The Protection of Personal Information Act 2013 Personal Information is your business 25.09.14 KOMESHNI PATRICK TECHNOLOGY LAWYER/DIRECTOR/ENDCODE.ORG.

Contents
- Definitions
- Aims
- Exemptions
- Key Role Players for POPI
- 8 Conditions of POPI
- POPI and Consent
- POPI and Notification
- Giving PI Away
- POPI for Business
- PI & Cybercrime

What is Personal Information (PI)? (Section 1)
Information relating to an identifiable, living, natural person or an identifiable, existing juristic person, including:
- Race, sex, gender, name, sexual orientation, age, mental health
- Medical, financial, criminal or employment history
- E-mail address, physical address, telephone number, location information, online identifier
- Biometric information
- Personal opinions, views or preferences
- Private correspondence
- Opinions of another individual about the person
- The name of the person if it appears with other personal information relating to the person, or if disclosure of the name itself would reveal information about the person

What is Special Personal Information? (Section 1)
- Religious or philosophical beliefs
- Race or ethnic origin
- Trade union membership
- Political persuasion
- Health or sex life, or biometric information of the person
- Criminal behaviour of the person, to the extent that such information relates to:
  - The alleged commission by the person of any offence
  - Any proceedings in respect of any offence allegedly committed by the person, or the disposal of such proceedings

What is Processing? (Sections 1 and 4 of POPI)
Processing means any activity, whether by automatic means or not, concerning personal information, including:
- The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- Dissemination by means of transmission, distribution or making available in any other form; or
- Merging, linking, as well as restriction, degradation, erasure or destruction of information.
Processing must be for a defined and legitimate purpose that is clear to the DS (data subject) from whom you are collecting the PI.

The Protection of Personal Information Act 4 of 2013 (POPI). Aims:
- Protection of PI processed by private and public bodies
- Minimum requirements for the processing of PI
- Establishment of the Information Regulator
- Codes of Conduct
- Rights protection against SPAM and automated decision-making
- Regulation of cross-border flow

Exemptions from POPI
- Personal & household: personal address book; personal computer
- De-identified & cannot be re-identified: anonymous surveys; course evaluations
- Public bodies involved in national security: prevention and detection of unlawful activities; terrorism, money laundering, offences
- Judicial function of a court: Section 166 of the Constitution
- Terrorism: Terrorist & Related Activities Act 33 of 2004
- Journalistic, literary, artistic: freedom of expression (S16 Constitution); codes of ethics govern PI infringements

Key Role Players for POPI
- Data Subject: the person to whom PI relates
- Responsible Party (RP): public or private body, or any other person, which determines the purpose of and means for processing PI
- Operator: person who processes PI for an RP in terms of a contract or mandate, without coming under the direct authority of that party
- Competent Person: any person legally competent to consent to any action or decision being taken in respect of any matter concerning a child
- Information Regulator: a juristic person established in terms of the Act, accountable to the National Assembly and appointed by the Minister of Justice

8 Conditions of POPI (1 to 4)
- Accountability: RP to ensure the conditions for lawful processing
- Processing Limitation: minimality – adequate, relevant and not excessive; consent, justification, objection; collection directly from the Data Subject
- Purpose Specification: specific, explicitly defined and lawful purpose; records of PI must not be retained longer than is necessary for achieving the purpose (exemption: record required by law, or for historical, statistical or research purposes); destroy, delete or de-identify a record of PI once the purpose is achieved
- Further Processing Limitation: must be compatible with the original purpose of collection; if not, consent for further processing is required

8 Conditions of POPI (5 to 8)
- Information Quality: RP must take steps to ensure PI is complete, accurate and not misleading
- Openness: records of the processing cycle for operations must be maintained and made available to the DS; obligation on the RP to notify the DS upon collection of PI
- Security Safeguards: integrity and confidentiality of PI must be maintained to prevent loss, damage, unauthorised destruction, unlawful access or processing; the Operator must notify the RP if there are reasonable grounds to believe that the PI was accessed by an unauthorised person, and the RP has to notify the Regulator and the DS
- Data Subject Participation: right to be informed – the DS can request, free of charge, confirmation of whether PI is held; where the DS requests a copy of the record, the RP can charge a fee; the DS can request correction or deletion of PI that is inaccurate, irrelevant, out of date, excessive, incomplete, misleading or unlawfully obtained

POPI and Consent
- General Consent (Section 11): consent from the DS for processing PI. Consent can be withdrawn at any time. Where the DS is a child, consent is needed from a Competent Person.
- Retention of Records (Section 14(1)(d)): for records to be retained longer than is needed for achieving the purpose of the data processing, the DS must consent.

POPI and Consent
- Restriction on Processing (Section 14(7)): the RP must restrict processing of information if:
  - The accuracy is contested by the DS and the RP has to verify the PI
  - The purpose is achieved but the PI is retained for proof
  - The processing is unlawful and the DS requests restriction rather than destruction
  - The DS requests that the PI be transmitted to another automated system
- Restricted PI may only be processed:
  - With the DS’s consent or a Competent Person’s consent
  - For purposes of proof
  - To protect a right of another natural or legal person
  - For the public interest

POPI and Consent
- Further Processing (Section 15(3)(a)): further processing of information that is inconsistent with the original purpose of collection can only occur if the DS consents.
- Notification of Collection (Section 18(4)(a)): the DS can consent to not being notified when their information is collected.

POPI and Consent
- Special Personal Information (Section 27): the DS must consent to the processing of special personal information.
- Religious Beliefs (Section 28(3)): information regarding religious or philosophical beliefs can be processed without consent only by religious or spiritual institutions to which the DS belongs. Consent from the DS is needed when this data is supplied to third parties.

POPI and Consent
- Trade Union Membership (Section 30(2)): information regarding trade union membership can be processed only by the trade union, or its controlling body, to which the DS belongs. Consent from the DS is needed when this data is supplied to third parties.
- Political Persuasion (Section 31(2)): information regarding political persuasion can be processed without consent only by institutions founded on political principles to which the DS belongs. Consent from the DS is needed when this data is supplied to third parties.

POPI and Consent
- Information regarding Children (Section 34): processing PI regarding children can only occur with the consent of a person who has legal competency to make decisions regarding that child.
- Direct Marketing (Section 69): processing for direct marketing is prohibited unless the DS gives consent. To request consent, the RP may approach the DS only once, and only if the DS has not previously withheld consent.

POPI and Consent
- Foreign Country Transfer (Section 72(1)): the RP may not transfer PI to a third party in a foreign country unless the DS has consented, or the transfer benefits the DS, it is impractical to obtain consent and the DS would likely give consent. The foreign country should have processing protection similar to POPI.
- Minister’s Powers (Section 112(2)(f)): the Minister has the power to create regulations regarding the manner and form in which the DS’s consent must be obtained or requested for direct marketing.

POPI and Notification
- Notification to DS when collecting PI (Section 18): notification to the DS when collecting personal information.
- Security measures regarding information processed by an Operator (Section 21): the Operator must notify the RP immediately where there are reasonable grounds to believe that the personal information of a DS has been accessed or acquired by any unauthorised person.

POPI and Notification
- Notification of Security Compromises (Section 22): where there are reasonable grounds to believe that the personal information of a DS has been accessed or acquired by any unauthorised person, the RP must notify the Regulator and the DS.
- Correction of Personal Information (Section 24): the RP must notify a DS who has made a request for correction or deletion of a record of the action taken as a result of such request.

POPI and Notification
- Responsible party to notify Regulator if processing is subject to prior authorisation (Section 58): the RP must notify and obtain prior authorisation from the Regulator for processing:
  - For a purpose other than the original purpose as intended at collection, with the aim of linking the information together with information processed by other responsible parties
  - Of information on criminal behaviour
  - Of information for the purposes of credit reporting
  - That transfers special PI, or the PI of children, to a third party in a foreign country that does not provide an adequate level of protection

Giving Your PI Away
Where you give it away:
- Shopping online
- Subscribing or registering
- Competitions, prizes, rewards
- Online games and virtual worlds
- Social media
- Online browsing
- Employment
What you give away:
- Name, surname
- E-mail address, telephone number, postal address, city, physical address
- Education
- Credit card number, ID number

POPI for Business
Sectors that process PI: Financial, Education, Transport, Gaming, Social Media, Advertising, Music, Telecoms, Credit, Sports, Mapping, Insurance, IT, Banking, Medical.
Personal Information is your Business.

POPI for Business
1. POPI Strategy
2. Appoint an Information Officer
3. Privacy Policy, covering:
   - Consider who the Data Subjects are
   - Limit the collection type and amount to the purpose
   - Third-party transfer
   - Cross-border transfer
   - Direct marketing practices
   - Special personal information
   - Children’s personal information
   - Directories

POPI for Business: Creating a Business Process
- Obtain consent from the DS to use PI for the specified purpose
- Network security – integrity and safekeeping
- Limit access per business role
- Ensure that there are back-up and business continuity plans
- Access security at all points
- Access to Information procedure (correction, objections to processing, copy of records, identity of third parties who access their PI)
- Procedures for updating details to ensure accuracy and completeness
- Records retention management processes (deletion or de-identification)
- Incident management process
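The Purpose Specification condition (retain PI no longer than the purpose needs, then destroy, delete or de-identify it, unless a law or a historical, statistical or research use requires it to be kept) and the retention management process in the list above are easy to state and easy to get wrong in practice. The following is an added example, not code from the presentation or from ENDCODE: a small retention enforcer that decides, per record, whether to retain, de-identify or delete, and that strips direct identifiers and coarsens the date of birth so a de-identified record cannot be re-identified. The record layout, field names, retention periods and sample records are all assumptions constructed for the example.

```python
"""Retention enforcement for POPI's Purpose Specification condition.

Added example (not from the presentation). Field names, retention periods
and sample data below are constructed assumptions, not anything the Act or
the presentation prescribes.
"""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Optional

# Fields that identify a person on their own (assumed layout for this example).
DIRECT_IDENTIFIERS = ("name", "surname", "email", "telephone", "id_number", "physical_address")


@dataclass
class Record:
    record_id: str
    purpose: str
    purpose_achieved_on: Optional[date]   # None while the purpose is still being served
    statutory_retention_days: int = 0     # > 0 when a law requires keeping the record this long after the purpose is achieved
    research_use: bool = False            # historical / statistical / research exemption applies
    fields: dict = field(default_factory=dict)


def decide(record: Record, today: date) -> str:
    """Return 'retain', 'de-identify' or 'delete' for one record as of `today`."""
    if record.purpose_achieved_on is None:
        return "retain"                       # purpose not yet achieved: keep processing
    keep_until = record.purpose_achieved_on + timedelta(days=record.statutory_retention_days)
    if today < keep_until:
        return "retain"                       # a law still requires the record to be kept
    if record.research_use:
        return "de-identify"                  # exemption applies, but identifiers are not needed for it
    return "delete"                           # purpose achieved, no exemption: record must go


def de_identify(fields: dict) -> dict:
    """Drop direct identifiers and coarsen the date of birth to a year so the
    remaining fields cannot be linked back to the person."""
    kept = {k: v for k, v in fields.items() if k not in DIRECT_IDENTIFIERS}
    dob = kept.pop("date_of_birth", None)
    if dob is not None:
        kept["birth_year"] = dob.year
    return kept


def enforce(records, today: date):
    """Apply `decide` to every record. Returns (actions, surviving_store) and
    leaves the input records unmodified."""
    actions = {}
    store = {}
    for rec in records:
        action = decide(rec, today)
        actions[rec.record_id] = action
        if action == "delete":
            continue                          # deleted records never reach the new store
        if action == "de-identify":
            rec = replace(rec, fields=de_identify(rec.fields))
        store[rec.record_id] = rec
    return actions, store


# Constructed sample data: four records, one per branch of the decision.
AS_OF = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "open insurance claim", None,
           fields={"name": "Sipho", "surname": "Dlamini", "email": "sipho@example.invalid",
                   "date_of_birth": date(1979, 9, 14), "province": "KwaZulu-Natal"}),
    Record("r2", "closed policy", date(2024, 1, 10), statutory_retention_days=5 * 365,
           fields={"name": "Lerato", "surname": "Mokoena", "id_number": "CONSTRUCTED-ID",
                   "date_of_birth": date(1990, 2, 3), "province": "Free State"}),
    Record("r3", "customer survey", date(2020, 3, 1), research_use=True,
           fields={"name": "Thandi", "surname": "Nkosi", "email": "thandi@example.invalid",
                   "date_of_birth": date(1988, 4, 2), "province": "Gauteng"}),
    Record("r4", "competition entry", date(2020, 3, 1),
           fields={"name": "Pieter", "surname": "van Wyk", "telephone": "000 000 0000",
                   "province": "Western Cape"}),
]

if __name__ == "__main__":
    actions, store = enforce(SAMPLE_RECORDS, AS_OF)
    for record_id, action in actions.items():
        print(f"{record_id}: {action} -> {store[record_id].fields if record_id in store else 'removed'}")
```

The retention period is counted from the date the purpose was achieved, not from collection, which is the mistake most ad hoc clean-up jobs make; and the research exemption keeps the statistics, not the identifiers, so the de-identified copy carries only the province and a birth year.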

POPI for Business: Well-managed Brand
- Strengthens the brand
- Conveys that the business understands its legal obligations to the client
- Builds trust in the brand

POPI for Business: Potential for Litigation and Brand Damage
- Privacy infringement
- Loss of intellectual property
- Defamation
- Loss of sensitive information
- Security compromise – issues of national security
- Financial loss

PI and Cyber Crime (diagram: overlap of Cybercrime and PI)

PI & Cybercrime
- Lloyd’s 2013 Risk Index Report: cyber security has moved from 12th position to 3rd position as a global concern to business.
- The 2013 Norton Report: South Africa has the third highest number of cybercrime victims, following Russia and China.
- PwC’s Global State of Information Security Survey 2014 reported a 25% rise in security incidents with a 51% rise in spend on security. Overall, this makes up only 4% of IT spend.

PI & Cybercrime
- South Africa’s National Cyber Security Policy Framework was passed in March; months later, in October 2013, the Department of Communications appointed the National Cyber Security Advisor.
- Goal: co-ordinate government actions on cyber security and ensure co-operation between government, the private sector and civil society on addressing cyber threats.

PI & Cybercrime
- The Electronic Communications and Transactions Act, years later: no cyber inspectors to enforce cyber security.
- Wolfpack Information Risk’s report, The South African Cyber Threat Barometer 2012/13: no national computer security incident response team; no national response team to co-ordinate a cyber defence strategy; annual losses in 3 sectors = R2.65 billion.

PI & Cybercrime
- India: sponsored training for “cyber warriors”
- South Korea: 5000 cyber specialists are developed annually
- United Kingdom: 11 centres established for cyber skills development, allied to the universities
- South Africa: ?

Komeshni Patrick Thanks, Questions?