
RISK & COMPLIANCE

ISACA SA KZN Chapter Meeting


Introduction to the Protection of Personal Information Bill, 2009

17 June 2010

INFORMATION PROTECTION ADVISORY SERVICES


What will we be discussing today?

Why is information privacy important?
Are there any information protection regulatory requirements currently applicable in SA?
What is the PPI Bill about?
What is personal information?
What should organisations be doing about the PPI Bill?

Privacy: What is it all about?

Privacy is:
- The right of everyone to be left alone.
- The ability to preserve confidentiality, anonymity and solitude.
- It includes the right not to have the privacy of one’s communications infringed.

Information privacy is:
- The handling and protection of personal information that is processed in the course of an organisation’s everyday activities.

Personal information is:
- Any information about an individual that could be used to identify that person.
- Specific examples are listed in regulation/standards, e.g. PPI Bill, Draft ISO 29100.

Why bother about privacy?

How much do THEY know about you……..

[Embedded video: Privacy - Order Pizza.swf]

Seriously…why bother about Privacy?

Increased global attention – EU Directive – adequacy assurances – business impact

Public image and reputation: privacy incidents
- SA: Zurich notification letters – over 600 000 – resource and reputational impact
- UK: HSBC fined £3.2 mill (R38 mill) for data loss – reports in Business Day – global exposure
- Germany: Deutsche Bahn AG fined €1.1mil (R11.5mil) for violation of data protection law

Fines and law suits (incl. class action, aggravated damages)
- UK: ICO announces initial penalties of £500 000 (R6 mill) for non-compliance even if no loss/damage
- USA: HIPAA announces fines of up to $1.5mil (R11mil)

Citizen expectations – transparency and accountability – trust is non-negotiable

Contractual obligations

Cross border data transfers

Information Protection Regulatory Landscape (South Africa)

[Diagram of the applicable instruments: The Constitution (Section 14), PPI (???), ECTA, RICA, Banks Act, PAIA, FICA, National Credit Act, Code of Banking Practice, Consumer Protection Act, FAIS, King III]

Summary of key information protection legislation

Right to privacy & right of access to information – Constitution

Security safeguards – ECTA (and PPI Bill)

Information classification – PAIA (and PPI Bill)

Document retention and archiving – ECTA, RICA (and PPI Bill)

Information privacy – processing of personal information – PPI Bill

E-commerce and electronic contracting – ECTA

Monitoring and intercepting of communication (eg. emails) – RICA

Good corporate governance – protect information as an important business asset including PI – King III

The Protection of Personal Information Bill, 2009

The official plan:

The reality:
- Late July, August, September?

The Bill:
The Bill requires ‘processors’ of personal information to comply with eight core principles:
1 Accountability
2 Processing Limitation
3 Purpose Specification
4 Further Processing Limitation
5 Information Quality
6 Openness
7 Security Safeguards
8 Data Subject Participation

What is personal information (PI)?

“… information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to–
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
(d) the blood type or any other biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person…”

Draft ISO 29100 – Examples of PI – Unique v Linkable

Special personal information

May not be processed except in specific circumstances:
- Religious or philosophical beliefs
- Race
- Children
- Trade union membership
- Political persuasion
- Health or sexual life
- Criminal behaviour

The Eight Principles in the PPI Bill

Accountability
Processing Limitation
Purpose Specification
Further Processing Limitation
Information Quality
Openness
Security Safeguards
Data Subject Participation

Principle 7: Security Safeguards

Reasonable measures:
- Risk identification – internal & external
- Implement controls against risks
- Periodically monitor control effectiveness
- Update controls where needed

Breach notification:
- Data subject
- Regulator
- Reasonable time
- Contents of notification
Principle 7: Security Safeguards (cont…)

Information security & IT governance standards & practices:
- ISO 27001, ISO 27002, Draft ISO 29100
- CoBIT, ITIL, BS 10012
- King III, PCI-DSS

Principle 7: Security Safeguards (cont…)

Third parties:
- Confidentiality
- Contractual arrangements
- Security requirements
- Cross border transfers

Applying Principle 1: Accountability

Does your organisation currently have an individual who is accountable for overall information protection?
Does your organisation currently designate specific individuals to monitor compliance with information protection standards within each business area?
Does your organisation currently have a privacy policy?
Does your organisation currently have document retention and access to information policies?
How often does your organisation conduct training or awareness sessions for employees on information protection and/or security?
Are you aware of any information breaches that occurred within your organisation during the past year?

