your business. POPI compliance should have:

• a relevant approach

• practical approach

• innovative and creative outcome

• Allow your business to focus on strategy, risk management, corporate governance and future growth!

Page 38: Werksmans presentations on popi

THANK YOU

Ahmore Burger-Smidt

16 May 2013

Page 39: Werksmans presentations on popi

BORDER CROSSINGS: Cross Border Data Transfer

Section 72 of POPI

Tammy Bortz

16 May 2013

Page 40: Werksmans presentations on popi

INTRODUCTION

Internet: massive movement of data between jurisdictions

Benefits:

ability to move data around depending on where there is processing capacity/resources

transfer data to jurisdictions where data processing is cheaper

Business enabler:

Service providers rely on the internet as their biggest business tool. Over the years there has been huge growth in revenue generated by online service providers: e-commerce (able to reach many more customers – no longer need a physical presence), cloud computing (and in turn end users who use cloud services)

Consumers: communication tool, wider choice of goods/services (which in turn creates competition)

Business: process data in different regions based on resources, no longer need staff/operations in a centralized location, scale down on IT spend

Page 41: Werksmans presentations on popi

INTRODUCTION

SMMEs: no longer require costly infrastructure and resources: easy access to email, accounting packages, and ERP all via the internet – turn on and off based on need - cloud services

cheap and easily accessible advertising platforms: Facebook, LinkedIn etc.

Africa: access to Internet growing (laying of fibre): enables online access to educational resources/medical resources

Increase in international trade

Page 42: Werksmans presentations on popi

LEGAL OBSTACLES

Data transfer impeded by global data privacy laws

No one global data protection law/data framework – businesses that wish to transfer data between jurisdictions have to familiarise themselves with and navigate through a patchwork of laws and global rules

Certain jurisdictions – far more prescriptive than others as to the basis on which personal information can enter and leave the jurisdiction as well as how the data of its citizens should be protected

“data protectionism” - governments have in place laws that enable them to have control over data sitting in their jurisdiction – favor local interests and competition

Page 43: Werksmans presentations on popi

MAJOR PLAYERS: EUROPEAN UNION

Data Protection Directive: Directive 95/46/EC

Each EU member country must pass its own national law which is in compliance with the directive

Many have such legislation – UK most well known

Others: Finland, Germany, Ireland, Isle of Man

Cannot transfer personal data out of the EU unless target jurisdiction has “adequate protection”, i.e. laws in place that offer the same level of protection as that offered by the EU

Exceptions to this are (“adequate protection”):

White listed countries

US-EU Safe harbor

Use of EU approved data export agreements/model contract clauses

Binding corporate rules

Page 44: Werksmans presentations on popi

MAJOR PLAYERS: EUROPEAN UNION

Findings of adequacy: Canada, Guernsey, Jersey

Participation in Safe Harbor scheme

Standard/Model Contractual Clauses: directive issued by EU Commission 2001/2004/2010.

Transfers made in terms of an agreement which contains these clauses - target company deemed to have adequate controls in place

Binding Corporate Rules

Page 45: Werksmans presentations on popi

BINDING CORPORATE RULES

Binding Corporate Rules or "BCRs"

allow multinational corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection laws.

BCRs were developed as an alternative to the Safe Harbor principles (which are for US organizations only) and the EU Model Contract Clauses.

Must be approved by the data protection authority in each EU Member State (such as the Information Commissioner's Office in the UK) in which the organization will rely on the BCRs.

Examples of organizations who have BCRs: Citigroup, Accenture, Novartis, Philips

Page 46: Werksmans presentations on popi

MAJOR PLAYERS: USA

USA: no overriding legislation that protects personal information of US citizens

Legislation at industry level

Safe Harbor: US organizations that participate in the safe harbor scheme are “white listed” – i.e. EU will allow transfer of personal data to the US

Obama Administration: in 2012 issued a framework for national protection of personal data legislation – aligns with EU data protection principles

Purpose: to enable seamless transfer of data between the USA and EU member states

Page 47: Werksmans presentations on popi

SOUTH AFRICA

Currently, no single overriding data protection law in place which regulates cross border data transfer – this will change once POPI is passed into law. In particular, EU will regard RSA as a jurisdiction which has an adequate level of protection.

