DATA PROTECTION & PRIVACY
OUR DATA PROTECTION & PRIVACY GROUP IS THE LARGEST PRACTICE OF ITS KIND
IN SOUTH AFRICA
DATA PROTECTION & PRIVACY | cliffedekkerhofmeyr.com
OUR DATA PROTECTION & PRIVACY GROUP
Cliffe Dekker Hofmeyr’s Data Protection & Privacy Group is a dedicated, multi-disciplinary team of lawyers with specialist knowledge of the Protection of Personal Information Act, No 4 of 2013 (POPI). We also have extensive experience in every aspect of privacy of information and data protection.
Our Data Protection & Privacy Group is the largest practice of
its kind in South Africa. Our team consists of lawyers drawn
from across the firm’s practice areas and sectors, which include
Technology & Sourcing, Convergence & New Media, Employment
law, Dispute Resolution and Commercial law. Our team is able
to advise you on the practical implications of the POPI Act, such
as addressing your privacy of information and data protection
requirements under the new legislation.
Our team’s specialist know-how means that we combine our
technical knowledge of data retention and protection, data
security, data transfer, privacy, confidentiality and freedom of
information, with practical experience.
We act for clients from a wide range of sectors, so we understand
the requirements of clients from diverse industries. We are also
ideally positioned to offer bespoke solutions to a client’s specific
situation and business environment.
INTERNATIONAL SCOPE, LOCAL EXPERTISE
We give you immediate access to a global network of lawyers who
have expert knowledge and practical experience in international
information law. Borders are no barrier. With our network across
Africa, Asia Pacific, Europe, the Middle East and the United States,
we are able to provide sophisticated and practical legal advice to
our clients, wherever they operate.
We are kept fully up to date on international trends, precedents
and developments – an essential component to maintaining a
competitive edge in this highly specialised area.
Our Data Protection & Privacy Group is unique in its focus on
giving advice that draws on international experience in the
information and data protection field. Our team has in-depth
knowledge of international privacy laws, notably the European
Union data protection model on which the POPI Act is based. We
are also familiar with privacy laws in the US, Canada and other
jurisdictions around the world.
Our experience and our immediate access to similar laws in
jurisdictions around the globe equip our local team to interpret
and provide recommendations on the practical application of the
POPI Act in South Africa.
OUR SERVICES
DATA PROTECTION
We have a strong track record in advising clients on all
contentious and non-contentious issues related to privacy and
data protection. Selected examples include:
∞ Conducting large-scale national and international data protection due diligence exercises and audits
∞ Advising on data protection issues in corporate transactions and in insolvency proceedings, including database ownership and transfer
∞ Advising on international transfers of personal data, and drafting inter-group and third party data transfer agreements
∞ Advising on direct marketing campaigns and on the application of related privacy and consumer protection laws
∞ Advising clients on their preparedness for the promulgation of the POPI Act
∞ Advising on privacy policies and procedures
∞ Advising on relevant data subject consent documentation
∞ Advising on revisions to existing agreements to comply with the provisions of the POPI Act
∞ Advising on business process changes required to ensure compliance with the provisions of the POPI Act
∞ Advising clients on dealing with sensitive or special personal information, which includes information relating to children, medical information and certain employee information
∞ Advising on the POPI Act’s implications on HR processes and procedures, and on amendments to employee contracts to comply with the provisions of the POPI Act
∞ Advising on agreements to be concluded with third party service providers with whom clients share data, including third parties who process data on behalf of a client
∞ Advising on document and data retention policies and procedures
∞ Advising on website terms and conditions, including opt-in/opt-out boxes
ASSISTING WITH THE POPI ACT COMPLIANCE STEPS
Our core services in this area include:
∞ Assessing and analysing current data management policies and procedures to gauge the current level of compliance with legislation across:
  ∞ data collection
  ∞ storage
  ∞ processing
  ∞ records retention
  ∞ implementation
  ∞ training processes
∞ Assisting in developing a comprehensive data management strategy to ensure and maintain compliance with legislation, and reduce the risk of claims, regulatory enforcement and possible criminal liability
∞ Assisting in compiling policies to regulate compliance with related current legislation, such as the Constitution, consumer protection laws, the Electronic Communications and Transactions Act, No 25 of 2002, the Promotion of Access to Information Act, No 2 of 2000 and the POPI Act; also including procuring the necessary consents to process information, allowing for access to information, maintaining information so that it is kept up to date, employing effective security safeguards and data retention
∞ Advising on effective data management strategies and structures to underpin commercial deals, including in relation to multi-jurisdictional outsourcing transactions
∞ Providing training to clients in relation to effective data management to ensure that all responsible parties comply with legislation
