POPI Seminar

The Protection of Personal Information: PRIVACY BY DESIGN PROJECT

Presentation by Verlie Oosthuizen


Page 2: POPI Seminar

PROTECTION OF PERSONAL INFORMATION ACT, 4 of 2013

“POPI”

Page 3: POPI Seminar

Protection of Personal Information Act (“POPI”)

• POPI was enacted in November 2013

• Commencement date still to be determined

• Entities have one year from the commencement date to become compliant; this period may be extended to a maximum of three years if necessary

• Information Regulator’s office currently being established – appointments passed 07/07/2016

• Appointments with effect from 01/12/2016

• The Regulator will deal with both POPI and PAIA (the Promotion of Access to Information Act)

Page 4: POPI Seminar

What is “Personal Information”?

Information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person, including information relating to:

– race, gender, sex, marital status, pregnancy, national, ethnic or social origin, colour, sexual orientation, age;

– education, medical, financial, criminal or employment history;

– image, ID number, email address, physical address, telephone number, location information;

– biometric information;

– personal opinions or preferences of the person, or opinions of another person about the person;

– the person’s name if it appears with other personal information, OR if disclosure of the name itself would reveal something about the person.

Page 5: POPI Seminar

What is “Special Personal Information”?

Personal information concerning a person’s:

• religious or philosophical beliefs;

• race or ethnic origin;

• trade union membership;

• political persuasion;

• health or sex life;

• biometric information;

• criminal offences (or alleged offences) and related proceedings.

Page 6: POPI Seminar

Who has “Personal Information”?

• HR departments – employee records;

• Schools, colleges, universities;

• Accountants who process payroll, conduct audits, prepare AFS, etc;

• Medical professionals, hospitals and clinics;

• Attorneys;

• Banks and debit order processing companies;

• Direct marketing companies;

• Directory compilers;

• Compliance and verification professionals;

• Businesses holding third party information;

• Businesses with mailing lists or offering online shopping;

• Businesses holding completed credit applications, contracts, service level agreements, etc.

Page 7: POPI Seminar

Exclusions from POPI

POPI does not apply to personal information which:

1. is processed in the course of a purely personal or household activity (e.g. a household’s records about its domestic worker, online dating information, etc);

2. has been de-identified to the extent that it cannot be re-identified (e.g. statistical information with names removed);

3. is processed by or on behalf of a public body for purposes of national security, or of combating terrorist activities and money laundering (e.g. the Financial Intelligence Centre established under FICA);

4. is processed by Cabinet and its committees;

5. relates to the judicial functions of a court; or

6. is processed solely for journalistic, literary or artistic expression (within reason).

Page 8: POPI Seminar

Exemptions from POPI

The Information Regulator may, on application, exempt any person from complying with POPI if the public interest outweighs the data subject’s right to privacy.

Examples of such public interest:

• the interests of national security;

• the prevention, detection or prosecution of offences;

• important economic and financial interests of a public body;

• historical, statistical or research purposes, or freedom of expression.

Page 9: POPI Seminar

The Information Lifecycle

Page 10: POPI Seminar

Privacy by Design

• The European Union has unified data protection across its member states into a single law, the General Data Protection Regulation (GDPR). It was adopted in 2016 and applies from 25 May 2018.

• The GDPR has adopted the Privacy by Design principles developed in Canada by the Information and Privacy Commissioner of Ontario (Ann Cavoukian); the GDPR refers to them as “data protection by design and by default”.

• The US Federal Trade Commission has also recognised Privacy by Design as a recommended approach.

• Privacy by Design is becoming the general model for data protection. The principles are adapted to suit the needs of a particular business.

• There are 7 foundational principles. They have been adopted worldwide and have been translated into 31 official languages.

• Privacy by Design is therefore the emerging international guideline for data protection best practice.

Page 11: POPI Seminar

Privacy by Design Principles

• (1) PROACTIVE not reactive; PREVENTATIVE not remedial

• (2) Privacy as DEFAULT setting

• (3) Privacy EMBEDDED into design

• (4) Full Functionality – POSITIVE SUM not Zero Sum

• (5) End to End Security – FULL LIFE CYCLE PROTECTION

• (6) VISIBILITY and TRANSPARENCY - keep it open

• (7) RESPECT for user privacy – keep it USER-CENTRIC

Page 12: POPI Seminar

Trilogy of Applications

• INFORMATION TECHNOLOGY

– Use privacy enhancing technology

– Use technology to support privacy rather than treating it as a threat

• ACCOUNTABLE BUSINESS PRACTICES

– Privacy protection should be seen as good for business; cost should not be the limiting factor

– Not just a compliance issue

• PHYSICAL DESIGN & NETWORKED INFRASTRUCTURES

– The physical design of areas where information is kept should not be overlooked

Page 13: POPI Seminar

Privacy Impact Assessment

It is important to do a privacy impact assessment (PIA) and to look at the gaps and the risks in the business:

1. Identify the aim of the assessment

2. Describe the information flows

3. Identify the privacy and related risks

4. Identify the privacy solutions

5. Sign off and record the PIA outcomes

6. Integrate the outcomes into the project plan