Implications of the PoPI Act for the higher education sector

Presentation on theme: "Implications of the PoPI Act for the higher education sector"— Presentation transcript:

1 Implications of the PoPI Act for the higher education sector

2 Protection of Personal Information (POPI) Act No. 4 of 2013
POPI IS LAW – ACT NOW! What should you be asking?

Protection of Personal Information (POPI) Act No. 4 of 2013. Gazetted in late 2013, with partial commencement in April 2014. Now is the time to get things moving in terms of compliance with the Act. Once the Act is made effective, companies will be given a year’s grace period to comply with the Act, unless this grace period is extended as allowed by the Act.

The President has signed a proclamation declaring some parts of the Protection of Personal Information Act No 4 of 2013 effective from 11 April 2014. The sections that became effective deal with the appointment of the Information Regulator. The National Assembly approved the appointment of members to the Information Regulator on 7 September 2016. The Regulator will be responsible for education, monitoring and enforcing compliance, handling complaints, performing research and facilitating cross-border cooperation. Adv Pansy Tlakula was appointed as the Information Regulator with effect from 1 December Adv Lebogang Stroom and Johannes Weapond were appointed as full-time members and Prof Tana Pistorius and Sizwe Snail were appointed as part-time members. They will serve a term of office of five years.

Protection of Personal Information Act, No 4 of 2013

The Protection of Personal Information Act was signed into law in November 2013, after being introduced in the National Assembly during The Act aims to promote the protection of personal information by private and public bodies and provide for minimum conditions that should be followed in the lawful processing of information. The Act also provides for the establishment of an Information Regulator. The President signed a proclamation, gazetted on 11 April 2014, in which the effective date of certain sections of the Act was proclaimed as 11 April 2014.
The following sections are in effect from 11 April 2014: section 1 which deals with the definitions in the Act; Part A of Chapter 5 which deals with the establishment of the Information Regulator, the powers, duties and functions of the Regulator, appointment and terms of office of members of the Regulator, appointment of staff and the chief executive officer; section 112 dealing with the fact that the Minister may make Regulations relating to the establishment of the Regulator and that the Regulator may make Regulations in terms of certain areas; and section 113 dealing with the procedures for making Regulations by the Minister and the Regulator. This is just the first step of the implementation of the Protection of Personal Information Act. Once section 114 is enacted all processing of personal information must conform to the requirements in the Act within one year after that date.

3 Does the POPI Act apply to the University?
Now is the time to get things moving in terms of compliance with the Act.

Does the POPI Act apply to the University? Does the University have to register an Information Officer?

The POPI Act is applicable to every business in South Africa that collects, uses, stores or destroys personal information of a data subject (see definition below), which is entered into a record by the business using automated and non-automated means. This Act requires every business to register an Information Officer with the Information Regulator. Prof Marlene Verhoef, Institutional Registrar, is appointed as the University’s Information Officer.

4 What are the obligations for the University under POPI
Some of the obligations are: only information that’s needed; security measures; relevant & up to date; only what you need, as long as you need; data subject - available upon request.

Some of the obligations are to: only collect information that you need for a specific purpose; apply reasonable security measures to protect it; ensure it is relevant and up to date; only hold as much as you need, and only for as long as you need it; allow the data subject of the information to see it upon request.

5 Important definitions
Personal information … is any piece of information that relates to a living, identifiable human being - anything that you can look at and say "this is about an identifiable person".

Data subject: A data subject is the person to whom the personal information relates.

Personal information is very widely defined: it is information relating to an identifiable, living natural person or juristic person and includes, but is not limited to:
Contact details: telephone, address, etc.
Demographic information: age, sex, race, birth date, ethnicity, etc.
History: employment, financial, educational, criminal, medical history.
Biometric information: blood type, etc.
Opinions of and about the person.
Private correspondence, etc.

6 Processing and the principles
All activities concerning personal information = processing. The principles: Accountability; Processing limitation; Purpose specification; Further processing limitation; Openness; Security safeguards; Data subject participation.

What is processing? Processing is very widely defined and includes a vast number of activities, whether or not undertaken by automatic means, concerning personal information.

What are the information processing principles? The information processing principles which form the core of POPI are:
Accountability: the University must ensure that the information processing principles are complied with.
Processing limitation: processing must be lawful, and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.
Purpose specification: personal information must be collected for a specific, explicitly defined and lawful purpose relating to a function or activity of the University.
Further processing limitation: this is where personal information is received from a third party and passed on to the responsible party for processing.
Openness: certain prescribed information must be provided to the data subject by the University, including what information is being collected, the name and address of the responsible party, the purpose for which the information is collected and whether or not the supply of the information by the data subject is voluntary or mandatory.
Security safeguards: the University must secure the integrity of personal information in its possession or under its control by taking prescribed measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information.
Data subject participation: a data subject has the right to request the University, free of charge: 1. to confirm whether or not the University holds personal information about the data subject, and to provide the record or a description of the personal information held; 2. to correct or delete personal information that is inaccurate, irrelevant, excessive, misleading or obtained unlawfully; and 3. to destroy or delete a record of personal information that the University is no longer authorised to retain.

7 Two last remarks & practical guide
Do I need to provide an opt in or opt out for direct marketing? Yes. The University should make use of both opt in and opt out options to make sure that the data subject understands and knows what he or she is consenting and objecting to.

So where is the “stick and carrot” for POPI? The University has twelve months to become fully compliant or face the prospect of some potentially stiff penalties (including fines of up to R10 million) or worse, reputational damage and loss of customers. That’s the “stick” part of the deal. (CONFIRM WITH WERNER)

The “carrot” aspect is the opportunity to boost confidence in the University by demonstrating the way sensitive personal data is managed. This means showing that the University has processes and procedures in place to handle effectively and securely all aspects of what’s covered in the POPI Act.

8 How we do it at the NWU
want to share with the conference attendees, the kind of requests you receive and how you go about dealing with them; if possible the number of requests you get in a month and lastly as an add on, how you go about updating the alumni database and the number we have on the system. And some of the challenges that we come across from the request we received....

9 Example application form on the NWU web