
1 SEMINAR: Copyright 2012 All rights reserved. This presentation and/or any part thereof is intended for personal use and may not be reproduced or distributed without the express permission of the author/s.

2 The Protection of Personal Information Bill
Allan Hannie
Cape Town, 28 February 2013

3 Purpose of Bill
 Give effect to the constitutional right to privacy, while protecting the free flow of information and advancing the right of access to information
 Regulate the manner in which personal information is processed, in harmony with international standards
 Provide rights and remedies for non-compliance
 Create measures, including the establishment of an Information Regulator, to promote and enforce the protection of personal information
24/10/2012 PPI Presentation 3

4 When Does the Bill Not Apply?
The Bill does not apply to the processing of personal information, eg:
 for a purely personal or household activity
 that has been de-identified to the extent that it cannot be re-identified again
 by courts, or by or for a public body for national security (including anti-terrorism, defence and public safety), or to prevent, detect, investigate or prove and prosecute offences and execute sentences, provided that adequate safeguards are legislated
 exclusively for journalistic, literary or artistic expression, to the extent necessary to reconcile, in the public interest, the right to privacy with the right to freedom of expression
 Processing by journalists: if subject to a code of ethics (with adequate safeguards), then that code applies

5 Condition # 1: Accountability
 The Responsible Party is responsible for compliance and must ensure that all measures are in place to give effect to the conditions prescribed for the processing of personal information, including special information
 It is an offence if the Responsible Party, inter alia, failed to take reasonable steps to prevent (unlawful or unauthorised) processing of an account number (a unique identifier assigned by a financial institution to access funds or credit facilities)

6 Condition # 2: Processing Limitation
 Processing must be lawful, reasonable (not infringe privacy) and not excessive, having regard to the purpose
 Processing can only be done if:
  - consent is obtained
  - it is necessary for a contract to which the data subject is party
  - it is necessary to comply with a legal obligation
  - it is necessary to protect a legitimate interest of the data subject
  - it is necessary for the performance of a public law duty (public body)
  - it is necessary for pursuing the legitimate interests of the Responsible Party or of a third party to whom the information is supplied
 Direct collection from the data subject, unless consent is obtained, the information is in the public domain, there is no prejudice, collection is necessary in law, or it is not reasonably possible to collect directly
 Consent: a voluntary, specific and informed expression of will

7 Condition # 3: Purpose Specification
 Collection of information must be for a specific purpose which relates to an activity of the responsible party, with the data subject being aware of the purpose of the collection
 Records of personal information must be retained for no longer than required, unless required by law, reasonably required, agreed (in contract) or with consent
 Can be retained longer for historical, statistical or research purposes, provided appropriate security safeguards are in place
 If a record is used to make a decision about the data subject, then the record must be retained for a prescribed or reasonable period to allow for requests for access
 Personal information must be destroyed or de-identified when the responsible party is no longer authorised to retain it

8 Condition # 4: Further Processing Limitation
 Information may not be processed further in a way that is incompatible with the purpose for which it was collected
 Further processing is allowed if:
  - consent is obtained
  - the information is derived from a public record or was deliberately made public by the data subject
  - it is legally necessary
  - it is necessary to prevent or mitigate a serious and imminent threat to public safety, or to the life or health of the data subject or another individual
  - it is for historical, statistical or research purposes, solely for that purpose, and not published in any identifiable form
  - an exemption is obtained from the Regulator

9 Condition # 5: Information Quality
 The responsible party must take reasonably practicable steps to ensure that the information is complete, accurate, not misleading and up to date
 Must have regard to the purpose for which the information is collected or further processed

10 Condition # 6: Openness
 Responsible Parties must document their processing operations in the manual contemplated in PAIA (as amended by the Bill)
 The responsible party must take reasonably practicable steps to ensure that the data subject is aware, inter alia, of the following:
  - the information being collected and its source
  - the name and address of the responsible party
  - the purpose for which the information is being collected
  - whether it is mandatory or voluntary to supply the information, and the consequences of failure to provide it
  - whether the information is transferred outside the RSA or to an international organisation, and the level of data privacy/protection there
  - the rights to object, to rectify information and to complain to the Regulator
 Similar exclusions (eg. consent, no prejudice, and not reasonably practicable to inform) apply here too

