17 June 2010
Privacy: What is it all about?
Privacy is:
- The right of everyone to be left alone.
- The ability to preserve confidentiality, anonymity and solitude.
- It includes the right not to have the privacy of one’s communications infringed.
Seriously…why bother about Privacy?
Contractual obligations
Information Protection Regulatory Landscape (South Africa)
- The Constitution, Section 14
- PPI (???)
- ECTA
- Consumer Protection Act
- FAIS
- KING III
Summary of key information protection legislation
The Protection of Personal Information Bill, 2009
The reality:
- Late July, August, September?
The Bill:
The Bill requires ‘processors’ of personal information to comply with eight core principles:
1 Accountability
2 Processing Limitation
3 Purpose Specification
4 Further Processing Limitation
5 Information Quality
6 Openness
7 Security Safeguards
8 Data Subject Participation
What is personal information (PI)?
Special personal information
- Religious or philosophical beliefs
- Race
- Children
- Trade union membership
- Political persuasion
- Health or sexual life
- Criminal behaviour
The Eight Principles in the PPI Bill
Accountability
Processing Limitation
Purpose Specification
Further Processing Limitation
Information Quality
Openness
Security Safeguards
Data Subject Participation
Principle 7: Security Safeguards
Reasonable measures:
- Risk identification – internal & external
- Implement controls against risks
- Periodically monitor control effectiveness
- Update controls where needed
Breach notification:
- Data subject
- Regulator
- Reasonable time
- Contents of notification
Principle 7: Security Safeguards (cont…)
Third parties:
- Confidentiality
- Contractual arrangements
- Security requirements
- Cross border transfers
Applying Principle 1: Accountability
Applying Principle 2: Processing Limitation
Applying Principle 3: Purpose Specification
Applying Principle 4: Further Processing Limitation
Does your organisation process personal information for any other purpose except the identified purposes that are disclosed to the individual concerned?
Applying Principle 6: Openness
Applying Principle 7: Security Safeguards
Applying Principle 8: Data Subject Participation
Implications of the Bill – Multi-disciplinary approach to compliance
- Governance: Assigning of overall accountability for compliance with the Bill – not where it sits, but who?
- Information management: Classification, retention and security of information
- Human resources: Collection and processing of employee personal information – identify sources, purposes, information flows
- Customer relations: Collection and processing of customer personal information – identify sources, purposes, information flows
- Marketing: Restrictions on direct marketing, product leads and maintenance of opt-out registers/”do-not-call” lists
- Contract management: Identification and management of third party processors – accountability remains with you
- International transacting: Restrictions on cross-border transfers – require assurance of adequacy
- Training and awareness: Embedding a culture of information protection throughout the organisation
Costs and Enforcement
Implementation costs
Systems cost estimations: R150 - R200 million
Training cost estimations: R 80 000 p.a.
Time: 3 - 5 year roll out for full compliance
The Regulator
Information Protection Regulator (IPR)
Start-up budget – R80million
Non-compliance costs
Regulatory fines
Ten year prison sentence
Civil litigation costs
Aggravated damage awards
Regulatory audits
Reputational damage
Don’t get caught…
zzzz….huh….what…DUH?
Case Study Findings
What Local Organisations Are Doing
Global Privacy Experience: Success Factors
Remember … every organisation is unique!
AFRICA
INDIA
AMERICA
Achieving compliance: To-do-list
By whom?
Achieving compliance: To-do-list (cont…)
By whom?
How many boxes did you tick?
Other Questions To Ask Your Organisation
- What personal information are we processing?
- Do we obtain explicit consent for the processing of personal information on our application forms, contracts, online or telephonically?
- Have our customers given their express consent for all the purposes for which we use their information (e.g. marketing, cross selling in group, third parties, acquisition transfer)?
- Are we sure that customer or employee information that is processed by third parties is done so in accordance with the privacy principles (e.g. secure, accurate, up to date, only for agreed purpose)?
- Do our contracts with employees, third parties and customers include a privacy clause?
- Are our employees aware of how to protect our customer information in accordance with the privacy principles?
- Do we have a breach and notification procedure for personal information breaches?
- Do we ensure that an adequate level of protection is in place and agreed between parties when transferring personal information across the South African border?
- Do we provide our customers with means to regularly access and verify their personal information?
- Do we destroy personal information when it is no longer required and in accordance with specific legislative requirements? How?
Proposed Roadmap: An integrated plan for achieving sustainable privacy compliance
Privacy Resources
Questions
Presenter’s contact details
Farzana Badat
Information Protection Advisory Services
KPMG Services (Pty) Ltd
+ 27 (0) 11 647 5576
farzana.badat@kpmg.co.za
www.kpmg.co.za
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2010 KPMG South Africa the member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in South Africa