Welcome all delegates to PoPIA Workshop Centurion Golf Estate 12 April 2018


Page 1

Welcome all delegates to

PoPIA Workshop

Centurion Golf Estate

12 April 2018

Page 2

Presented by

Dr Peter Tobin

CGEIT, PMIITPSA, PMP

POPI Act Compliance

For

Local Government

Page 3

Workshop Introduction

• Welcome, introduction to delegates

• Workshop administrative arrangements

• Workshop objectives & agenda

• Review of delegate materials

April 2018 Copyright Dr Peter Tobin, 2018

Page 4

Workshop Objectives

Demonstrate a clear understanding of

• What you need to do about Protection of Personal Information

• Where Protection of Personal Information rules apply

• Who needs to take action on the POPI Act

• When to take action on Data Privacy & Protection of Personal Information

• How to apply POPI Act compliance in practice

Page 5

Agenda - Morning session up to tea break

• Topic 1: Workshop Introduction - 08:30 to 08:45

• Welcome, introduction to delegates

• Workshop Objectives & Agenda

• Workshop administrative arrangements & review of delegate materials

• Topic 2: Introduction to the Protection of Personal Information Act (POPIA) - 08:45 to 09:30

• History and evolution of POPIA legislation in South Africa

• The 8 conditions of POPIA

• Other compliance requirements

• Topic 3: Why POPIA matters - 09:30 to 10:15

• Compliance with laws and regulations

• Codes of conduct

• POPIA “Stick & Carrot”

Page 6

Agenda - Morning session up to lunch

• Topic 4: What you need to do about Data Privacy & POPIA - 10:40 to 11:30

• What are Data Privacy & POPIA?

• What is the scope of impact?

• What action is required?

• Topic 5: Where Data Privacy & POPIA rules apply - 11:30 to 12:15

• Types of organisation

• Global geographic context

• Data and data subjects

Page 7

Agenda - Afternoon session up to tea break

• Topic 6: Special issues re Data Privacy & POPIA - 13:00 to 13:45

• Cloud computing

• Bring Your Own Device

• Mobile devices

• Topic 7: Practical examples of POPIA non-compliance - 13:45 to 14:45

• Violation examples presentation

• Violation examples exercise

• Violation examples and discussion

Page 8

Agenda - Afternoon session up to close

• Topic 8: Summative assessment - 15:00 to 15:45

• 20 question multiple choice assessment

• Workshop closure activities - 15:45 to 16:30

• Personal action plan

• Workshop feedback

• Recognition of achievements

• Closing ceremony including team and individual photographs

Day closes at 16:30

Page 9

Review of materials

• Please refer to your workshop materials

Page 10

Agenda - Morning session up to tea break

• Topic 1: Workshop Introduction - 08:30 to 08:45

• Welcome, introduction to delegates

• Workshop Objectives & Agenda

• Workshop administrative arrangements & review of delegate materials

• Topic 2: Introduction to the Protection of Personal Information Act (POPIA) - 08:45 to 09:30

• History and evolution of POPIA legislation in South Africa

• The 8 conditions of POPIA

• Other compliance requirements

• Topic 3: Why POPIA matters - 09:30 to 10:15

• Compliance with laws and regulations

• Codes of conduct

• POPIA “Stick & Carrot”

Page 11

Introduction to the Protection of Personal Information Act (POPIA)

• History and evolution of POPIA legislation in South Africa

• Privacy is addressed in the Constitution of the Republic of South Africa, 1996 - Chapter 2: Bill of Rights, section 14 Privacy

• Everyone has the right to privacy, which includes the right not to have

a) their person or home searched;

b) their property searched;

c) their possessions seized; or

d) the privacy of their communications infringed.

Page 12

Introduction to the Protection of Personal Information Act (POPIA)

• Access to information is addressed in the Constitution of the Republic of South Africa, 1996 - Chapter 2: Bill of Rights, section 32 Access to Information

• 32. Access to information

• Everyone has the right of access to

a) any information held by the state; and

b) any information that is held by another person and that is required for the exercise or protection of any rights.

