PROTECTION OF PERSONAL INFORMATION

TABLE OF CONTENTS

Introduction
Protection of personal information
What is POPIA?
Who are the role players?
What is considered 'personal information'?
Must my organisation comply with POPIA?
Who is exempt from POPIA?
How will POPIA affect my business?
What steps must my organisation take to comply with POPIA?
What does POPIA mean when it comes to direct marketing?
What do I do if personal information has been compromised?
What will happen if I contravene POPIA?
Is there other legislation in South Africa that regulates privacy?

Introduction

Because we are a South African-based company, this chapter on data privacy is based on South Africa's data protection law, the Protection of Personal Information Act (POPIA). You are probably aware of the GDPR (the General Data Protection Regulation, which applies in the EU). The major difference between POPIA and the GDPR is that POPIA extends its protection to information collected about companies, corporations and other juristic persons as well as about individuals, whereas the GDPR covers only the personal data of individuals. It is key to remember that if your operator uses equipment in South Africa to process personal information on your behalf, you will have to comply.

Each country has its own law protecting personal information, and it is impossible to cover all of them here. Check your local data privacy law. This guide aims to show you what you can and cannot do.

Protection of personal information

The Protection of Personal Information Act (the POPI Act, or POPIA) is South Africa's data protection law. It sets out how institutions, both private and public, may collect, process, store, share and maintain personal information. POPIA aims to promote the protection of personal information by (1) introducing conditions that establish the minimum requirements institutions must meet when processing personal information, and (2) holding institutions accountable for the use or misuse of personal information.
What is POPIA?

The Act also gives people rights in relation to unsolicited electronic communications. POPIA does not, however, aim to stop the free flow of information. POPIA commenced on 1 July 2020, which set the deadline for organisations to comply at 1 July 2021. The Information Regulator facilitates the implementation of the Act.

Who are the role players?

The POPI Act involves three parties, each of which can be a natural or a juristic person:

1. The data subject: the person to whom the information relates.

2. The responsible party: the person who determines why and how personal information is processed, and who is ultimately responsible for the lawful processing of that information. In other jurisdictions this party is referred to as the 'controller'. The responsible party could be:
- a public body, including government departments, municipalities and any institution performing a public role;
- a private body, including a partnership;
- a natural person who carries on, or has carried on, any trade, business or profession, but only in that capacity;
- a juristic person, either former or existing.

3. The operator: a person who processes personal information on behalf of the responsible party, such as an IT vendor. In other jurisdictions this party is referred to as the 'processor'.

Responsible parties should only use operators that can meet the requirements for lawful processing of personal information prescribed by the POPI Act. It is also important to follow the data beyond the operator. Organisations often look only at the operator and do not trace the data through to fourth and fifth parties (the operator's own sub-operators) to ensure that mechanisms such as contracts with additional data protection clauses are in place at each step.

What is considered 'personal information'?

In terms of the POPI Act, personal information is defined as information relating to:
- an identifiable, living natural person; or
- an identifiable, existing juristic person.

The definition matters because, if the information does not qualify as 'personal information', it is simply 'information', which POPIA does not protect.

Personal information includes, but is not limited to: race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, disability, religion, beliefs or culture, language, educational, medical, financial, criminal or employment history, ID number, email address, physical address, telephone number, location, biometric information, personal opinions, views or preferences, and correspondence.

Personal information under POPIA has several important characteristics:

- Personal information is not limited to electronic information.

- Personal information may be mixed with non-personal data, which makes the personal information difficult to identify. For example, a hospital's server may contain test results along with the names and contact details of patients. The test results on their own are not personal information, but combined with the patients' names and contact details they become personal information.

- Data may not constitute personal information on its own, but it may be possible to combine it with other data to form personal information. For example, saying that someone is the CEO of a cell phone company does not by itself identify that person, but saying 'the CEO of Vodacom' makes it easy to ascertain who that is.

- Personal information is generated from a wide range of sources. Examples include bank records, hospital records, CCTV footage, supplier records and biometric access control records.
POPIA provides for two subsets of personal information that are regarded as having heightened sensitivity and are therefore given higher levels of protection:

Level 1: special personal information, which is information concerning religious or philosophical beliefs, race or ethnic group, trade union membership, political persuasion, health or sex life, biometric information, and criminal behaviour.

Level 2: personal information relating to children, defined as natural persons under the age of 18 years who are not legally competent to consent to any action or decision.

Must my organisation comply with POPIA?

You need to comply if (1) your organisation is domiciled in South Africa, or (2) your organisation is not domiciled in South Africa but processes personal information in South Africa. Unlike the GDPR, POPIA does not apply extraterritorially (the GDPR requires you to comply if you process the personal data of data subjects in its territory, wherever you are). This means that your organisation does not need to comply if it is domiciled outside South Africa and processes outside South Africa. POPIA focuses on the location of the processing rather than the location of the data subject.

1. Domiciled in South Africa

If you are a legal entity registered in South Africa, you are domiciled in South Africa. If you are a natural person living in South Africa, you are domiciled in South Africa.