∞ Assisting in preparing internal policy documents
∞ Advising on domestic and international data compliance and public policy
∞ Advising IT and corporate clients on managing risk and security; we are well placed to assist clients in dealing with data breaches
∞ Assisting with compliance strategies and policies, regulatory investigations, transactional support and litigation
∞ Advising on and assisting with employment related privacy issues
OUR RECENT EXPERIENCE
∞ Advising large corporates on implementing privacy policies
∞ Advising on the employment aspect of a global oil company’s audit on South African data protection law
∞ Advising in relation to data retention requirements in South Africa for a multinational banking group
∞ Advising a large local bank on various aspects of compliance with the provisions of the POPI Act
∞ Advising the Independent Schools Association of South Africa about the POPI Act
∞ Presenting seminars on the POPI Act to local and multinational companies
∞ Advising a major petroleum company on data protection law for their internal compliance process
∞ Providing general advice on data protection law for a major listed company’s internal policy documents
∞ Giving opinions on the Home Affairs National Identification System (HANIS) database access identification verification matter
∞ Advising a state-owned enterprise on achieving compliance with the provisions of the POPI Act
∞ Giving general opinions relating to identity verification systems
∞ Advising a multinational outdoor advertising company on its data protection legislation compliance across 14 African jurisdictions
∞ Advising state-owned entities on compliance with the POPI Act
WHAT IS THE POPI ACT?
The POPI Act is new legislation designed to ensure that the personal information of individuals is protected under a regulatory framework within which organisations may process personal information.
The POPI Act (which has solicited significant and lengthy debate
among citizens and corporate South Africa since it was first
introduced in Parliament in 2009) was finally promulgated into
law on 26 November 2013 and will commence on a date to be
determined by the President by proclamation in the Gazette.
Different dates of commencement may be determined in respect
of different provisions of the POPI Act. We note that the
provisions of the POPI Act dealing with the establishment of
the office of the Information Regulator as well as the powers,
duties and functions of the Information Regulator have, on
proclamation by the President, come into effect as of 11 April 2014.
The POPI Act gives effect to the right to privacy contained in
the Constitution, while protecting the free flow of information
and advancing the right of access to information.
WHAT IS MEANT BY ‘PROCESSING’?
The concept of processing is broadly defined. The POPI Act will apply to you if you in any manner collect, receive, record, organise, collate, store, update, alter or modify, retrieve, consult, use, disseminate, distribute, merge, link, erase or destroy personal information.
While the POPI Act provides for certain exceptions, you should
seek professional advice to assess possible exceptions on a
case-by-case basis.
If you or your company processes personal information about any South African person or concerning any South African business, you will need to comply with POPI.
WHAT IS MEANT BY ‘PERSONAL INFORMATION’?
Personal information is any information that identifies a natural or juristic (corporate) person and can be linked back to that person, such as contact information, and information regarding race, gender, marital status, religious beliefs, as well as medical and financial information.
Personal information includes:
∞ Information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person
∞ Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person
∞ Information relating to the education, medical, financial, criminal or employment history of the person
∞ Any identifying number, symbol, email address, physical address, telephone number or other particular assignment to the person
∞ The blood type or any other biometric information of the person
∞ The personal opinions, views or preferences of the person
∞ Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature
∞ The view or opinions of another individual about the person
∞ The name of the person if it appears with other personal information or if the disclosure of the name itself would reveal information about the person
WHAT STEPS CAN BE TAKEN TO COMPLY WITH THE ACT?
The POPI Act allows for a one-year compliance period (which
may be extended). However, because the POPI Act imposes
such broad obligations, you are encouraged to consider, without
delay, the steps you will need to take and changes you will need
to implement in standard processes and procedures, in order to
comply with the requirements of the POPI Act.
BBBEE STATUS: LEVEL TWO CONTRIBUTOR
This information is published for general information purposes and is not intended to constitute legal advice. Specialist legal advice should always be sought in
relation to any particular situation. Cliffe Dekker Hofmeyr will accept no responsibility for any actions taken or not taken on the basis of this publication.
JOHANNESBURG
1 Protea Place, Sandton, Johannesburg, 2196. Private Bag X40, Benmore, 2010, South Africa. Dx 154 Randburg and Dx 42 Johannesburg.
T +27 (0)11 562 1000 F +27 (0)11 562 1111
CAPE TOWN
11 Buitengracht Street, Cape Town, 8001. PO Box 695, Cape Town, 8000, South Africa. Dx 5 Cape Town.
T +27 (0)21 481 6300 F +27 (0)21 481 6388
©2018 0706/JULY