Page 13

Introduction to the Protection of Personal Information Act (POPIA)

• POPIA was a Bill up to November 2013 when it received the assent of the President and appeared in the Government Gazette as Act No. 4 of 2013

• In April 2014 partial commencement of the POPI Act occurred to support the establishment of the Information Regulator South Africa (InfoRegSA)

• The InfoRegSA core team took office in December 2016

• Full commencement of POPIA is expected in 4Q2018

• There will be a 12 month transition period, unless extended by the Minister

Page 14

Introduction to the Protection of Personal Information Act (POPIA)

• The 8 conditions of POPIA

• They are modeled on the principles found in the OECD and EU approach

• Accountability

• Processing Limitation

• Purpose Specification

• Further Processing Limitation

• Information Quality

• Openness

• Security safeguards

• Data Subject Participation

Page 15

Introduction to the Protection of Personal Information Act (POPIA)

• Accountability = assigning ownership in your business;

• Processing Limitation = processing information for lawful reasons and in a manner that does not infringe privacy;

• Purpose Specification = only obtaining and holding personal information for a specific purpose;

• Further Processing Limitation = further processing of personal information must be compatible with the purpose for which it was collected;

Page 16

Introduction to the Protection of Personal Information Act (POPIA)

• Information Quality = information is complete and accurate;

• Openness = being honest about collection and processing;

• Security safeguards = using reasonable technical and organisational measures;

• Data Subject Participation = an individual may request that their information be accessed, deleted or corrected.

Page 17

Introduction to the Protection of Personal Information Act (POPIA)

Page 18

Introduction to the Protection of Personal Information Act (POPIA)

Page 19

Introduction to the Protection of Personal Information Act (POPIA)

Page 20

Introduction to the Protection of Personal Information Act (POPIA)

• Other compliance requirements

• Special PI

• Children

• Rights of Data Subjects

• Information Officer Appointment

• Electronic Direct Marketing

• Transborder flows

Page 21

Why POPIA matters

• Compliance with laws and regulations

• Basic Conditions of Employment Act 75 of 1997

• Companies Act 71 of 2008

• Compensation for Occupational Injuries and Diseases Act 130 of 1993

• Consumer Protection Act 68 of 2008

• Electronic Communications and Transactions Act 25 of 2005

• Employment Equity Act 55 of 1998

• Income Tax Act 58 of 1962

• Insolvency Act 24 of 1936

• Labour Relations Act 66 of 1995

• Occupational Health and Safety Act 85 of 1993

• Promotion of Access to Information Act 2 of 2000

• Protection of Personal Information Act 4 of 2013

• The Regulation of Interception of Communications & Provision of Communication-Related Information Act 70 of 2002

• Skills Development Levies Act 9 of 1999

• Unemployment Insurance Act 63 of 2002

• Value Added Tax Act 89 of 1991

Page 22

Why POPIA matters

• Codes of conduct

Page 23

Why POPIA matters

• POPIA “Stick & Carrot”

• POPIA stick: reactive and based on a negative impact for non-compliance

• Fines

• Reputation damage

• POPIA carrot: proactive and based on a positive impact for compliance

• Product and service innovation

• Reputation enhancement

Page 24

Agenda - Morning session up to lunch

• Topic 4: What you need to do about Data Privacy & POPIA - 10:40 to 11:30

• What are Data Privacy & POPIA?

• What is the scope of impact?

• What action is required?

• Topic 5: Where Data Privacy & POPIA rules apply - 11:30 to 12:15

• Types of organisation

• Global geographic context

• Data and data subjects

Page 25

What you need to do about Data Privacy & POPIA

• What are Data Privacy & POPIA?