Applying Principle 2: Processing Limitation

What are the different ways in which your organisation processes personal information?
What categories of personal information does your organisation process?
What are the different purposes for which your organisation processes these different categories of personal information?
How does your organisation assess whether the type of personal information is adequate for, and relevant to, the purpose for which it is collected?
Does your organisation have procedures in place for de-identifying personal information to ensure minimum disclosure?
How does your organisation obtain the consent of individuals before processing their personal information?

Applying Principle 3: Purpose Specification

Does your organisation classify personal information in terms of the purposes for which it is processed?
How and when does your organisation inform relevant persons about the specific purposes for which their personal information is required? For example, consider updating of application forms, call centre scripts, employee on-boarding forms etc.
Does your organisation clearly identify the names and categories of all people/organisations to whom the information will be supplied?
Does your organisation have a document retention policy and does the policy provide for the retention of records containing personal information?
What is your organisation’s process for destroying and/or de-identifying records at the end of the retention period?
Does your organisation inform relevant persons about the duration for which the records will be retained and how these records will be destroyed at the end of the retention period?

Applying Principle 4: Further Processing Limitation

Does your organisation process personal information for any other purpose except the identified purposes that are disclosed to the individual concerned?
What type of personal information does your organisation generally subject to further processing?
How does this further processing affect the individual to whom the information relates, i.e. is it likely to benefit/prejudice the individual?
Is the personal information obtained directly from the individual concerned or from other sources, e.g. third parties, marketing databases, internal leads?
Is the further processing required in terms of any contractual obligation between your organisation and the individual concerned, or a third party?
When and how does your organisation inform the individual concerned when personal information is used for a purpose other than originally disclosed?

Applying Principle 5: Information Quality

Does your organisation have a process for checking the accuracy and completeness of records containing personal information?
Does your organisation have a process to deal with complaints relating to the timeliness and accuracy of personal information?
Does your organisation provide the opportunity to individuals to periodically verify and update their personal information?
How and when are individuals made aware of these processes?
Does your organisation have a process for monitoring and tracking updates to personal information?
Who is responsible in your organisation for ensuring that records containing personal information remain relevant, accurate and up-to-date?

Applying Principle 6: Openness

Does your organisation have a formal process for notifying individuals before processing personal information?
Does your organisation have a formal process for notifying the Regulator before processing personal information? (after enactment only)
Do your notifications contain the specific information required in clause 17?
Has your organisation compiled a manual and made it available in terms of the Promotion of Access to Information Act?
Who in your organisation is responsible for liaising with the Regulator in terms of the Promotion of Access to Information Act?
Does your organisation use personal information for historical, statistical or research purposes?

Applying Principle 7: Security Safeguards

Does your organisation’s risk management strategy cover risks associated with personal information?
Does your organisation have an information security policy and does the policy make specific reference to personal information?
Does your organisation limit the number and categories of employees who have access to personal information?
Does your organisation share personal information with any third parties and are you aware of all your third parties?
Does your organisation have an incident management strategy and does this deal specifically with personal information breaches?
Does your organisation have a process for notifying affected individuals about information breaches?

Applying Principle 8: Data Subject Participation

Does your organisation have mechanisms for individuals to access and amend their personal information?
How often does your organisation communicate with employees and customers about updating their personal information?
Does your organisation conduct periodic assessments on the accuracy and validity of personal information contained in your databases?
Does your organisation have a process for dealing with requests for corrections to personal information?
Does your organisation have a process for informing third parties of updates, corrections or deletions of personal information?
Does your organisation charge any fees for requests to access records containing personal information?