2. Processing personal information in South Africa

If you use equipment (such as a server or computer) located in South Africa to process personal information, POPIA applies. There is one exception: if the equipment is used only to forward information through South Africa, POPIA does not apply to you. It is key to remember that 'process' here means processing by the responsible party or by an operator on its behalf. So, if your operator uses equipment in South Africa to process personal information for you, you will have to comply.

Some examples:

- If you are an organisation registered in South Africa but process the information of Europeans only, you must comply with POPIA (and with the GDPR, to protect the personal data of the Europeans).

- If you are an organisation domiciled in Europe and you process, in Europe, the personal information of South African data subjects (to offer them goods or services, say), you do not need to comply with POPIA. You would, however, need to comply with the GDPR.

- If you are domiciled outside South Africa but process personal information in South Africa, you must comply with POPIA.

- If you are domiciled outside South Africa and are considering outsourcing some processing to a South African company, that outsourcing will trigger the need to comply with POPIA.

Who is exempt from POPIA?

Some processing is excluded: POPIA provides a few exemptions. If you answer 'yes' to any of the following questions, you do not have to comply with POPIA.

1. Do we process personal information that is not entered into a record?
2. Do we process personal information only in the course of purely household activities (for example, a private list of friends' and family members' contact details)?
3. Is the information we process de-identified so that it no longer amounts to personal information?
4. Are we a public body that protects national security?
5. Are we a public body that prosecutes offenders?
6. Are we the Cabinet (or one of its committees) or the executive council of a province?
7. Are we a court referred to in section 166 of the Constitution, processing for judicial functions?
8. Do we process for purely journalistic, artistic or literary purposes?

How will POPIA affect my business?

POPIA will affect the way you manage information. You will need to classify any consumer data that you hold and/or process and identify whether it constitutes 'personal information'. You will also need to identify any 'records' and 'sensitive' information you hold, because there are different criteria for handling personal information and non-personal information. It will also affect the way you notify stakeholders, including the Information Regulator, which has said that all data breaches must be reported to its office regardless of materiality. Third parties will have to be notified as soon as possible if there is a privacy breach and personal information is compromised.

1. When may I obtain someone's personal information?

The person whose personal information you hold must know that you have it and must have consented to this. The data subject has the right to say 'no' when you want to obtain his or her personal information. Before you obtain someone's personal information, you must tell them who you are and why you need it. Use the personal information only for the purpose for which you obtained it in the first place. If you want to use it for a different purpose, check in with the data subject first.

2. What must I remember while possessing someone's personal information?

Use the personal information only for the purpose for which you obtained it. Do not share the information with third parties without the data subject's consent. Store the personal information safely, in a locked office or secure data storage. The person whose information you hold has the right to have it updated on request. Also ensure that there is access control in your business over who may access the personal information: in line with the minimisation principle, access should be limited to those who actually need it for the processing. For example, not everyone in a cell phone company needs to see a client's bank account details; that access may be restricted to the finance department.

3. What must I remember when I am done using someone's personal information?

Some personal information must be kept for three to five years for legal reasons. Such storage must be in a safe and secure location. When you dispose of personal information, dispose of it safely. Do not leave it lying around or discard it where third parties may access it. If it is in hard copy, destroy it by shredding or burning it safely. Digital information can be permanently deleted.

What steps must my organisation take to comply with POPIA?

Complying with POPIA is not a case of one size fits all. The actions you should take depend on many things, including the size of your organisation and the data protection controls already in place. Typical steps that responsible parties will need to take to comply with the requirements of POPIA include:

- appointing an Information Officer;
- drafting a privacy policy;
- raising awareness amongst all employees;
- amending contracts with operators;
- reporting data breaches to the Regulator and to data subjects;
- checking that they can lawfully transfer personal information to other countries;
- only sharing personal information when they are lawfully permitted to.

I am in the marketing business. What does POPIA mean when it comes to direct marketing?

This is dealt with in section 69 of the POPI Act. No direct marketing by means of electronic communications may be conducted unless the data subject has consented to it. The marketer may approach the data subject only once to obtain that consent. (Section 69 does allow a responsible party to market to its own existing customers, for its own similar products or services, where their contact details were obtained in the context of a sale and they were given the opportunity to object.) Any organisation using electronic direct marketing must disclose the identity of the advertiser and provide the consumer with an opt-out route. The rules for collecting personal information apply here too: any person whose information is sought must be given the opportunity to consent.

What do I do if personal information has been compromised?
Any compromise of personal information must be reported to your organisation's Information Officer, who reports it to the Information Regulator and to the data subject, in a way that allows the data subject to protect him- or herself against possible negative consequences. If you do not have an Information Officer, report it to the Information Regulator directly.

What will happen if I contravene POPIA?

There are two legal consequences for the responsible party:

1. A fine of up to R10 million, imprisonment of up to ten years, or both.
2. Paying compensation to data subjects for the damage they have suffered.

Is there other legislation in South Africa that regulates privacy?

The POPI Act is not the only legislation that regulates privacy. Other relevant Acts include (but are not limited to):

- the Electronic Communications and Transactions Act;
- the Promotion of Access to Information Act.