• Data privacy

• Is part of ethical business approach

• Requires leadership and accountability

• Demonstrates integrity

• Thrives with direction & oversight

• POPIA

• Is a specific legal interpretation that looks at personal information only

Page 26

What you need to do about Data Privacy & POPIA

• What is the scope of impact?

• POPIA addresses living individuals and juristic entities

• All organisations that process personal information

• Exemptions apply

• Certain activities of the state

• Journalistic activities

• International law enforcement

• Regulator may also exempt for specific reasons

• Household activities

Page 27

What you need to do about Data Privacy & POPIA

POPIA Act impact areas


1. Acquisition & disposition to other parties of personal information

2. Appointment of Information Officer

3. Company newsletters, notice boards

4. Company secretary

5. Competitor information

6. Compliance audits

7. Consent records / denial records

8. Contract management / procurement

9. Contractual agreements

10. Creditors

11. Day-to-day email and other communications

12. Debtors

13. Document retention periods

14. General Accounting systems including payroll

15. Government and community relations

16. Human Resources, including induction, training, record keeping

17. Insurance policies

Page 28

What you need to do about Data Privacy & POPIA

POPIA Act impact areas


18. Legal affairs

19. Maintenance records

20. Marketing, including implications for documentation and on-line resources

21. Media and public relations

22. Newsletters to subscribers

23. On-site and off-site information storage

24. Other relevant legislation (e.g. CPA, ECTA, LRA, OHSA, SDL, UIA)

25. PAIA Manual

26. Personal information destruction policies and procedures

27. Policy management

28. Privacy Notices

29. Safety and security, including access control

30. Sales, including records management, proposals and contracts

31. Service agreements, in particular IT outsourcing

32. Surveys and competitions

33. Time management systems

34. Web site

Page 29

What you need to do about Data Privacy & POPIA

• What action is required?

• A comprehensive review of the current state of compliance

• This typically reveals one or more gaps between the current and required level of compliance

• “Reasonable and appropriate” is key

Page 30

What you need to do about Data Privacy & POPIA

• Board responsibilities

• Governance starts at board or governing body level

• Board needs to set direction and provide oversight

• Looks at risk and value

• Takes long term, externally oriented view

• Holds ultimate accountability to external and internal stakeholders

Page 31

What you need to do about Data Privacy & POPIA

• Executive management responsibilities

• The POPI Act defines the Designated Head as accountable, through the Promotion of Access to Information Act (PAIA)

• Accountability of the Designated Head (CEO) cannot be delegated in private organisations

• Accountability can be delegated in public bodies

• Both public and private bodies may appoint deputies to assist with compliance activities

Page 32

What you need to do about Data Privacy & POPIA

• Other responsibilities

• Multiple roles can be defined both inside and outside the organisation, e.g.

Internal and External Audit

Information and Record Owners

Service providers & Operators

Employees

Page 33

What you need to do about Data Privacy & POPIA

Step 1: Initiate

• Set yourself up for success by formalising your compliance activities

• Establish a compliance preparation project

• Ensure you have proper authorisation and funding: we recommend a project charter is drawn up and approved by the project sponsor

• Update and sign the Project Charter

• Update and sign the Information Officer and Deputy Information Officer appointment letters

• Develop a preliminary plan of action

• Ensure you identify and engage your stakeholders

Page 34

What you need to do about Data Privacy & POPIA

Step 2: Assess

• Develop a solid business case based on impact area identification, costs and benefits of your compliance preparation project (optional)

• Complete a structured compliance assessment in terms of the requirements in the POPI Act

• Use the IACT-Africa Compliance Assessment Tools to discover areas for remediation to address the requirements of the POPI Act; this can include up to 17 assessments and hundreds of assessment questions depending on what is reasonable and appropriate

• Document the assessments completed

Page 35

What you need to do about Data Privacy & POPIA

Step 3: Consider

• In light of the Step 2 assessments, consider the areas that require remedial action to achieve an acceptable level of risk in terms of achieving compliance

