A short presentation that focuses on the proposed POPI law, how it impacts businesses, technology, IT depts & the cloud. It was based on a draft so some aspects may have changed.

1. Protection of Personal
Information Bill

2. Agenda
 Going to cover most of the law
 Purpose to give an overview and provide a starting point for further discussion
and action
 This is not about the Protection of State Information Bill aka “Secrecy Bill”

3. Disclaimer
 I am not a lawyer (duh) – this is about a law – thus you should have a lawyer
check and work with you on this.
 We are talking about a bill, not an act.
 Not covered:
 The legal aspects about the regulator and information protection officers.
 Code of conduct aspects.
 Unsolicited Electronic Communications aspects.

4. Goal of the bill
To promote the protection of personal information processed by public and private
bodies; to introduce information protection principles so as to establish minimum
requirements for the processing of personal information; to provide for the
establishment of an Information Protection Regulator; to provide for the issuing of
codes of conduct; to provide for the rights of persons regarding unsolicited
electronic communications and automated decision making; to regulate the flow of
personal information across the borders of the Republic; and to provide for matters
connected therewith.

5. One Page View
CollectInformation
Must collect
direct from
person
Some
exclusion
apply
ProcessInformation
Process
means
anything
Some limits
on what you
can process
Retention
Keep for as
short a time
as possible
Deletion
Delete so it
is not
recoverable
Security
Reasonable
security
steps must
be taken
DataSubjectParticipation
You can find
out who has
your data
You can
change your
data
Notification
Notification
must be
given if there
is loss or
damage to
data
Enforcement
Punishments

6. Timelines
 Section 14 of the Constitution: Every has a right to privacy
 Bill created in 2009
 Seven drafts to date
 Expected to be enacted in three to six months1
 Companies will have between six and twelve months to put the law into place.
1. Webber Wentzel Attorneys: http://www.mondaq.com/404.asp?404;http://www.mondaq.com:80/x/184466/data+protection/POPI+Snapshot+Tougher+Laws+For+Privacy+Breaches&login=

7. Who this applies to
 This is aimed at protecting the information of all citizens of the country – so you!
 Any company that processes or outsources data to third parties needs to
comply with it.
 As all organisations have information on staff, share holders etc… this means
all businesses are affected.

8. Who it doesn’t apply to
 is non-commercial, and non-governmental or related to household activities;
 has been de-identified to the extent that it cannot be re-identified again;
 is held by or on behalf of a public body, which involves national security or
deals with the identification of the proceeds of unlawful activities and the
combating of money laundering activities;
 is created exclusively for journalistic purposes.

9. What does it apply to?
‘‘processing’’ means any operation or activity or any set of operations, whether or
not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or
modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any
other form; or
(c) merging, linking, as well as blocking, degradation, erasure or destruction of
information;

10. Processing Limitations
 Must process lawfully
 Minimal set of data
 Relevant data only
 Give the purpose
 Consent must be given
 Required for the conclusion or performance of the contract
 You may opt out, at any time, and the processing must stop

11. Impact on the cloud?
 Applies to all people & companies that are within South Africa
and
 Applies to all people & companies that have systems that do processing in
South Africa
 There is additional consent need to store & process data outside of the borders
of the country

12. Collecting Information
has implications to further processing
 Must be collected directly from the data subject
 Except
 It is in a public record already
 The data subject has consented to collection from a third party
 Collection from a third party without consent, where it would not prejudice the data
subject
 Collection from a third party without consent where it is required
 For example getting a criminal record from the police

13. Retention
 Kept only for the processing
 Can be kept for longer if
 Required by law
 Required for functions/activities
 Agreed to in contract
 Historical, statistical or research provided appropriate safe guards

14. Retention for Decision Making
 Data must be retained for as long as the law says
 If there is not law, for a reasonable period
 This is so that access requests can be fulfilled

15. Destruction of Data
 Data must be destroyed ASAP
 Data must be destroyed in such a way it cannot be reconstructed

16. Security Measures
 Reasonable technical & organisational measures to prevent
 Loss of & damage to data
 Unlawful access
 What do you need to do
 Identify all risks (internal & external)
 Maintain & regularly validate safe guards
 Follow generally accepted information security practices

17. Notification of security compromises
 Must notify the regulator
 Must notify the data subject
 Must be done ASAP, except if instructured by SAPS, NIA or regulator to delay
 Notification must be done in one of the following ways
 Mailed to physical or postal address
 Emailed
 Placed on the web site
 Published in the news media
 As directed by the regulator
 Notification must contain enough information for the data subject to take protective measures
 Must, if known, contain the identity of the unauthorised person

18. Data Subject Participation
 A data subject, having provided adequate proof of identify, can request, free of
charge, if a company has information on them.
 A data subject, having provided adequate proof of identify, can request what the
information is & who it has been provided to.
 Reasonable cost can be applied but an estimate must be given first.
 Parts can be denied – requires compliance with grounds set out in PIPA

19. Data Modification
 A data subject can request the data to be changed or deleted
 The reasonable party must comply with it, and provide evidence of it.

20. You may not process parts of information
if they relate to
 Children
 data subject’s religious or philosophical beliefs, race or ethnic origin, trade
union membership, political opinions, health, sexual life or criminal behaviour.
 There are reasonable exceptions for example
 Religion: If the information is being processed by an organisation and the data
relates to belonging to that organisation. For example religious information &
churches
 Health: if the organisation is an insurance or medical organisation

21. Notification
 The regulator must be notified prior to initial processing, must include
 Name & address of who is using the data
 Purpose
 Description of data collected
 Who the data will be supplied to
 If it will leave South Africa
 Description of security measure

22. Enforcement
 Process: Complaint  Decision of Action  Investigation  Assessment 
Enforcement Notice  Appeal
 Can issue warrants and do search & seizure
 Offences: Obstruction, breach of confidentiality, failure to comply
 Penal sanctions: Imprisonment (up to 10 years) and/or fine
 Fine: R 10 million1
 Civil action can also be taken
1. Webber Wentzel Attorneys: http://www.mondaq.com/x/189552/data+protection/POPI+Snapshot+Penalties+Under+The+B

23. Impact on other laws
Amendments & Repeals to
 Promotion of Access to Information Act, 2000
 ECT Act, 2002
 National Credit Act, 2005

24. Examples
 Blackberry with company information left on train & does not have a pin. The
company is at fault. 1
 Outsourced company doing storage of backups and loses the backup medium.
The backups contain customer information. The backup is not encrypted. The
company is at fault. 2
1. Webber Wentzel Attorneys: http://www.mondaq.com/404.asp?404;http://www.mondaq.com:80/x/184466/data+protection/POPI+Snapshot+Tougher+Laws+For+Privacy+Breaches&login
2. Webber Wentzel Attorneys: http://www.mondaq.com/x/189552/data+protection/POPI+Snapshot+Penalties+Under+The+Bill

25. KPMG Cheat Sheet
 From:
http://www.kpmg.com/ZA/en/IssuesAndInsights/ArticlesPublications/Protection-
of-Personal-Information-Bill/Pages/default.aspx
 Broken down into the eight principals and has a number of easy to answer
questions about an organisation that can help comply.

26. Shorten List
 Have someone accountable in the organisation for the management of data, data information
policies & managing communication in this regard
 Have a document of data we collect
 Detail how & why it was collected, if further processing is needed and when it will be destroyed
 Include the why on the documents we use
 Educate staff on this
 Ensure we have security risk assessments for the data and that reasonable security is in place
in all areas
 Ensure people have a way to access & update their information