
2 PERSONAL INFORMATION BILL
COMMENTS ON THE DRAFT PROTECTION OF PERSONAL INFORMATION BILL by RANDHIR NAICKER 24 March 2006

3 CONTENT
Brief History and Objectives of the Draft Bill
Privacy in South Africa
  Common Law Right
  Constitutional Right
Provisions of the Draft Bill
  8 Core Principles of Information Protection
  Special Personal Information
  Other Provisions
Conclusion

4 8 CORE PRINCIPLES OF INFORMATION PROTECTION
1. Information can only be collected or stored if it is necessary for or directly related to a lawful, explicitly defined purpose and does not intrude upon the privacy of the data subject to an unreasonable extent.
2. Information must be collected directly from and with the consent of the data subject.
3. Data subjects must be informed of the purpose of any such collection and of the intended recipients of the information, at the time of collection.
4. Information must not be kept for any longer than is necessary for achieving the purpose for which it was collected.
5. Information must not be distributed in a way incompatible with the purpose for which it was collected.
6. Reasonable steps must be taken to ensure that the information processed is accurate, up to date and complete.
7. Appropriate technical and organisational measures have to be taken to safeguard the data subject against the risk of loss, damage, destruction of or unauthorised access to personal information.
8. Data subjects are allowed a right of access to their personal information and a right to demand correction if such information should turn out to be inaccurate.

5 S 14 - CONSTITUTION
Everyone has the right to privacy, which shall include the right not to have:
their person or home searched;
their property searched;
their possessions seized; or
the privacy of their communications infringed.
Section 14 is divided into 2 parts. The first relates to a general right to privacy and the second protects against specific forms of infringement.

6 EXCLUSIONS
S 4. This Act does not apply to the processing of personal information-
(a) in the course of a purely personal or household activity;
(b) that has been de-identified to the extent that it cannot be re-identified again;
(c) that has been exempted from the application of the information principles in terms of sec 33.

7 TERMS OF REFERENCE
"Data Subject" means the person to whom the personal information relates.
"Personal Information" means information about an identifiable, natural person, and in so far as it is applicable, an identifiable, juristic person, including and not limited to:
information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
information relating to the medical history of the person;
any identifying number, symbol or other particular assigned to the person;
the address, fingerprints and blood type of the person;
the views or opinions of another individual about that person;
the name of the person where it appears with other personal information relating to the person or where the disclosure of the name itself would reveal information about the person;
but excludes information about a natural person who has been dead for more than 20 years.

8 TERMS OF REFERENCE
"Processor" means the person or body which processes personal information for the responsible party, without coming under the direct authority of that party.
"Processing" means any operation or any set of operations concerning personal information, including in any case the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, erasure or destruction of information.
"Record" means any recorded information regardless of form or medium and includes any writing on any material, and information produced, recorded or stored by means of any computer equipment.
"Responsible Party" means the natural person, juristic person, administrative body or any other entity which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

9 PRINCIPLE 1 – PROCESSING LIMITATION
S 9 (1) Personal information may only be processed where the:
(a) data subject has given consent for the processing; or
(b) processing is necessary for the performance of a contract or agreement to which the data subject is party, or for actions to be carried out at the request of the data subject and which are necessary for the conclusion or implementation of a contract; or
(f) processing is necessary for upholding the legitimate interests of the responsible party or a third party to whom the information is supplied.

10 PRINCIPLE 1 – PROCESSING LIMITATION continued
S 10 (1) Personal information must be collected directly from the data subject unless, in terms of s 10(2), inter alia:
(b) the data subject authorises the collection of the information from someone else; or
(c) non-compliance would not prejudice the interests of the data subject; or
(d) compliance would prejudice a purpose of the collection; or
(f) compliance is not reasonably practicable in the circumstances of the particular case; or
(g) the information –
  (i) will not be used in a form in which the individual concerned is identified; or
  (ii) will be used for statistical or research purposes and will not be published in a form that could identify the individual concerned.