11 Condition # 7: Security Safeguards
 The integrity and confidentiality of personal information must be secured by appropriate, reasonable technical and organisational measures to safeguard against, inter alia, loss, destruction or unlawful access
 Risks (internal and external) must be identified, and appropriate safeguards developed and put in place
 Operators must be authorised by the responsible party, and must maintain confidentiality and the above security measures
 Security breaches must be notified to the Regulator and to the data subject (where known), and sufficient information must be provided to the data subject to take protective measures

12 Condition # 8: Data Subject Participation
 The data subject can request confirmation as to whether the responsible party holds information about him/her, the record or a description of the personal information, and information on the identity of all third parties or categories of third parties who have or have had access
 Requests for access are made in terms of PAIA, and access can be refused on the grounds set out in PAIA
 The data subject is entitled to correct or delete personal information that is inaccurate, excessive, out of date, incomplete, misleading or obtained unlawfully

13 Cross-Border Transfer of Personal Information
 No transfer of personal information outside of SA unless:
  - the recipient is subject to a law, binding corporate rules, or a contract or MOU (between public bodies) which provides comparable (substantially similar) protection for the processing of personal information (including in relation to further transfers)
  - the data subject consents
  - the transfer is necessary for the performance of a contract with the data subject, or of a contract with a third party in the interest of the data subject; or
  - the transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the data subject's consent, but such consent would likely have been given

14 Direct Marketing
 Processing of personal information for purposes of direct marketing (unsolicited electronic communications) is prohibited unless:
  - the consent (in the prescribed manner and form) of the data subject is obtained, which need only be obtained once; or
  - it is to an existing customer, provided (i) the contact details were obtained in the context of a sale of a product; (ii) it is for similar products or services; and (iii) an opt-out was provided when the information was collected and is provided with each subsequent communication
 Details of the sender and opt-out contact details are required

15 Exemptions
 The Regulator may, by notice in the Gazette, exempt a Responsible Party from compliance with the conditions if satisfied that:
  - the public interest outweighs, to a substantial degree, the right to privacy; or
  - there is a clear benefit to the data subject or a third party that outweighs, to a substantial degree, the right to privacy
 Public interest includes national security; the prevention, detection and prosecution of offences; the economic and financial interests of a public body; and the special importance of freedom of expression
 No need to comply with certain conditions (consent, direct collection, further processing limitation and notification) in the discharge of a relevant function: protection of the public against eg. financial crimes and practices (incl. dishonesty, malpractice etc.) and improper or incompetent professional conduct

16 Codes of Conduct
 Must be issued by the Regulator on its own initiative or on application by an industry body/class
 Must incorporate all the conditions for lawful processing, or set out functional equivalents, and prescribe how the conditions are to be applied in the context of the relevant sector
 Must also specify appropriate measures for any information matching programmes (comparing documents containing the personal information of ten or more data subjects), or for protecting the legitimate interests of data subjects in the case of automated decision making

17 Enforcement: Information Regulator
 Independent statutory authority
 Powers and duties (extensive): can issue information notices and enforcement notices, and apply to court for search warrants
 Monitor and enforce compliance by responsible parties
 Develop and issue codes of conduct for various sectors
 Develop guidelines to assist with the application of the codes of conduct
 Authorise exemptions and conduct investigations
 Dispute resolution (mediator)

18 Civil Remedies
 Either the data subject or the Regulator may institute an action for damages, whether or not there is intent or negligence
 Defences:
  - Vis major
  - Consent
  - Fault on the part of the plaintiff
  - Compliance not reasonably practicable in the circumstances
  - Authorisation by the Regulator
 The court can award a wide range of damages, and all court orders must be published, including settlement agreements

19 Offences and Penalties
 Offences:
  - Obstruction of the Regulator
  - Breach of confidentiality
  - Failure to comply with an enforcement notice or information notice
 Penalties:
  - Obstructing or unlawfully interfering with the Regulator: fine or imprisonment for up to 10 years
  - Other offences: fine or imprisonment for up to 12 months
  - Administrative fines: up to R10 million

20 Questions?
