Protection of Personal Information
Seminar presented by Adv. Alan Lambert
Sunnyside Hotel
25 October 2012

Agenda
• Introduction.
• Purpose, definition and application.
• Conditions for lawful processing.
• Exemptions from the processing Conditions.
• Supervision.
• Prior authorisation, codes of conduct, direct marketing, automated decision making and transborder transfers.
• Enforcement, offences, penalties and administrative fines

Introduction
• POPI is set to become law shortly and will bring South Africa in line with other jurisdictions that have similar legislation (such as the 1995 EU Directive, currently under review).
• POPI will place a significant compliance burden on companies and public bodies, as such bodies are likely to possess substantial personal data records (electronically and hard copy).

Introduction
• POPI will become South Africa’s primary legislation dealing with the processing of personal information.
• POPI will significantly affect the manner in which companies collect, store, process and disseminate personal information.

Privacy laws around the globe

Chapters 1 & 2 of the Bill
Purpose, definitions and application
Sections 1 - 7
TH!NK PRIVACY

Purpose of POPI
• POPI:
  – gives effect to the constitutional right to privacy;
  – regulates the manner in which personal information may be processed; and
  – provides rights and remedies to protect personal information.
• Promotes the protection of personal information processed by the private and the public sectors.

What is personal information? (“PI”)
• PI relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including, but not limited to:
  – race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;

What is PI?
  – education, medical, financial, criminal or employment history;
  – the biometric information of the person;
  – personal opinions, views or preferences;
  – ID number, symbol, e-mail address, physical address, telephone number or other particular assignment to a person;
  – private or confidential correspondence;
  – the personal views, opinions or preferences of the person;
  – a name if it appears together with other PI or if disclosure of the name itself would reveal PI about the person; and
  – the views or opinions of another individual about the person.

PI in the workplace
• POPI applies to PI that employers may collect and keep on any person who might wish to work, works, or has worked for the employer. Such people include:
  – applicants (successful or unsuccessful);
  – former applicants (successful or unsuccessful);
  – employees (current and former);
  – agency staff (current and former);
  – casual staff (current and former);
  – temporary staff (current and former); and
  – contract staff (current and former).

What is processing of PI?
• Is any operation or activity, whether or not by automatic means, including:
  – collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  – dissemination by means of transmission, distribution or making available in any form;
  – merging, linking, as well as restriction, degradation, erasure or destruction.

Processing lifecycle

What is a record and responsible party?
• A record is any recorded information regardless of form or medium, including:
  – writing, electronic information, label, marking, image, film, map, graph, drawing, tape;
  and is
  • in the possession or under the control of a responsible party;
  • whether or not it has been created by the responsible party; and regardless of when it came into existence.
• A responsible party is a public or private body which determines the purpose and means of processing PI.

Other key concepts
• ‘consent’ – any voluntary, specific and informed expression agreeing to the processing of PI;
• ‘data subject’ – means the person to whom the PI relates;
• ‘de-identify’ – means to delete any information that:
  – identifies the data subject;
  – can be used or manipulated to identify the data subject;
  – can be linked to other information to identify the data subject;

Application provisions
• POPI applies to the processing of PI by a responsible person domiciled in the Republic and where processing happens in the Republic*;
• POPI will override other legislation that contains inconsistent provisions relating to the processing of PI.
• If other legislation provides for more extensive conditions for the processing of PI the other legislation will prevail.
*unless the processing is used solely to forward PI through the Republic.

Rights of a data subject
• A data subject has the right (amongst others):
  – to object, on reasonable grounds, to the processing of his, her or its PI;
  – to be notified that PI has been accessed or acquired by an unauthorised person;
  – to establish whether a responsible party holds PI and request access to it;
  – to request the correction, destruction or deletion of his, her or its PI.

Information excluded
• POPI excludes processing of PI:
  – for purely personal or household activity;
  – that has been de-identified to the extent that it cannot be reidentified again;
  – by or on behalf of a public body and:
    • which involves national security; or
    • the purpose of which is the prevention, detection, investigation or proof of offences;
  – solely for the purpose of literary or artistic expression, to the extent that the right to privacy is balanced with the right to freedom of expression;
  – by Cabinet, its committees and Executive Council of provinces.

Chapter 3 of the Bill
Conditions for the lawful processing of personal information & Processing of special personal information
Sections 8 to 35

Some things to keep in mind …
• Staff training
• Company policies & procedures
• Company documents
• IT systems
• Organisational structure
• Security

Condition 1. Accountability
• The responsible party must ensure that the conditions set out in Chapter 3 are complied with at the time of:
  – determining the purpose;
  – collecting the PI; and
  – during the processing itself.

