POPIA Training - ICTS Training


Protection of Personal Information Act 4 of 2013 (POPIA) - June 2021

Sibusiso Mtatase, Manager: Compliance Management Function

Topics to address

Introduction

• The Act defines the person or organization that decides what Personal Information (PI) is processed as the "responsible party" (RP). It is the EU GDPR’s data controller equivalent.

• The Act refers to the person (or other legal entity) that the PI is about as the "data subject".

• An “operator” would then be the person processing the PI for the RP.

• POPIA is South African legislation covering PI. Together with the Promotion of Access to Information Act, 2000 (PAIA), it is designed to protect PI and cater for Data Subjects' right of access to their PI.

Overview of Protection of Personal Information Act 4 of 2013 (POPIA)

• To give effect to the Constitutional right of privacy and the safeguarding of PI.

• POPIA imposes much tougher restrictions on how PI must be used and caters for how access should be granted.

• Provision of the minimum requirements for lawful processing of PI

• Almost all organisations deal with PI – even if it is only for their employees – so it is almost certain to affect all organisations. POPIA limits the use of PI, demands consent which must be "informed" before use, and lets Data Subjects withdraw their consent.

• To provide rights and remedies to ensure that PI is not abused

• To establish the Information Regulator

Promulgation of POPIA - 1 July 2020

Compliance grace period ends 30 June 2021

• All the provisions are in force now except:

• Sections relating to the amendment of laws and the effective transfer of functions under PAIA to the Information Regulator (effective date 30 June 2021)

• The repeal of data privacy provisions in the Electronic Communications and Transactions Act (effective date 30 June 2021)

Incident Reporting

Immediate Steps

• Dedicated POPIA Email Address: privacy@cput.ac.za

• Governance structure (Info Committee)

• Info Breach Response Plan with strict timelines

Consequences

• Administrative fines

• Penalties (fine or imprisonment for a period not exceeding 10 years / R10 million for serious offences and 12 months or

• Civil action for damages

• Disciplinary action by CPUT for noncompliance with Policies

Overview of Protection of Personal Information Act 4 of 2013 (POPIA)

Covers PI of Natural Persons and Juristic Persons.

Identifiable information (information which, if disclosed by itself, would reveal the identity of the person).

What counts as PI?

Name and Address

Credit, criminal, education, employment, financial or medical history

Some PI that might not seem obvious include the person's own views and opinions, and the opinions of others about the person.

Even ‘informal’ information held on a Data Subject is covered.

The law applies to any data processor that is domiciled (legally based) in South Africa. It also applies if the data processor is outside of South Africa "but makes use of automated or non-automated means in the [country]."

8 Conditions of Lawful Processing

Accountability

• In simple terms, this condition says that the University must make sure to comply with all eight conditions, not only when processing PI but when deciding what PI to process and why.

• Basically, accountability is important through all stages of interaction with PI.

Processing Limitation

• This condition sets out a principle of minimality, meaning only processing PI that is relevant and only to the extent needed for the stated purpose. It also says the University must get prior consent to process PI unless doing so is a legal requirement. The burden of proof is on the University to demonstrate the consent. The data subject can withdraw consent at any time.

• Typically, PI can only be collected directly from the data subject or from public records. The key exceptions (avoiding prejudicing criminal investigations) will not usually apply to Universities.

• This example from TransUnion's Privacy Policy explains an exception to the consent and direct collection principles:

Purpose Specification

• The University must give a specific, lawful purpose for collecting PI. The University must make the data subject aware of this reason and must only retain the PI for as long as needed to meet this purpose.

• This example from Interchange explains why it will collect and use different information depending on the purpose:

Further Processing Limitation

• After collecting the PI, the University can only process it in a way that is necessary for, and relevant to, the original stated purpose.

• General Rule: further processing must be in accordance with or compatible with the purpose for which it was collected the first time.

Information Quality

• The University must make sure the PI is "complete, accurate, not misleading and updated where necessary." Processes such as the PAIA Manual may address some parts of this condition. Respective areas can have their own processes in place for addressing this.

Openness

• The University must keep adequate records (documentation) of its PI processing. The University must make the data subject aware of a range of details about the processing. The data subject must be able to see these details before consenting to PI collection. The data subject must be notified when their PI is being collected by the University if it is not collected directly from them.

Security Safeguards

• The University must make sure PI is not lost, damaged, destroyed or accessed without authorisation. Complying with this rule will involve monitoring processes, putting safeguards in place, and then maintaining and updating those safeguards. If the University uses a third party to process PI, the University must make sure the third party follows this rule.

• If a data breach happens, the University must inform the Information Regulator and, if known, the relevant data subjects as soon as possible, unless law enforcement officials ask the University to delay doing so.