11 PRINCIPLE 2 – PURPOSE SPECIFICATION
S 11 Personal information must be collected for a specific, explicitly defined and legitimate purpose.
S 13 (1) Subject to subsections (2) and (3), records of personal information must not be kept in a form which allows the data subject to be identified any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless-
(a) another law requires or authorises the responsible party to retain the record;
(b) the responsible party reasonably requires the record for purposes related to its operation;
(c) the record is retained in terms of any contractual rights or obligations of the parties;
(d) the data subject has authorised the responsible party to retain the record.
S 13 (2) Records of personal information may be retained for periods in excess of those provided for under (1) only where the retention of these records is for historical, statistical or scientific purposes, and where the responsible party has established appropriate safeguards against the records being used for any other purposes.

12 PRINCIPLE 3 – FURTHER PROCESSING LIMITATION
S 14 (1) Personal information must not be further processed in a way incompatible with the purpose for which it has been collected in terms of principle 2.
S 14 (2) For the purposes of assessing whether processing is incompatible, as referred to under subsection (1), the responsible party must take account of the following:
(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been obtained;
(b) the nature of the information concerned;
(c) the consequences of the intended further processing for the data subject;
(d) the manner in which the information has been obtained; and
(e) any contractual rights and obligations existing between the parties.

13 PRINCIPLE 4 – INFORMATION QUALITY
S 15. The responsible party must take the reasonably practical steps, given the purpose for which personal information is collected or subsequently processed, to ensure that the personal information is complete, not misleading, up to date and accurate.

14 PRINCIPLE 5 – OPENNESS
S 16 (1) Personal information may only be collected by a responsible party that has notified the Commission accordingly in terms of this Act, and which notification has been noted in a register kept by the Commission for this purpose.
S 16 (2) Where a responsible party collects personal information about a data subject, the responsible party must take such steps as are, in the circumstances, reasonably practicable to ensure that the data subject is aware of:
(a) the fact that the information is being collected;
(b) the name and address of the responsible party;
(c) whether the supply of the information by that data subject is voluntary or mandatory, and the consequences of failure to reply; and
(d) where the collection of information is authorised or required under any law, the particular law to which the collection is subject.

15 PRINCIPLE 6 – SECURITY STANDARDS
S 17 (1) The responsible party must implement appropriate technical and organisational measures to secure-
(a) the integrity of personal information by safeguarding against the risk of loss of, or damage to, or destruction of personal information; and
(b) against the unauthorised or unlawful access to or processing of personal information.
S 17 (2) The responsible party must take measures to:
(a) identify all reasonably foreseeable internal and external threats to personal information in its possession or under its control;
(b) establish and maintain appropriate safeguards against the risks identified;
(c) regularly verify that the safeguards are effectively implemented; and
(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
S 17 (3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and obligations.

16 PRINCIPLE 7 – INDIVIDUAL PARTICIPATION
S 22 (1) Where a responsible party holds personal information, the data subject is entitled to -
(a) request correction of the information; or
(b) request that there be attached to the information a statement of the correction sought but not made.
S 22 (2) A responsible party that holds personal information must, if so requested by the data subject or on its own initiative, take such steps (if any) to correct that information as are, in the circumstances, reasonable to ensure that, having regard to the purposes for which the information may lawfully be used, the information is accurate, up to date, complete, and not misleading.

17 PRINCIPLE 8 – ACCOUNTABILITY
S 23. The responsible party must ensure that the measures that give effect to the principles set out in this chapter are complied with.

18 SPECIAL PERSONAL INFORMATION
S 24. It is prohibited to process personal information concerning a person's race, health or sexual life . . . except where the data subject has given his or her explicit consent to the processing of the information or as otherwise provided in this section.
S 29 (1). The prohibition on processing personal information concerning a person's health or sexual life does not apply where the processing is carried out by:
(a) medical professionals, healthcare institutions or facilities or social services, provided that this is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned.

19 SOUTH AFRICAN LAW COMMISSION
Comments and submissions should be addressed to: The Secretary SA Law Reform Commission Private Bag X668 Pretoria 0001 Tel : (012) Fax : (012)