Condition 2. Processing limitations
• PI must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject;
• PI may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

Condition 2. Processing limitations
• PI may only be processed if:
  – the data subject consents to the processing;
  – processing is necessary for the conclusion or performance of a contract to which the data subject is a party;
  – there is a legal obligation to do the processing;
  – processing protects the legitimate interests of the data subject;
  – processing is necessary for the proper performance of a public law duty by a public body;
  – processing is necessary for the pursuit of legitimate interests of the responsible party.

Condition 2. Processing limitations
• A data subject may object, at any time, on reasonable grounds, to the processing of their PI. The responsible party may then no longer process the PI.
• PI must be collected directly from the data subject except if:
  – the information is contained in a public record or has deliberately been made public by the data subject;
  – the data subject has consented to the collection from another source;

Condition 2. Processing limitations
  • collection from another source would not prejudice a legitimate interest of the data subject;
  • collection from another source is necessary:
    – to maintain law and order;
    – to enforce legislation concerning the collection of revenue;
    – for the conduct of court or tribunal proceedings;
    – in the interests of national security;
    – to maintain the legitimate interests of the responsible party.
  • compliance would prejudice a lawful purpose of the collection; or
  • compliance is not reasonably practicable in the circumstances of the particular case.

Condition 3. Purpose specification
• PI must be collected for a specific, explicitly defined and lawful purpose related to the function or activity of the responsible party.
• The data subject must be made aware of the purpose of the collection.
• Records must not be retained any longer than is necessary for achieving the purpose for which it was collected unless:
  – further retention is required by law;
  – the responsible party reasonably requires to keep it;
  – retention is required by a contract between the parties;
  – the data subject consents to the further retention.

Condition 3. Purpose specification
• Records may be retained for longer periods for historical, statistical or research purposes if the responsible party establishes appropriate safeguards against the information being used for any other purpose.
• PI must be destroyed, deleted or de-identified as soon as is reasonably practical.
• Destruction or deletion must be done in a manner that prevents its reconstruction in an intelligible form.

Condition 3. Purpose specification
• A responsible party must restrict processing of PI if:
  – its accuracy is contested by the data subject, until the accuracy is verified;
  – the responsible party no longer needs the PI for achieving the purpose for which it was collected, but it needs to be retained for purposes of proof;
  – the processing is unlawful and the data subject opposes its destruction or deletion.
• Where a restriction is lifted, the data subject must be informed of the lifting.

Condition 4. Further processing limitation
• Further processing must be compatible with the purpose for which it was collected. Account must be taken of:
  – the relationship between the purpose of the further processing and the purpose for which the PI was collected;
  – the nature of the information;
  – consequences of further processing for the data subject;
  – any contractual rights and obligations; and
  – the manner in which the information was collected.

Condition 4. Further processing limitation
• The further processing is not incompatible if:
  – the data subject gives consent to further processing;
  – the information is available in a public record or has been made public by the data subject;
  – further processing is necessary:
    • to avoid prejudice to the maintenance of law and order;
    • to comply with an obligation imposed by law;
    • for the conduct of proceedings in any court or tribunal; or
    • in the interest of national security.

Condition 4. Further processing limitation
  – further processing is necessary to prevent or mitigate a serious and imminent threat to:
    • public health or safety; or
    • the life or health of the data subject or another individual.
  – the information is used for historical, statistical or research purposes and the responsible party ensures that further processing is carried out solely for such purposes; or
  – the further processing is in accordance with an exemption granted by the Regulator.

Condition 5. Information quality
• A responsible party must take reasonably practical steps to ensure that PI is complete, accurate, not misleading and updated where necessary.

Condition 6. Openness
• When collecting PI the responsible party must take reasonably practicable steps to ensure the data subject is aware of:
  – the information being collected;
  – the name and address of the responsible party;
  – the purpose for which the information is being collected;
  – whether or not the supply of the information is voluntary or mandatory;
  – the consequences of failure to provide the information;
  – any particular law authorising the requiring of the collection;

Condition 6. Openness
  – the right of access to and the right to rectify the information collected;
  – the fact that, where applicable, the responsible party intends to transfer the information to a third country/international organisation and the level of protection afforded by that third country/organisation; and
  – the right to object to the processing of the information.
• This must be done prior to collecting PI if the PI is collected directly from the data subject, or in any other case as soon as is reasonably practical after collection.

Condition 6. Openness
• It is not necessary to comply with the condition of openness if:
  – the data subject consents to the non-compliance;
  – compliance will prejudice the legitimate interest of the data subject;
  – non-compliance is necessary:
    • to maintain law and order;
    • to comply with obligations imposed by law;
    • for the conduct of proceedings in any court or tribunal; or
    • in the interest of national security.