Data Subject Participation

• Data subjects have the right to ask whether the University stores PI about them. If so, the data subject has the right to either the details or a description of the PI along with details of any third party who has had access to it.

• The University must provide these details in a reasonable time and any access fee must be reasonable.

• The data subject then has the right to ask for any errors in the PI to be corrected or, if relevant, destroyed. They can also object to the University processing PI for a specific purpose or for direct marketing.

PI May Be Processed If:

• Data subject consents (which the University, as the RP, MUST be able to prove – burden of proof)

• Necessary for performance of a contract to which the data subject is a party

• In terms of an obligation imposed on a Responsible Party by law

• Legitimate interest of data subject

• Legitimate interest of Responsible Party or 3rd party to whom PI was supplied

• Necessary for performance of a public duty by a public body

The Act Does Not Apply to the Processing of PI:

• If it relates to a purely personal or household activity

• If the information has been de-identified

• If it is processed by a public body for purposes of national security and the investigation of

• For the purposes of journalistic, literary or expression in defined circumstances (there must be a code of ethics and adequate safeguards)

• Exemptions have been granted by the Information Regulator

Restrictions

Certain types of PI have special restrictions on them. However, whatever type of PI the University is handling – if the law is not adhered to, the consequences can be serious.

What are examples of 'special PI'?

The following are examples of 'special PI':

• Sex life or sexual orientation.

• Genetic data.

• Biometric data.

• Racial or ethnic origin.

• Political opinions.

• Religious or philosophical beliefs.

• Trade-union membership.

• Physical or mental health.

When can special PI be processed?

Special PI can only be processed if certain conditions are met:

• Consent has been given explicitly.

• Information is required by law.

• PI already made public by Data Subject.

• For research purposes.

• For reasons of substantial public interest.

• Reasonable instruction by the Information Regulator.

• Any other conditions set out in Chapter 3, Part B, Section 27 of POPIA.

Special Personal Information

SECTION 26

Special Personal Information may not be processed

• Religious or philosophical beliefs

• Race or ethnic origin

• Trade union membership

• Political persuasion

• Health or sex life

• Biometric information about data subject

• Alleged criminal behaviour of data subject

Unless

SECTION 27

General Authorisation

• Data subject provided consent

• Processing needed for the establishment, exercise or defence of a right or obligation in law

• Necessary to comply with an obligation of international public law

• Historical, statistical or research purposes – it must serve the public interest and it appears to be impossible to ask for consent

SECTION 28-33

Specific Authorisation

• Authorisation concerning a data subject's health or sex life (section 32)

Personal Information of Children

Section 34 Prohibits the Processing of PI Concerning a Child

Unless general authorisation has been granted in terms of Section 35:

• Prior consent of a competent person

• The PI has deliberately been made public by the child with the consent of a competent person

• It is for historical, statistical or research purposes to the extent that:

a. the purpose serves a public interest; or

b. it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent

• It is necessary for the establishment, exercise or defence of a right or obligation in law.

• It is necessary to comply with an obligation of international public law.

Regulator may exempt processing of personal information

37. (1). The regulator may, by notice in the Gazette, grant an exemption to a responsible party to process PI, even if that processing is in breach of a condition for the processing of such information, or any measure that gives effect to such condition, if the Regulator is satisfied that, in the circumstances of the case:

a) The public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing; or

b) The processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.

(2). The public interest referred to in subsection (1) includes:

a) The interests of national security;

b) The prevention, detection and prosecution of offences;

c) Important economic and financial interests of a public body;

d) Fostering compliance with legal provisions established in the interests referred to under paragraphs (b) and (c);

e) Historical, statistical or research activity; or

f) The special importance of the interest in freedom of expression.

(3). The Regulator may impose reasonable conditions in respect of any exemption granted under subsection (1).

Exemption in respect of certain functions

38. (1). PI processed for the purpose of discharging a relevant function is exempt from sections 11(3) and (4), 12, 15 and 18 in any case to the extent to which the application of those provisions to the PI would be likely to prejudice the proper discharge of that function.

38. (2). "Relevant function", for purposes of subsection (1), means any function:

a) of a public body; or

b) conferred on any person in terms of the law, which is performed with the view to protecting members of the public against –

i. Financial loss due to dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate; or

ii. Dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity.

