SEMINAR: Copyright 2012 All rights reserved. This presentation and/or any part thereof is intended for personal use and may not be reproduced or distributed without the express permission of the author/s.

The Protection of Personal Information Bill Allan Hannie Cape Town 28 February 2013

Purpose of Bill
- Give effect to the constitutional right to privacy while protecting the free flow of information and advancing the right of access to information
- Regulate the manner in which personal information is processed, in harmony with international standards
- Provide rights and remedies for non-compliance
- Create measures, including the establishment of an Information Regulator, to promote and enforce the protection of personal information
24/10/2012 PPI Presentation 3

When Does the Bill Not Apply?
The Bill does not apply to the processing of personal information, e.g.:
- for a purely personal or household activity
- that has been de-identified to the extent that it cannot be re-identified again
- by courts, or for a public body and for national security (including anti-terrorism, defence and public safety), or to prevent, detect, investigate or prove and prosecute offences and execute sentences, provided that adequate safeguards are legislated
- for exclusively journalistic, literary or artistic expression, to the extent necessary to reconcile, in the public interest, the right to privacy with the right to freedom of expression
- processing by journalists: if subject to a code of ethics (with adequate safeguards), then that code applies

Condition # 1: Accountability
- Responsible Party is responsible for compliance and must ensure that all measures are in place to give effect to the conditions prescribed for the processing of personal information, including special information
- Offence if Responsible Party, inter alia, failed to take reasonable steps to prevent (unlawful or unauthorised) processing of an account number (unique identifier assigned by a financial institution to access funds or credit facilities)

Condition # 2: Processing Limitation
- Processing must be lawful, reasonable (not infringe privacy) and not excessive having regard to purpose
- Processing can only be done if:
  - consent obtained
  - necessary for a contract to which the data subject is party
  - to comply with a legal obligation
  - to protect a legitimate interest of the data subject
  - necessary for performance of a public law duty (public body)
  - necessary for pursuing legitimate interests of the Responsible Party or a third party to whom the information is supplied
- Direct collection unless: consent obtained, in public domain, no prejudice, necessity in law, or not reasonably possible to collect directly
- Consent: voluntary, specific and informed expression of will

Condition # 3: Purpose Specification
- Collection of information must be for a specific purpose which relates to an activity of the responsible party, with the data subject being aware of the purpose of the collection
- Records of personal information must be retained for no longer than required, unless required by law, reasonably required, agreed (in contract) or with consent
- Can be retained longer for historical, statistical or research purposes, provided appropriate security safeguards are in place
- If a record is used to make a decision about the data subject, then the record must be retained for a prescribed or reasonable period to allow for requests for access
- Personal information must be destroyed or de-identified when no longer authorised to retain it

Condition # 4: Further Processing Limitation
- Information may not be processed further in a way that is incompatible with the purpose for which it was collected
- Further processing allowed if:
  - consent obtained
  - derived from a public record or deliberately made public by the data subject
  - legally necessary
  - necessary to prevent or mitigate a serious and imminent threat to public safety or to the life or health of the data subject or another individual
  - for historical, statistical or research purposes, solely for this purpose and not published in any identifiable form
  - exemption obtained from the Regulator

Condition # 5: Information Quality
- Responsible party must take reasonably practicable steps to ensure that the information is complete, accurate, not misleading and up to date
- Must have regard to the purpose for which the information is collected or further processed

Condition # 6: Openness
- Responsible parties must document their processing operations in the manual contemplated in PAIA (as amended by the Bill)
- Responsible party must take reasonably practicable steps to ensure that the data subject is aware, inter alia, of the following:
  - the information being collected and its source
  - the name and address of the responsible party
  - the purpose for which the information is being collected
  - whether it is mandatory or voluntary to supply the information, and the consequences of failure to provide it
  - whether the information is transferred outside RSA or to an international organisation, and the level of data privacy/protection there
  - rights to object, to rectify information and to complain to the Regulator
- Similar exclusions (e.g. consent, no prejudice and not reasonably practicable to inform) apply here too