Implications of the Bill – Multi-disciplinary approach to compliance

Governance: Assigning of overall accountability for compliance with the Bill – not where it sits, but who?
Information management: Classification, retention and security of information
Human resources: Collection and processing of employee personal information – identify sources, purposes, information flows
Customer relations: Collection and processing of customer personal information – identify sources, purposes, information flows
Marketing: Restrictions on direct marketing, product leads and maintenance of opt-out registers/”do-not-call” lists
Contract management: Identification and management of third party processors – accountability remains with you
International transacting: Restrictions on cross-border transfers – require assurance of adequacy
Training and awareness: Embedding a culture of information protection throughout the organisation

Costs and Enforcement

Implementation costs
Systems cost estimations: R150 - R200 million
Training cost estimations: R 80 000 p.a.
Time: 3 - 5 year roll out for full compliance

The Regulator
Information Protection Regulator (IPR)
Start-up budget – R80million

Non-compliance costs
Regulatory fines
Ten year prison sentence
Civil litigation costs
Aggravated damage awards
Regulatory audits
Reputational damage

Don’t get caught…

[Cartoon: “zzzz….huh….what…DUH?”]

Case Study Findings

Client takes 6 months to identify third parties

Identified 16 000 third parties

Gap assessment alone costs R2 million – takes 12 months

Remediation planned for up to 18 months

Number of business units affected was 37

Group wide gaps identified were 92

Project team consisted of 10 internal client employees and 11 consultants

What Local Organisations Are Doing

Conducting privacy gap analyses to identify control weaknesses
Assigning responsibility – defining role profiles – appointing Information Protection Officers
Embarking on remediation programmes – addressing control weaknesses – attaining a state of readiness to comply
Assessing cross border data transfers to ensure an adequate level of protection
Developing and updating privacy policies and procedures
Implementing employee and customer information protection awareness programmes
Auditing third party processors
Updating third party contracts

Global Privacy Experience: Success Factors

Assign responsibilities – “privacy governance”

Multi-disciplinary and process-based approach

Privacy impact assessments to prioritise and develop action plans

Determine information flows, information owners, classify information

Effective policies and processes: retention, incident management, complaints

Privacy awareness: it is not possible to over-communicate or over-train

Ensure privacy compliance in systems, processes and at third parties

Remember … every organisation is unique!

[Map: AFRICA, INDIA, AMERICA]

Achieving compliance: To-do-list

By whom?

☐ Privacy risk and impact assessments
☐ Designing and implementing privacy governance frameworks
☐ Information Protection Officer role profile
☐ Organisational culture – awareness and training

Achieving compliance: To-do-list (cont…)

By whom?

☐ Information management processes – document retention, information classification
☐ Compliance risk management plans
☐ Policies, disclaimers, contract clauses, website terms and conditions, SLAs
☐ Incident response and breach notification

How many boxes did you tick?

Other Questions To Ask Your Organisation

What personal information are we processing?
Do we obtain explicit consent for the processing of personal information on our application forms, contracts, online or telephonically?
Have our customers given their express consent for all the purposes for which we use their information (e.g. marketing, cross selling in group, third parties, acquisition transfer)?
Are we sure that customer or employee information that is processed by third parties is done so in accordance with the privacy principles (e.g. secure, accurate, up to date, only for agreed purpose)?
Do our contracts with employees, third parties and customers include a privacy clause?
Are our employees aware of how to protect our customer information in accordance with the privacy principles?
Do we have a breach and notification procedure for personal information breaches?
Do we ensure that an adequate level of protection is in place and agreed between parties when transferring personal information across the South African border?
Do we provide our customers with means to regularly access and verify their personal information?
Do we destroy personal information when it is no longer required and in accordance with specific legislative requirements? How?

Proposed Roadmap: An integrated plan for achieving sustainable privacy compliance

Privacy Resources

KPMG’s Global Privacy Knowledge Base – www.kpmg.com/privacyinstitute

ISO/SABS – Privacy Working Group 71F – E-mail me!!!

ISG Africa – Privacy Special Interest Group – www.isgafrica.org/

IAPP/CIPP certification – www.privacyassociation.org/

Questions

Presenter’s contact details
Farzana Badat
Information Protection Advisory
Services
KPMG Services (Pty) Ltd
+ 27 (0) 11 647 5576
farzana.badat@kpmg.co.za
www.kpmg.co.za

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we
endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will
continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular
situation.

© 2010 KPMG South Africa the member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in South Africa
