Data workshop WhOSE DATA IS IT ANYWAY? Alexia Christie Cape Town – March 2017 © Webber Wentzel 2017

OPPORTUNITY RISK The open data movement DATA SHARING SEAMLESS ACCESS DATA SHARING OPPORTUNITY POPI + PAIA + KING IV + NHA + NCA + SECRECY BILL + CYBER BILL + MORE DATA SECURITY & ACCOUNTABILITY PROTECTION OF PRIVACY RIGHTS RISK

DATA SHARING continuum Uninhibited Access No Access Data Lake?

open data? BIG DATA OPEN GOVERNMENT OPEN DATA DATA LAKE DATA WAREHOUSE

Protection of personal information act (POPI) Privacy vs free flow of information Private and public bodies "Processing" includes use and sharing Responsible party = "public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information" Personal information vs special personal information (eg health) Exclusions: de-identified data national security, prevention/detection of unlawful activities (if adequate protection) by Cabinet and committees, Executive Council of province journalistic, literary or artistic expression Government Business B2G G2B G2G

popi – CONDITIONS Accountability Processing lawful, and reasonable manner re purpose: processing must be adequate, relevant and not excessive consent (voluntary, specific and informed) or justification (eg legitimate interest) collect direct from data subject (exceptions eg public record, consent, legitimate interest, necessary) 3. Purpose specific, explicitly defined and lawful purpose ensure data subject is aware of purpose 4. Further processing for or compatible with original purpose (exceptions eg consent, public record, necessary for national security, public health/safety, historical/statistical/research purposes)

popi – CONDITIONS 5. Information quality complete, accurate, not misleading and up to date 6. Openness notification to data subject: what, where and for what purpose (exceptions eg consent, legitimate interests, necessary for national security, historical/statistical/research) 7. Security safeguards appropriate reasonable technical and organisational security measures 8. Data subject participation data subject has right to access, correct and delete Prohibits processing of special personal information, and re children. Exceptions include: consent justification (eg historical/statistical/research in public interest or impossible to ask for consent, AND adequate guarantees) Regulator authorisation (public interest and appropriate safeguards)

promotion of access to information ACT? Private and public bodies Request access Grounds for refusal Public body may not refuse if consent, or informed in advance that will/may be made public Challenges with PAIA

What's happening abroad? United Kingdom In 2014, the Cabinet Office Data Sharing Policy Team proposed following safeguards: accreditation and registration of projects and individuals having access to de-identified data establish vehicle for public sector big data compliance with Data Sharing And Anonymisation Codes of Practice Current example of G2B data sharing: Driver and Vehicle Licensing Agency sharing information about licensed drivers with insurers. United States of America 2015 Cybersecurity Information Sharing Act Homeland Security's Automated Indicator Sharing Initiative Information relating to cybersecurity is shared on a B2G basis. Australia Regulate G2G and G2B sharing via Information Sharing Agreements. Australian Bureau of Statistics' Good Practice Guide for G2G sharing. Australian government's 2016 Guidelines for Sharing Personal Information G2B.

Where to next? Data has value Review legislation and practices re open data Why? – identify benefits (for citizens) What? - identify categories of suitable "open data" Who? manage – responsibility & accountability & trust access - for what purpose? Seek opportunities to share & valid information sharing path in law: access, use and protection

Legal Notice: these materials are for training purposes only and do not constitute legal or other professional advice