1. ONLINE PRIVACY & DATA PROTECTION VERINE ETSEBETH

2.  INTRODUCTION  TRADITIONAL VERSUS ONLINE DATA PROTECTION “We leave data everywhere we go” “What happens to our data happens to ourselves” Who controls our data controls our lives”

3.  CHALLENGES FACING ONLINE DATA PROTECTION  INTERNATIONAL LEGISLATIVE DEVELOPMENTS IN RESPONSE TO ONLINE PRIVACY CONCERNS  Individual country response: 1. EU 2. UK 3. CANADA 4. AUSTRALIA 5. USA

4.  ESSENTIAL MEASURES INTRODUCED BY COUNTRIES:  1. Consent requirement mechanism  2. Access requirement mechanism  3. Onward transfer provisions  4. Notice requirement mechanism  5. Information security mechanism  6. Spam regulation

5.  importance of online privacy  physical world privacy vs. online privacy  past – personal information kept under lock & key in offices  now – electronically available, anywhere, anytime, anyplace  Problem (1) electronic data is easily transferable (2) businesses share information in-discriminatorily Solution to the problem = Legislature introduced PROTECTION OF PERSONAL INFORMATION BILL (PPI Bill)

6. Natural persons & Juristic persons individual  any individual business entity  any business entity  For example:  Close Corporations  Private & Public Companies  Partnerships  Businesses that have been incorporated

7.  personal information information about an identifiable person – e.g.:  gender, religion, race, etc  fingerprints, blood type (DNA)  medical records

8.  data subject  the person who provides information about himself/herself  data controller  the person who collects, processes, stores and uses information  third party  person to whom data is disclosed

9. SA does not have separate legislation dealing exclusively with privacy protection Applicable law is fragmented Mirrors the EU Data Protection Directive

11.  The data controller must disclose to data subject the purpose(s) for which it is going to use the collected information  Purpose must be stated with relative degree of certainty  Purpose may not be defined in general, vague terms

12.  Before the data controller will be entitled to collect, use or process any personal information, it must obtain the prior written consent from the data subject to do so  Consent requirement = key feature of PPI Bill  Without consent no data that might have been collected may be used in any manner  Unlawful usage can result in huge fines & possibility of imprisonment

13.  Data controller must ensure that data which is collected is accurate, current and up-to- date  Two token identification generally required in SA

14.  When collecting, using and/or processing the personal information the data controller must at all relevant times inform the data subject of his/her rights  This would entail informing the data subject EXACTLY which statutes protect him/her & what remedies are available to him/her if they feel their rights have been violated

15. A data controller may not retain the personal information collected for any period longer than is necessary for the stated purpose The period for which the data controller decides to retain the information must therefore be reasonable & justifiable. KEY QUESTION = can you motivate why you are still retaining the data collected to a court of law? Position in America

16. A data controller must destroy any collected information that is no longer needed or used by them. Destruction ≠ deletion

17. 8. CROSS-BORDER TRANSFER OF INFO

18. data controller must take adequate security measures to protect the confidentiality, integrity and availability of the information (cia) confidentiality: no unauthorised persons should be permitted to view the information encryption and cryptography integrity: no unauthorised person may alter the information encryption and digital signatures availability: information must be readily available on demand digital signatures & pki

19. any questions???