• Consider what process, procedural, documentation, technical and contractual changes need to be made

• Consider the entire Personal Information (PI) life cycle from acquisition through ultimate disposal

• Consider all the organisational and technical factors for success (e.g. HR, IT, processes)

• Obtain approval for a plan to achieve the required level of compliance

Page 36

What you need to do about Data Privacy & POPIA

Step 4: Translate

• Translate your plans into action, with clearly defined objectives and milestones to achievement

• Translate the conditions for lawful processing into specific evidence of your remediation plan taking effect

• Translate your short term compliance preparation project into a long term compliance commitment

• Translate the cost of compliance into the benefits of compliance

Page 37

Where Data Privacy & POPIA rules apply

• Types of organisation

• No organisation is exempt

• Regardless of size

• Regardless of ownership structure

• Regardless of sector

• Certain exemptions apply as previously discussed

Page 38

Where Data Privacy & POPIA rules apply

• Global geographic context

• Global and regional initiatives have been underway for some years

• Key for SA is the status of our trading partners

• Biggest impact is likely to be from the EU General Data Protection Regulation

Page 39

Where Data Privacy & POPIA rules apply

• Global geographic context

Page 40

Where Data Privacy & POPIA rules apply

• Regional geographic context

• Some countries on the continent are more advanced than South Africa, e.g. Ghana, Tunisia, Mauritius

• There are multiple regional initiatives

• SADC

• ECOWAS

• East Africa

• AU

Page 41

Where Data Privacy & POPIA rules apply

• Regional - Privacy laws in Africa

Page 42

Where Data Privacy & POPIA rules apply

• Global geographic context

Page 43

Where Data Privacy & POPIA rules apply

• POPI Act role definitions

• Data subject: Living individual or juristic entity from whom PI is collected or about whom PI is processed

• Responsible Party: Organisation or individual processing the PI

• Operator: Service provider processing on behalf of the Responsible Party

Page 44

Where Data Privacy & POPIA rules apply

• Data and data subjects

• Data: Personal information is broadly defined, and includes information about or leading to a data subject

• Data includes “Special” personal information of a more sensitive kind, e.g. medical & criminal

• Data subjects: Living individual or juristic entity

• Data subjects include customers, suppliers, employees, other stakeholders; citizens; companies; government entities

Page 45

Where Data Privacy & POPIA rules apply

The POPI Act: 50 types of PI

Page 46

Where Data Privacy & POPIA rules apply

The POPI Act: 20 record types

Page 47

Where Data Privacy & POPIA rules apply

The POPI Act: Processing types

Page 48

Agenda - Afternoon session up to tea break

• Topic 6: Special issues re Data Privacy & POPIA - 13:00 to 13:45

• Cloud computing

• Bring Your Own Device

• Mobile devices

• Topic 7: Practical examples of POPIA non-compliance - 13:45 to 14:45

• Violation examples presentation

• Violation examples exercise

• Violation examples and discussion

Page 49

Special issues re Data Privacy & POPIA

Cloud computing

• Transborder refers to PI leaving South Africa

• There are no restrictions on PI entering South Africa

• Transborder PI restrictions are intended to protect PI in other jurisdictions

• This protection can be achieved through various means

• Proof of adequate protection

• Contracts (binding agreement)

• Binding Corporate Rules

Page 50

Special issues re Data Privacy & POPIA

Cloud computing

• Cloud computing carries specific risks that differ from those of on-site management of PI

• Multiple standards and frameworks exist e.g.

