Exclusions
The Act does not apply to the processing of the following personal information:
- Purely personal or household activity;
- De-identified info that cannot be re-identified again;
- Processing by or on behalf of the State:
  - National security, defence or public safety;
  - Criminal offences, prosecution, execution of criminal sentences and security measures.
- Processing for exclusively journalistic purposes;
- By the Cabinet and its committees;
- Judicial functions of a court;
- Exempted in terms of sec 34.
Conditions for lawful processing of personal information
The Bill regulates the "Processing" of Personal Information. This is very widely defined and covers any activity or operation involving personal information, whether automated or not. It includes the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, erasure or destruction of information.
The Processing of Personal Information must comply with certain requirements which are framed as the eight "information protection principles" ("Principles") in the Bill.
The Information Protection Principles are as follows:
Accountability
- The responsible party must ensure that all principles are complied with.
Processing limitation
- Lawfulness of processing:
  - Lawfully and in a reasonable manner.
- Minimality of information:
  - For a specific purpose, adequate, relevant and not excessive.
- Consent & other grounds of justification.
- Objection allowed in specific instances:
  - If the data subject has objected, the responsible party may no longer process the personal information.
- Collection directly from the data subject:
  - Exceptions allowed: public record; necessary for the enforcement of laws or national security; not reasonably practicable, etc.
Purpose specification
- Specifying a purpose that is specific, explicitly defined, lawful and related to a function or activity of the responsible party.
- Informing the data subject of the purpose.
- Retaining data for no longer than needed.
Further processing limitation
- Compatible with the original purpose.
- Exceptions, e.g. statistical, historical or research purposes.
Quality of information
- Reasonably practicable steps, given the purpose, to ensure the information is complete, up to date, accurate and not misleading.
Openness
- Notification to the Regulator and the data subject of planned processing.
Security safeguards
- Companies will have to implement appropriate, reasonable technical and organisational measures to prevent the loss or unauthorised use of personal information. Companies will have to identify all internal and external risks to personal information and establish and maintain appropriate security safeguards. In addition to a well-drafted privacy and data protection policy, companies will have to invest in technologies like encryption and access control.
- Processing by an operator:
  - Only with the knowledge of the responsible party.
  - Duty of confidentiality.
- Notification of security compromises:
  - Notification to the Regulator and the data subject when personal information has been accessed or acquired by any unauthorised person.
Data subject participation
- Right to access:
  - The data subject has the right to request, free of charge, confirmation of whether or not the responsible party holds personal information and to whom such data was disclosed.
  - Request a description of the personal information.
- Correction of personal information:
  - The data subject has the right to request the responsible party to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
- The manner of access is in terms of the Promotion of Access to Information Act.
Processing of special personal information
Subject to certain exclusions, the processing of Special Personal Information is generally prohibited by the Bill.
Special Personal Information is information concerning:
- A child who is subject to parental control in terms of the law; or
- A data subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, or criminal behaviour.
Information Protection Regulator
The Information Protection Regulator will have wide-ranging investigative and enforcement powers.
Establishment of Information Protection Regulator
- Independent juristic person.
- Receive notification of processing.
- Failure to notify is an offence.
- Keep a register of processing activities.
- Powers and duties:
  - Education and research
  - Monitor and enforce compliance
  - Audits
  - Prior investigations
  - Information notices
  - Enforcement notices
  - Issue codes of conduct
Information Protection Officer
Duties and Responsibilities of the Information Protection Officer include:
- Encouraging compliance, by the body, with the information protection principles;
- Dealing with requests made to the body pursuant to this Act by data subjects;
- Working with the Regulator in relation to investigations conducted; and
- Ensuring compliance by the body with the provisions of this Act.
Every organisation must have an Information Protection Officer. Officers may only take up their duties in terms of the POPI Act after the responsible party (information protection officer) has been registered with the Regulator.