Condition 6. Openness
  – compliance would prejudice a lawful purpose of collection;
  – compliance is not reasonably practicable or the information will:
    • not be used in a form in which the data subject may be identified; or
    • be used for historical, statistical or research purpose.

Condition 7. Security safeguards
• A responsible party must secure the integrity and confidentiality of the PI in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
  – loss, damage or unauthorised destruction of the PI;
  – unlawful access to, or processing of the PI.
• Due regard must be had to generally accepted information security practices and procedures – generally and industry specific.

Condition 7. Security safeguards
• A responsible party must take reasonable measures to:
  – identify foreseeable internal and external risks to PI in its possession or under its control;
  – establish and maintain appropriate safeguards against risks identified;
  – regularly verify that the safeguards are effectively implemented; and
  – ensure that safeguards are regularly updated in response to new risks.

Condition 7. Security safeguards
• Anyone processing PI on behalf of a responsible party must:
  – treat the information as confidential and not disclose it unless required by law;
  – apply the same security measures as the responsible party;
  – the processing must be governed by a written contract ensuring safeguards are in place; and
  – if domiciled outside the Republic, comply with local protection of personal information laws.
• It is the responsible party’s duty to ensure compliance with the above.

Condition 7. Security safeguards
• Where there are reasonable grounds to believe that PI has been accessed or acquired by any unauthorised person the responsible party must:
  – notify the Regulator; and
  – the data subject.
• Notification must be done as soon as possible after the discovery of the compromise.

Condition 7. Security safeguards
• Notification to the data subject must be in writing and communicated in at least one of the following ways:
  – mailed to last known physical or postal address;
  – e-mailed to last known e-mail address;
  – placed in a prominent position of the responsible party's website;
  – published in the news media; or
  – as may be directed by the Regulator.
• The notification must contain enough data to allow the data subject to take protective measures.

Condition 8. Data subject participation
• Access to PI:
  – request confirmation, free of charge, whether or not the responsible party holds PI about the data subject; and
  – request the record or description of the PI, including information about the identity of all third parties who have had access to the information – a non-excessive fee may be charged.
  – a responsible party may or must refuse to disclose information in terms of parts 2 and 3 of PAIA.

Condition 8. Data subject participation
• Correction of PI – data subject may request responsible party to:
  • correct or delete PI that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully;
  • delete or destroy PI that the responsible party is no longer authorised to retain.

Special personal information
• A responsible party may not process special PI unless:
  – processing is carried out with the consent of the data subject;
  – processing is necessary due to legal obligations;
  – processing is for historical, statistical or research purposes to the extent that:
    • the purpose serves public interest; or
    • it would be impossible or involve disproportionate effort to ask for consent; and
    • sufficient guarantees are provided to ensure that the processing does not adversely affect the privacy of the data subject to a disproportionate extent.

Special personal information
  – the information has deliberately been made public by the data subject; or
  – provisions of sections 28 to 34 are complied with.
• The Regulator may, upon application, and by notice in the Gazette authorise a responsible party to process special PI if such processing is in the public interest and appropriate safeguards have been put in place.

Section 28: Religious and philosophical beliefs
• The prohibition does not apply if the processing is carried out by:
  – spiritual or religious organisations if the special information concerns data subjects belonging to those organisations; and
  – the special information may not be supplied to third parties without the consent of the data subject.

Section 29: Race or ethnic origin
• The prohibition does not apply if the processing is carried out to:
  – identify data subjects and only when this is essential for that purpose; and
  – comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination.

Section 30: Trade union membership
• The prohibition does not apply to the processing by the trade union to which the data subject belongs if such processing is necessary to achieve the aims of the trade union.
• No PI held by a trade union may be supplied to third parties without the consent of the data subject.

Section 32: Health or sex life
• The prohibition does not apply to the processing carried out by:
  – medical professionals, healthcare institutions/facilities or social services if such processing is necessary for the proper treatment and care of the data subject;
  – insurance companies, medical aid schemes, medical aid scheme administrators and managed health care organisations if the processing is necessary for:

Section 32: Health or sex life
    • assessing the risk to be insured or covered and the data subject has not objected to the processing;
    • the enforcement of any contractual rights and obligations.
  – schools, if such processing is necessary to provide special support for learners;
  – administrative bodies, pension funds and employers if such processing is necessary for:
    • the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life data of the data subject; or
    • the reintegration or support of workers entitled to benefit in connection with any sickness or work incapacity.