• ISO

• COBIT®5 Security

• ENISA

• CSA

• NIST

Page 51

Special issues re Data Privacy & POPIA

Bring Your Own Device

• Ownership of the device does not alter the need to protect the data subject's PI

• BYOD should be included as part of an overall risk assessment

• BYOD can be addressed by a combination of organisational (e.g. policies, training, monitoring & oversight) and technical (e.g. electronic measures) remediation steps

Page 52

Special issues re Data Privacy & POPIA

Mobile devices

• Should be included as part of an overall risk assessment

• Represent a potentially high level of probability of loss or compromise

• Represent a potentially high level of impact if compromised

• Some devices could be eliminated (e.g. USB sticks)

• Adequate protections would include encryption and other mobile device management methods

Page 53

Practical examples of POPIA non-compliance

Violation examples presentation

Page 54

Practical examples of POPIA non-compliance

UK Regulator incident report Oct-Dec 2015

Incident type: number of incidents

Loss or theft of paperwork: 70

Data posted or faxed to incorrect recipient: 83

Data sent by email to incorrect recipient: 88

Insecure webpage (including hacking): 59

Loss or theft of unencrypted device: 30

Insecure disposal of paperwork: 15

Failure to redact data: 13

Information uploaded to webpage: 10

Verbal disclosure: 3

Insecure disposal of hardware: 2

Other principle 7 failure (security incident): 124

TOTAL: 497

Page 55

Practical examples of POPIA non-compliance

Open computer data breach

Page 56

Practical examples of POPIA non-compliance

Incorrect addressee data breach

Page 57

Practical examples of POPIA non-compliance

Incorrect attachment data breach

Page 58

Practical examples of POPIA non-compliance

Inaccurate addressee data breach

Page 59

Practical examples of POPIA non-compliance

Disclosure of PI data breach

Page 60

Practical examples of POPIA non-compliance

Sticky notes with PI data breach

61

Practical examples of POPIA non-compliance

Confidential documents data breach

62

Practical examples of POPIA non-compliance

Waste / recycle bin data breach

63

Practical examples of POPIA non-compliance

Smartphone unsecured data breach

64

Practical examples of POPIA non-compliance

Lost keys data breach

65

Practical examples of POPIA non-compliance

Lost digital items data breach

66

Practical examples of POPIA non-compliance

Open file data breach

67

Practical examples of POPIA non-compliance

USB data breach

68

Practical examples of POPIA non-compliance

Unsecured access card data breach

69

Practical examples of POPIA non-compliance

Forgotten printer document data breach

70

Practical examples of POPIA non-compliance

Forgotten PI on the whiteboard data breach

71

Practical examples of POPIA non-compliance

OK, now the real test……

• On the next slide you will see a number of possible data privacy violations

• Work with your partner to see how many you can identify

• Use your answer sheet to capture your observations

• CLUE: there are more than 15 violations to find

© John Cato & Dr Peter Tobin, 2016. All rights reserved

72

© John Cato & Dr Peter Tobin, 2016. All rights reserved

73

74

Practical examples of POPIA non-compliance

Violation examples exercise

75

Practical examples of POPIA non-compliance

76

Practical examples of POPIA non-compliance

77

Practical examples of POPIA non-compliance

78

Practical examples of POPIA non-compliance

79

Practical examples of POPIA non-compliance

80

Practical examples of POPIA non-compliance

81

Practical examples of POPIA non-compliance

82

Practical examples of POPIA non-compliance

83

Practical examples of POPIA non-compliance

Violation examples and discussion

84

Practical examples of POPIA non-compliance

Global

• There are too many examples of failures to manage data privacy to mention them all here

• Key examples well documented include

• Yahoo

• TalkTalk

85

Practical examples of POPIA non-compliance

Yahoo boss Marissa Mayer loses out on millions in bonuses over hacks

• An internal probe found that executives at the firm reacted too slowly after discovering evidence of a security breach in 2014

• Security breaches at the internet giant exposed the personal information of more than a billion users

• Yahoo! is taking a $350 million hit on its previously announced $4.8 billion sale to Verizon in a concession for security lapses that exposed personal information stored in more than 1 billion Yahoo! user accounts

Source: news.sky.com 2 March 2017

86

Practical examples of POPIA non-compliance

"The indictment charges two officers of the FSB, Russia's Federal Security Service, and two hackers who allegedly worked hand-in-hand with them to crack 500 million Yahoo user accounts….. The Russian government had no official comment on the charges in the Yahoo case."

