The document summarizes the Protection of Personal Information Bill (PPI Bill) of 2009 in South Africa. It provides an overview of the bill's timeline and introduction to parliament. The bill aims to protect personal information and establish a regulatory agency to enforce compliance. It outlines 9 key principles for handling personal information, including obtaining consent and only using data for its intended purpose. The bill also discusses provisions around electronic communications, the responsibilities of the regulatory body, and codes of conduct for industries. It concludes by outlining the requirements companies will need to meet under the new law.
2. Content
• Overview: Timetable, aim
• 9 principles
• Exceptions and special provisions
• Automatic electronic communications
• Consent/purpose
• The Regulator
• Codes of conduct
• Table of content of the Bill
• Conclusion
3. Timetable for introduction of PPI
Bill (09)of 2009 was tabled in August to Parliament by Cabinet.
• It will now go through the Parliamentary process: hearings before the
National Assembly portfolio committee.
• Could be signed by the President first half of 2010.
• It will then take another year before the start of its implementation,
including the drafting of regulations, the setting up of a National
Information Regulator‟s office and other support structures.
So there is time for all businesses to prepare their operations and minimize
the impact of the legislation.
4. The aim of PPI
• To give effect to the constitutional right to privacy
• To regulate the manner of collection, usage, processing, retention and
deletion of personal information
• A statutory regulatory agency to be established, information
commissioner: to register, monitor, regulate, educate and prosecute the
offences
• To endorse codes of conduct to make industry sectors self-regulated
• To fall in line with international standards for trans border data flow
The law applies to all private and public bodies who handle personal
information .
5. 9 principles in PPI Bill
Personal information must be:
• Obtained fairly and lawfully and disclosing the purpose (purpose
driven) and used only for the original specified purpose
• Adequate, relevant and not excessive to purpose
• Get consent as far as it is practical and offer an opt-out option (consent)
• In some cases opt-in will be mandatory
• Accurate and up to date and delete if requested (control)
• Accessible to the subject
• Kept securely and destroyed after its purpose is completed
• The responsible party has an obligation to comply with all principles
• Trans borders compliance
They are exclusions and exemptions for each principle and certain
circumstances.
6. 1. Accountability
• Designate a staff manager to be responsible for adherence to privacy
principles throughout the company
• Draft a company privacy principles code to be used by all departments
• Train all staff affected
• Subscribe to an industry code, advise and scrutinize
• Register with Information Regulator
7. 2. Disclosure
When gathering data from individual consumers marketers shall advise
them of:
1. What information is being collected
2. How the information will be used
3. Record their consent
When acquiring a list from another organization, must insure that consent
was obtained for such usage
8. 3. Controlling the use of information (purpose)
• The purpose for which information is collected shall be identified
before the time of collection
• The collection shall be limited to what is necessary as identified by the
company
• All involved in the use, transfer, rental, sale or exchange of data must
be aware of the exact nature of the list‟s intended usage
9. 4. Safe storage of information of customers
• All those involved in the use, transfer, rental, sale or exchange of
mailings lists should agree to be responsible for the protection of data
and take appropriate measures to ensure against unauthorized access,
alteration or dissemination of list data
10. 5. Respect for confidential and sensitive
information
• Lists owners and users must be protective of consumer‟s rights to
privacy of sensitive information like religion, health and sex life, race,
political persuasion and criminal behavior and positive consent will
have to be obtained ( some industry exceptions)
11. 6. Give consumers control of usage of information
• Make reasonable efforts to provide personal own information to
consumers on request
• The marketer must remove the consumer‟s name from all internal lists
or rental to third parties at the request of the consumer at anytime of
such request
• The marketer must amend any personal information at the request of
the consumer or when aware of changes to the data. There is a duty of
accuracy in keeping the information (present requirement of PAIA of
2000)
12. 7. Security safeguards
• Ensure the integrity of personal information and unlawful access
• Information processed by person acting under authority of responsible
party
• Security measures in place
• Notification of security compromises to regulator and data subjects
13. 8. Information no longer required
• Formal guidelines and implementation procedure guidelines must be
develop to ensure safe destruction or disposal of personal information
no longer required.
14. Exceptions and special provisions
Note: Public Domain is excluded
• Separate provision has been made for the protection of special (sensitive)
personal information like religion, health and sex life, race, political persuasion
and criminal behavior.
• Section ( sect 66) regulates the unsolicited electronic communications to „opt-
in” conditions (except for present customers)
• (Sect 67) regulates the compilation and use of directories and ( Sect 68)
automated decisions making
• Deals with the privacy and advertising to children.
15. PPI: E-mail, SMS, Fax, automatic dialing
machines offers
• Section 66 mandates that consent is obtained before contacting new
consumers by Email, SMS, automatic dialing machines- opt-in
requirement- (spam protection).
• Does not apply to telemarketing
• Positive consent does not apply for existing customers
• ECT Act to be reviewed
16. “Consent” “purpose” and usage
• “Purpose” for collection and usage must be disclosed up front
• “Consent” means any freely given, specific and informed expression of will
where data subjects agree to the purpose of usage and processing of personal
information
• An “opt-out” system presumes that the consumer wants to be contacted for
marketing offers BUT the system allows people to block the use of their
information.
• An “opt-in” system presumes that the consumer does not want to be contacted (
even if the information is from publicly available source) and it requires that
every consumer be contacted to gain explicit permission.
• “Implied consent” can apply to existing customers
17. Regulator’office & Complaints
• Establishment of a Regulator as an independent authority to administer
the Bill, issuing codes of conduct, registering companies who intend to
process personal information ( to check the purpose and transparency
compliance)
• Procedures set out to lodge a complaint with the Regulator
• Regulator‟s powers and procedures outlined
• Regulates the investigations process
• Offences and penalties
18. Codes of conduct
• Provisions in the Bill for registration by Associations of business sectors codes.
• If the code accepted by the Regulator, the sector becomes self regulated and
report to the regulator on its processing of complaints and , from time to time
has its code reviewed
• Should a company not adhere to the recommendations of the Association, the
remedies and penalties of the Bill will apply.
• An industry with a Code will also vet its members for compliance to the Bill,
and if accepted as a member, the process of prior investigation will not be done
by the Regulator.
19. Conclusion
Requirements as Industry standards to reflect:
• High degree of transparency and responsibility in gathering and handling
consumers‟ personal information, emphasis on security safeguards of databases
and computer systems
• Set standards for opt-in and opt-out procedures and registers
• Set standards for active, technical, management changes to current practices
for information gathering and handling
• Encourage companies to have privacy policy and communication with staff,
training to handle procedures
• Registration with the Information Regulator and negotiation to have the
standards endorsed under the PPI or be member of an accredited industry
association.
20. Table of content of the Bill ( 12 chapters)
• Chapter 1 : Definitions and purpose
• Chapter 2 : Application provisions
• Chapter 3 : Principles and processing of information
• Chapter 4 : Exemptions
• Chapter 5 : Information Protection Regulator
• Chapter 6 : Notification and prior investigation
21. Table of content of the Bill ( contd)
• Chapter 7 : Codes of conduct
• Chapter 8 : Unsolicited electronic communications
• Chapter 9 : Trans-border information flows
• Chapter 10 : Enforcement
• Chapter 11 : Offences and penalties
• Chapter 12 : General provisions