Current restrictions on outward transfer

Constitution and Common Law, which grant rights to privacy to South African citizens and under what circumstances such rights can be overridden –

Consent

Necessity

Contracts: Contractual clauses which may prevent data transfer

Confidentiality undertakings

Legislation for regulated industries

Financial Advisory and Intermediary Services Act, as read with its Codes of Conduct

National Health Act

Page 48: Werksmans presentations on popi

SOUTH AFRICA

Financial Service Providers

o “The Codes of Conduct for Administrative and Discretionary [FSP’s] (Government Gazette 25299, 8 August 2003): FSP’s may not without [investors] prior written approval, sell to or provide a third party with an [investors] details unless obliged to by, or in terms of any law

o “General Code of Conduct for Authorised [FSP’s] and Representatives (Government Gazette 25299, 8 August 2003): an FSP may not disclose any confidential information acquired or obtained from an [investor] or in regard to such [investor] unless the written consent of the [investor] has been obtained beforehand or disclosure of the information is required in the public interest or under any law.”

Page 49: Werksmans presentations on popi

TRANSFER OUT: SECTION 72

A responsible party cannot transfer personal information to a third party who is in a foreign country. Exemptions:—

the third party who is the recipient of the information is subject to a law, binding corporate rules, binding agreement or a memorandum of understanding entered into between two or more public bodies, which provide an adequate level of protection that—

(i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and

(ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;

consent;

transfer necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;

transfer necessary for the conclusion/performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or

transfer is for the benefit of the data subject, and—

it is not reasonably practicable to obtain the consent of the data subject to that transfer; and

if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

Page 50: Werksmans presentations on popi

BINDING CORPORATE RULES/MOU

Available to public bodies

Must be approved by data protection authorities

“Binding corporate rules”: personal information processing policies, within a group of undertakings (being a controlling undertaking and its controlled undertakings) which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country

Where the transfer is made in terms of a non-binding memorandum of understanding [BCR’s?] the public body remains accountable in terms of POPI for the protection of the personal information.

Page 51: Werksmans presentations on popi

CONSENT

Must be a voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

Guidance from the EU Commission as to what would be regarded as consent for purposes of this exemption –

individual must know why data is being transferred and where possible, to which jurisdictions

Not be given under duress

Specific for purpose for which given – cannot transfer for any other purpose

How and at what point must this consent be obtained?

Physical forms

Website

Point of Sale

Page 52: Werksmans presentations on popi

PERFORMANCE OF A CONTRACT/IMPLEMENTATION OF PRE-CONTRACTUAL MEASURES

“Transfer necessary for the performance of a contract between the data subject and the responsible party or for the implementation of pre-contractual measures taken in response to the data subject’s request (transfer is a necessary step the individual has asked the organisation to take for purposes of contract conclusion)”

Examples

individual books a hotel in the USA through a South African travel agent. RSA travel agent will need to transfer the booking details to the USA to fulfil its contract with the individual.

customer of a South African credit-card issuer uses their card in Japan. It may be necessary for the card issuer to transfer some personal data to Japan to validate the card and/or reimburse the seller

A South African based internet trader (retailer) sells goods online. Goods are delivered direct to the customer from the manufacturer. If customer orders goods that are manufactured in the Ukraine, the trader needs to transfer a delivery name and address to the Ukraine to carry out the contract.

Transfer will not be regarded as necessary where it is due to the structure of the business, i.e. the company decides to locate a business operation offshore (here, transfer not necessary but convenient)

Page 53: Werksmans presentations on popi

NECESSARY FOR THE CONCLUSION/PERFORMANCE OF A CONTRACT CONCLUDED IN THE INTEREST OF THE DATA SUBJECT

“The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party”

“Interest” not defined

Will be in the interest of a data subject if some benefit to the data subject, i.e. -

Lower cost of processing passed on to the customer

Better security

Improved service offering

Use of offshore redundancy: decrease risk of outages

Page 54: Werksmans presentations on popi

BENEFIT AND NOT PRACTICABLE TO OBTAIN CONSENT

Transfer is for the benefit of the data subject, and—

(i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and

(ii) if it were reasonably practicable to obtain such consent, the data subject would be likely to give it

“Benefit”: lower cost of processing passed on to the customer, better security, improved service offering, use of offshore redundancy, decreased risk of outages

“not practicable to obtain”

subjective enquiry

Example: where thousands of customers/impossible to track all customers

Compare cost of seeking consent against benefit to disclose

If practicable: data subject would give consent

What data is being transferred?

Would need to look at the purpose for which data is being transferred

What protection is afforded in the offshore jurisdiction?

Page 55: Werksmans presentations on popi

TRANSFER IN

POPI: remove barriers for transfer from EU to RSA, USA where organization has subscribed to Safe Harbor

Current Position

Where does the data sit?

Are there any laws in such jurisdiction which may inhibit the inward transfer of such data to South Africa?

Assess this before transferring data to such jurisdiction

Page 56: Werksmans presentations on popi

THANK YOU

Tammy Bortz

16 May 2013