Source: Reuters, 16 March 2017

87

Practical examples of POPIA non-compliance

National

• Several well-publicised cases of data loss, e.g.

Theft of passports and visas from the UK High Commission

Theft of laptops from the Office of the Chief Justice

Theft of laptops from the SABC parliamentary precinct office

• It is suspected that many more go unreported at present

88

Practical examples of POPIA non-compliance

Would you trust this person with your information?

“Chief Justice Mogoeng Mogoeng’s offices burgled”

Luckily, this is not his office!

89

Practical examples of POPIA non-compliance

Chief Justice Mogoeng Mogoeng’s offices burgled

“Fifteen computers in the human resources unit which contained important information about judges in the country, officials in the office of the chief justice, the Constitutional Court, high courts, Supreme Court of Appeal and other specialist courts were stolen.”

Points to ponder

• Risk assessment?

• Security policy?

• Security measures in place?

• Training?

• Threat monitoring?

• Data recovery?

• Data loss management?

Source: http://citizen.co.za/news/news-national/1461845/chief-justice-mogoeng-mogoengs-offices-burgled/

90

Agenda - Afternoon session up to close

• Topic 8: Summative assessment - 15:00 to 15:45

• 20 question multiple choice assessment

• Workshop closure activities - 15:45 to 16:30

• Personal action plan

• Workshop feedback

• Recognition of achievements

• Closing ceremony including team and individual photographs

Day closes at 16:30

91

Workshop assessment

• This is an individual assessment

• There are 20 multiple-choice questions

• 1 point for correct answers

• 0 points for blank or incorrect

• Good luck! You need to be quick, as the questions will not be shown for long and there are no second views

92

Workshop closure activities

• Personal action plan

• Workshop feedback

• Recognition of achievements

• Closing ceremony including team and individual photographs

93

Workshop close and next steps

• Please discuss with your neighbour your key learning points

• Start to make POPI Act compliance part of the way you work

• For more information about the POPI Act please visit http://smetoolkit.businesspartners.co.za/en/legalinsurance/compliance-popi

• Thank you for your attendance

94

Workshop closure activities

A Moment (or two) of reflection

• What were my most significant learning opportunities from the workshop?

.......................................................................................................

.......................................................................................................

.......................................................................................................

• What did I already know that was reinforced by what I heard and saw?

.......................................................................................................

.......................................................................................................

.......................................................................................................

95

Workshop closure activities

A Moment (or two) of reflection

• What previously held assumptions and beliefs were overturned?

.......................................................................................................

.......................................................................................................

.......................................................................................................

• What stimulated me most?

.......................................................................................................

.......................................................................................................

.......................................................................................................

96

Workshop closure activities

Action Items List

• Top 3 things to STOP doing

.......................................................................................................

.......................................................................................................

.......................................................................................................

• Top 3 things to START doing

.......................................................................................................

.......................................................................................................

.......................................................................................................

• Top 3 things to CONTINUE doing

.......................................................................................................

.......................................................................................................

.......................................................................................................

97

Workshop closure activities

Personal Action Plan

• Within 5 days I will:

.......................................................................................................

.......................................................................................................

.......................................................................................................

• Within 20 days I will:

.......................................................................................................

.......................................................................................................

.......................................................................................................

98

Workshop closure activities

Workshop feedback

• Please complete the workshop feedback form to enable us to learn from your experience

• We value your feedback, which will be taken into account when planning future programmes.

99

Workshop closure activities

Awards and recognition

100

Workshop closure activities

THANK YOU FOR YOUR PARTICIPATION

PLEASE TRAVEL HOME SAFELY