PI Transfers and Outsourcing

POPIA provides that a responsible party may not transfer personal information about a data subject to a third party in a foreign jurisdiction unless:

• the recipient is subject to a law or contract which:

  • upholds principles of reasonable processing of the information that are substantially similar to the principles contained in POPIA; and

  • includes provisions that are substantially similar to those contained in POPIA relating to the further transfer of personal information from the recipient to third parties;

• the data subject consents to the transfer;

• the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of precontractual measures taken in response to the data subject's request;

• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or

• the transfer is for the benefit of the data subject and:

• it is not reasonably practicable to obtain the consent of the data subject to that transfer; and

• if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

Personal Information Impact Assessments (PIIAs)

PIIA and Readiness Assessments

POPIA Updates & Readiness

Item 4(1)(b) of the POPIA Regulations

A PIIA is a structured approach for the University to understand the PI risks associated with a processing activity and take appropriate steps to manage those risks. It covers a systematic description of the processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the responsible party (the University).

A PIIA should ideally be completed before processing begins (by July 2021).

After the initial round of PIIAs, as good practice moving forward, CPUT must conduct PIIAs for projects that are likely to result in a high risk to the PI and privacy of data subjects (i.e., whenever special PI is processed).

PIIAs should be kept up to date and re-written should the project or system change substantially.

A PIIA helps to:

• Describe the nature, scope, context and purposes of the processing;

• Assess how necessary and reasonable the processing is;

• Identify and assess risks to data subjects; and

• Identify additional measures to mitigate those risks.

CPUT has produced some guidance on PIIAs and an easy-to-use template. For more information on guidance for PIIAs, please refer to the CPUT Template for Personal Information Impact Assessment (PIIA).

Readiness Assessments

1. Details of Department and POPIA Obligation Owner

2. List the information that you process in the relevant categories

Examples

• Personal Information

• Special Personal Information

• Information about children

3. Nature of processing

• Collection

• Usage

• Who has access to the information?

• Who is information shared with?

• Storage

• Retention

• Destruction

4. Scope of processing

• Volumes of information

• Frequency of receiving information

• Duration of processing

• Number of data subjects involved

• Transborder flows of information (list countries)

5. Source of information

Data subject directly, 3rd party provider, sponsors etc.

6. Why do you process the information? To establish the specific purpose.

7. List your 5 biggest risks

Security Assessment Checklist

(Laptops

8 Conditions of Lawful Processing

Accountability

Processing limitation

Purpose specification

Use limitation

Information quality

Openness

Security safeguards

Individual participation

CPUT POPIA DOCUMENTS

Internal Standards

Align policies and ensure that they are enforceable, i.e. they include disciplinary action for noncompliance.

PAIA Manual, Privacy, Records Management & Information Security Policy

Incident Management (Data Breach Response)

Retention and Destruction of Records (CPUT File Plan)

Risk Management

CPUT Policies Scope

PAIA Manual

• Information about CPUT

• Details of Information Officer

• Details of Information Regulator

• Records held by CPUT

• Forms to request records, correction, deletion, and copies.

Privacy Policy

• How information will be collected and used

• Consent to share with 3rd parties and purpose

• Right to withdraw consent

• Cookies

Records & Archives Management Policy

• Records & Archives Management (RAM) Framework that supports Corporate Governance by establishing proper recordkeeping practices and principles.

CPUT File Plan - Retention and Destruction of Records

• Schedules of records with retention periods

• Statutory timelines

• Destroy as soon as the record is no longer

• To archive is not to destroy

Breach Response

Reporting process example:

Step 1

• Inform line manager and Information Officer (privacy@cput.ac.za) immediately

• Secure personal information on the same day

Step 2

• Submit Incident Response form in prescribed format

• Conclude internal investigation within 24 hours

Step 3

• Inform Information Regulator as soon as possible

• Inform Data Subject, where possible

Accountability/ Oversight mechanism

CPUT Information Governance Committee (to be established)

Establishes and reviews the effectiveness of the University's POPIA Information Governance Framework, strategies, and policies.

Coordinates internal and external reporting (Data Breach Response Plan).

Coordinates the University implementation of relevant initiatives, including overarching University policies such as the Privacy Policy.

Defines, assigns and/or coordinates information roles and responsibilities. This helps the University to address information management risks.

Identifies and mitigates information asset risks, including risks associated with compliance, cybersecurity, access, privacy, business continuity, management and cost.

Works with your Human Capital team and key business areas to develop an information management workforce plan. This helps ensure the University has appropriately skilled and specialised staff.

Advises on allocating resources to effectively manage information assets throughout their life for as long as they are needed.

Identifies opportunities to improve information management, such as streamlining University processes or the sharing and reuse of information and data in line with POPIA.

Addresses high-level information asset issues that cannot be resolved by a working group or individual University areas.

Faculties, Divisions and/or Departments are also encouraged to have their own internal Information Governance Committees to address their internal matters in line with the overall University Framework.

Accountability/ Oversight mechanism

POPIA Compliance Owners

These are the members of Management who are the heads of their respective Divisions, Departments and/or Faculties.

Questions to ask

• Do I have a POPIA Compliance Champion to manage PI compliance?

• Are PI protection standards and procedures in place and are they effectively implemented?