Section 32: Health or sex life
• The information may only be processed subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.
• PI concerning inherited characteristics may not be processed unless:
  – a serious medical interest prevails; or
  – the processing is necessary for historical, statistical or research activity.

Section 33: Criminal behaviour
• The prohibition does not apply if the processing is carried out by bodies charged by law with applying criminal law.
• The prohibition does not apply to responsible parties who process the information for their own lawful purposes to:
  – assess an application in order to take a decision about, or provide a service to, that data subject; or
  – protect their legitimate interests in relation to criminal offences which have been, or can reasonably be expected to be, committed against them or against persons in their service.

Sections 34 & 35: Children
• A responsible party may not process the PI concerning a child unless the processing:
  – has the prior consent of a competent person;
  – is necessary for the establishment, exercise or defence of a right or obligation in law;
  – is for historical, statistical or research purposes to the extent that:
    • the purpose serves public interest; or
    • it appears impossible or would involve a disproportionate effort to ask for consent.

Chapter 4 of the Bill
Exemption from conditions for processing of personal information
Sections 36 to 38

Exemption
• Processing of PI is not in breach of a condition if the Regulator grants an exemption by giving notice in the Gazette if the Regulator is satisfied that:
  – public interest outweighs, to a substantial degree, any interference with the privacy of the data subject; or
  – processing involves a clear benefit to the data subject or third party that outweighs, to a substantial degree, any interference with the privacy of the data subject.
Public interest includes interest of national security, prevention, detection or prosecution of offences, important economic and financial interests of a public body and historical, statistical or research activity.

Chapter 5 of the Bill
Supervision
Information Regulator & Information Officer
Sections 39 to 56

Information Regulator
• The Bill provides for the “Information Regulator” that:
  – has jurisdiction throughout the Republic;
  – is independent, impartial and must exercise its powers without fear, favour or prejudice;
  – must exercise its powers and perform its functions in accordance with POPI and PAIA; and
  – is accountable to the National Assembly.

Information Regulator
• The powers, duties and functions of the Regulator are:
  – to provide education and give advice;
  – to monitor and enforce compliance;
  – to consult with interested parties;
  – to handle complaints;
  – to conduct research and report to Parliament;
  – to issue, make guidelines and approve codes of conduct;
  – to facilitate cross-border cooperation; and

Information officer
• PAIA is applicable with the necessary changes – the information officer of a private body is the CEO, or equivalent officer.
• A private body must designate persons, if any, as deputy information officers to perform the duties required in terms of the Bill.
• Deputy information officers must be registered with the Regulator.

Information officer
• An information officer’s responsibilities include:
  – encouraging compliance for lawful processing of PI;
  – dealing with requests made pursuant to the Bill;
  – working with the Registrar in relation to investigations;
  – ensuring compliance with the Bill; and
  – as may be prescribed by the Regulator.

Chapters 6 to 9 of the Bill
Codes of Conduct
Direct Marketing
Automated Decision Making
Transborder Information Flows
Sections 57 to 72

Prior Authorisation
• Prior authorisation is needed only once and not each time that PI is received or processed, except where the processing departs from that which has previously been authorised.
• Prior authorisation is not applicable if a code of conduct for a specific sector has come into force.

Codes of Conduct
• A code must:
  – incorporate all 8 conditions for lawful processing;
  – prescribe how the conditions are to be applied, given the particular features of the sector or sectors;
  – specify appropriate measures for PI matching programmes if applicable;
  – provide for review of the code by the Regulator; and
  – provide for the expiry of the code.

Codes of Conduct
• A code may apply to any one or more of the following:
  – any specified information or class of information;
  – any specified body or class of bodies;
  – any specified activity or class of activity; or
  – any specified industry, profession, or vocation or classes thereof.

Direct marketing
• Direct marketing means unsolicited electronic communication.
• The processing of PI for the purpose of direct marketing by any form of electronic communication* is prohibited unless the data subject:
  – has given consent; or
  – is a customer of the responsible party and if:
    • the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
* Includes automatic calling machines, facsimile machines, SMSs or e-mail

Direct marketing
    • it is for marketing the responsible party’s own similar products or services; and
    • if the data subject has been given reasonable opportunity to object, free of charge, at the time the information was collected or on the occasion of each communication for the purpose of marketing.
• A responsible party may only approach a data subject whose consent is required, and who has not previously withheld such consent, once to gain consent and such consent must be in the prescribed manner and form.