Condition # 7: Security Safeguards
- Integrity and confidentiality of personal information must be secured by appropriate, reasonable technical and organisational measures to safeguard against, inter alia, loss, destruction or unlawful access
- Risks (internal and external) must be identified and appropriate safeguards developed and put in place
- Operators must be authorised by the responsible party and maintain confidentiality and the above security measures
- Security breaches must be notified to the Regulator and the data subject (where known), and sufficient information must be provided to the data subject to take protective measures

Condition # 8: Data Subject Participation
- Data subject can request confirmation as to whether the responsible party holds information about him/her, the record or a description of the personal information, and information on the identity of all third parties or categories of third parties who have or have had access
- Request for access is made in terms of PAIA, and access can be refused on the grounds set out in PAIA
- Data subject is entitled to correct or delete personal information that is inaccurate, excessive, out of date, incomplete, misleading or obtained unlawfully

Cross-Border Transfer of Personal Information
- No transfer of personal information outside of SA unless:
  - recipient is subject to a law, binding corporate rules, or a contract or MOU (between public bodies) which provides comparable (substantially similar) protection for the processing of personal information (including in relation to further transfers)
  - data subject consents
  - necessary for performance of a contract with the data subject, or a contract with a third party in the interest of the data subject; or
  - transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the data subject’s consent, but such consent would likely have been given

Direct Marketing
- Processing of personal information for purposes of direct marketing (unsolicited electronic communications) is prohibited unless:
  - consent (in prescribed manner and form) of the data subject is obtained, which need only be obtained once
  - to an existing customer, provided (i) contact details were obtained in the context of a sale of a product; (ii) for similar products or services; and (iii) opt-out provided when the information was collected and with each subsequent communication
- Details of sender and opt-out contact details required

Exemptions
- Regulator may exempt, by notice in the Gazette, a Responsible Party from compliance with conditions if satisfied that:
  - public interest outweighs to a substantial degree the right to privacy
  - there is a clear benefit to the data subject or a third party that outweighs to a substantial degree the right to privacy
- Public interest includes national security; prevention, detection and prosecution of offences; economic and financial interests of a public body; and the special importance of freedom of expression
- No need to comply with certain conditions (consent, direct collection, further processing limitation and notification) in discharge of a relevant function: protection of the public against e.g. financial crimes and practices (incl. dishonesty, malpractice etc.) and improper or incompetent professional conduct

Codes of Conduct
- Must be issued by the Regulator on its own initiative or on application by an industry body/class
- Must incorporate all the conditions for lawful processing, or set out functional equivalents, and prescribe how the conditions are to be applied in the context of the relevant sector
- Must also specify appropriate measures for any information matching programmes (comparing documents containing personal information of ten or more data subjects) or for protecting the legitimate interests of data subjects in the case of automated decision making

Enforcement: Information Regulator
- Independent statutory authority
- Powers and duties (extensive): can issue information notices and enforcement notices, and apply to court for search warrants
- Monitor and enforce compliance by responsible parties
- Develop and issue codes of conduct for various sectors
- Develop guidelines to assist with the application of the codes of conduct
- Authorise exemptions and conduct investigations
- Dispute resolution (mediator)

Civil Remedies
- Either the data subject or the Regulator may institute an action for damages, whether or not there is intent or negligence
- Defences:
  - vis major
  - consent
  - fault on the part of the plaintiff
  - compliance not reasonably practicable in the circumstances
  - authorisation by the Regulator
- Court can award a wide range of damages, and all court orders must be published, including settlement agreements

Offences and Penalties
- Offences:
  - obstruction of the Regulator
  - breach of confidentiality
  - failure to comply with an enforcement notice or information notice
- Penalties:
  - obstructing or unlawfully interfering with the Regulator: fine or imprisonment for up to 10 years
  - other offences: fine or imprisonment for up to 12 months
  - administrative fines: up to R10 million

Questions?