POPIA Compliance Champion

These are employees of the University with knowledge and expertise, nominated by POPIA Compliance Owners to manage compliance in their areas of responsibility.

Questions to ask

• Do I have the buy in of my POPIA Compliance Owner, HODs & Colleagues?

• Do I understand my role?

• Are PI protection standards and procedures in place and are they effectively implemented?

Employees

Questions to ask ourselves

• Do we know who is responsible for POPIA compliance within our area, and to whom we can report PI-related matters?

Additional to do list

Review Contracts - POPIA Clauses

• Ensure that parties are familiar with POPIA requirements

• Remind employees of their obligations as Operators

• Develop Breach notification processes

Update Consent Forms

Culture of Compliance

• Set the tone from the top (Executive Support)

• POPIA Compliance must become the new “business as usual”

• Regular Internal audits.

• POPIA must be a standing item on Meetings.

• Regular reporting to GEC, AROC and relevant Council committees.

What Else Can You Do?

• Apply a clean desk policy

• Limit different versions and delete what you do not need

• Store hard copies in rooms or cabinets that can lock

• Security updates on routers and other devices

• Do not share your Wi-Fi password

• Password-protect emails as far as possible

• Triple check recipients before you send an email

Summary

• The Act is already law, but enforcement and regulation have not yet started. This will happen as of 1 July 2021, so we need to prepare.

• The law covers both information about humans and, in some cases, businesses in South Africa.

• We must meet eight conditions to lawfully process personal information:

  • Comply fully with the Act

  • Get prior consent to collect and process personal information

  • Give a specific, lawful purpose for collecting the data

  • Only process the data to serve the stated purpose

  • Keep the information accurate and up to date

  • Make sure the data subject is fully informed about our data use before they consent to collection and processing

  • Keep the data secure

  • Respond to data access requests in a reasonable time and without charging an unreasonable access fee

• Some types of data are classed as "special personal information." We should normally get specific and clear consent to collect this information. To avoid doubt, do not assume general consent covers this.

• The Information Regulator has produced several official forms for data subjects to make requests and objections. The University also has such forms available on its website under the PAIA Manual.

• The Information Regulator can order us to change our practices to comply with POPIA. Failing to comply with this order can lead to a maximum prison sentence of 10 years.

• The Information Regulator can take civil action for a breach. This could mean the University has to pay financial damages that go beyond covering direct financial losses.

Without access to personal information, Universities wouldn’t be able to register, teach, or assess students, or conduct research. We wouldn’t be able to employ staff or communicate with alumni. But before you do anything with personal information, you should stop to think whether you are using the personal information responsibly. Treat personal information as if it were for your eyes only.

YOUR POPIA CHEAT SHEET

Introduction to the Protection of Personal Information Act.

Personal information is very widely defined. It includes:

• Demographic information, like race, marital status, language, and religion

• Biometric information, like fingerprints, voice recognition or retinal scans

• Usernames and passwords

• Contact information, like Twitter handles and location information

• A person’s opinions and preferences

• Private correspondence

• Background information, like educational, financial, or employment records

• Criminal record

Some categories of personal information require extra care. They include:

• The information of minors

• Religious or philosophical beliefs

• Trade union membership

• Criminal behaviour

• Race or ethnic origin

• Sex life

• DNA

• Political opinions

The data subject is the person or entity to which the personal information relates. At a University, common data subjects include:

• Students

• Staff

• Alumni

• Applicants

• Research subjects

• Service providers

• Members of the public

The POPIA has an impact on everything we do with personal information throughout the information life cycle:

If you want to know more about our University’s POPIA compliance efforts, contact

Conclusion

• Each area of the University must have processes in place to ensure that the confidentiality, integrity, and availability of University information is protected. Employees will only be provided with access to data and information in accordance with the requirements of their particular role (Privacy-By-Design).

• There are three basic steps that everyone needs to follow.

• First: every instance of personal information in our possession or under our control must be identified, as we may be asked about this by a data subject or the regulator. We need to know where it is, how it is controlled and who has accessed this information. If asked, we need to be ready to respond. In short, we must not get caught holding personal information we know nothing about.

• Second: as much as we prepare to comply with the conditions for the lawful processing of personal information, we also need to be ready to respond to issues of non-compliance. After all, this is what data subjects are going to complain about. Since the burden of proof is entirely on the University, regardless of whether it is at fault or not, we have to be able to demonstrate all the steps that were actually taken in our attempt to comply with the conditions.

• Third: enable data subjects' rights and ensure our information security management is of a sufficiently high standard for the identified risks and compliant with the generally accepted standards for information security and data protection.

QUESTIONS and DISCUSSIONS?

• Please feel free to interact.

• No question is a stupid question.