Automated decision making
• A data subject may not be subject to a decision which affects him, her or it to a substantial degree which is based solely on the automated processing of PI intended to provide a profile of such person unless:
  – the decision is taken in connection with the conclusion or execution of a contract; and
  – appropriate measures have been taken to protect the data subject’s interests.
  – there must be an opportunity for the data subject to make representations about a decision made; and
  – the responsible party must provide sufficient information to enable the data subject to make such representation.

Transborder information flows
• PI may not be transferred to a third party in a foreign country unless:
  – the recipient is subject to a law or agreement which provides an adequate level of protection that:
    • effectively upholds substantially similar conditions for the lawful processing of PI; and
    • includes substantially similar provisions relating to the further transfer of PI to third parties in foreign countries;

Transborder information flows
  – the data subject consents to the transfer;
  – the transfer is necessary for the performance or conclusion of a contract between the data subject and responsible party;
  – the transfer is necessary for the performance or conclusion of a contract concluded in the interests of the data subject between the responsible party and a third party; or

Transborder information flows
  – the transfer is for the benefit of the data subject, and:
    • it is not reasonably practical to obtain consent; and
    • if it were reasonably practical to obtain consent, the data subject would be likely to give it.

Chapters 10 & 11 of the Bill
Complaints and enforcement
Offences, penalties and administrative fines
Sections 73 to 109

Complaints
• Interference with the protection of PI of a data subject consists of:
  – any breach of the conditions for lawful processing;
  – a breach of the provisions of a code of conduct;
  – non-compliance regarding:
    • notification of security compromises;
    • direct marketing;
    • automated decision making; or
    • transborder information flows.

Complaints
• Complaints must be made to the Regulator in writing.
• On receipt of a complaint the Regulator must conduct a pre-investigation into the matter and may:
  – decide to take no action;
  – decide to conduct a full investigation;
  – refer the complaint to the Enforcement Committee; or
  – refer the complaint to another regulatory body if it falls more properly within the jurisdiction of the other regulatory body.

Complaints
• The Regulator may, on its own initiative, commence an investigation.
• The Regulator has the power to summon the appearance of persons, require information under oath, enter and search premises and conduct private interviews.
• If entrance is unreasonably refused, a warrant may be issued but only after 7 days have lapsed after a written request for entrance has been given.

Enforcement
• After completing an investigation into a complaint the Regulator may refer such matter to the Enforcement Committee for consideration, a finding and recommendations.
• The Enforcement Committee:
  – must consider all such referrals and make a finding; and
  – may make recommendations to the Regulator for any action that should be taken against:
    • a responsible party; or
    • an information officer or head of a private body.

Enforcement
• If the Regulator is satisfied that a responsible party has interfered with the protection of PI of a data subject, the Regulator may issue an enforcement notice requiring the responsible party to either:
  – take specified steps within a specific period; or
  – stop processing PI specified in the notice within a specific period.
• A responsible party may request amendments to, or cancellation of, an enforcement notice due to changed circumstances.
• A responsible party may appeal within 30 days of receiving the enforcement notice to the High Court.

Offences, penalties and fines
• Any person who hinders, obstructs or unlawfully influences the Regulator or any person acting under the direction of the Regulator is guilty of an offence.
• A responsible party which fails to comply with an enforcement notice is guilty of an offence.
• For the above – Imprisonment not exceeding 10 years and/or a fine.

Offences, penalties and fines
• A responsible party which in purported compliance with an enforcement notice makes a statement knowing it to be false is guilty of an offence.
• Any person who intentionally obstructs a person in the execution of a warrant is guilty of an offence.
• For the above – Imprisonment not exceeding 12 months and/or a fine.

Administrative fines
• The Regulator may issue, by way of hand delivery, a responsible party (“infringer”) with an infringement notice.
• Such notice must specify the amount of an administrative fine payable up to a maximum of R 10 million.
• Within 30 days of receipt of such notice the infringer may:
  – pay the administrative fine;
  – make instalment arrangements to pay the fine; or
  – elect to be tried in court on a charge of having committed an offence in terms of the Bill.

Administrative fines
• Failure to comply with an infringement notice may result in the Regulator filing a statement with any competent court that the amount of the fine is correct, and such statement thereupon has all the effects of a civil judgement.
• Administrative fines and prosecution are mutually exclusive.
• Fines payable must be paid into the National Revenue Fund.

Chapter 12 of the Bill
Transitional arrangements
Section 114

Transitional arrangements
• Expected timeframe for implementation:
  – the National Assembly approved the Bill on 11 September;
  – Bill was sent to the NCoP on 20 September; and
  – If the NCoP has no issues with the Bill it will probably be enacted within 2 months.
• All processing of PI must within one year after the commencement of the Act be done in conformance with the Act.

Any questions?