Data Protection & Risk Management
1. DATA PROTECTION AND RISK MITIGATION
Understanding Data Protection Risks and the Law
PRIA CHETTY
ENDCODER/ ENDCODE.ORG
2. CONTEXT:
POPI Priority Issues
IT systems and business tools (enterprise data, (know your) customer data, profiling, analytics, relationship management, financial, health)
Records management policies (creation, retention and destruction of records)
Digital content ownership (users: personal data and intellectual property, rights and obligations)
Database ownership (source of data, use of data, rights and obligations)
Apps ownership (generation of user data: personal data and intellectual property, rights and obligations)
Young people (campaigns involving young people: special treatment of young people)
Recommendations
4. POPI: Priority Issues
• Getting Serious about PoPI
• Identification of Personal Data impacted and exempted
• Identification of Business Systems impacted
• Identification of Business Processes impacted
• Information Security (Risk and Incident Management)
• Identification of (Vital) Records
• Classification of Records
• Personal Information and Intellectual Property
• Technological Innovation and Privacy
5. POPI and Advertising and Marketing
• Know Your Customer
• Know Your Channel
• Know Your Platform
• Risks associated with Digital Opportunities
• Risks associated with Innovation Opportunities
• Data Risks Management: Privacy and Intellectual Property (incl. copyright),
Information Security and Records Management
6. IT / IS systems and business tools
• Accountability Principle (s8 POPI)
• Responsible Party to process PI in satisfaction of conditions of PoPI
The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.
Section 8 The Protection of Personal Information Act 4 of 2013
• Processing Limitation (Condition 2 PoPI) and Further Processing for compatible
purposes (Condition 4)
• Quality of Information (Condition 5 of PoPI)
7. IT / IS systems and business tools
• Security Safeguards
• Security measures on integrity and confidentiality of personal information (s19 of PoPI)
• Data under my control has been breached, now what?
• Notification to Data Subject (s22 POPI)
• Notification to Information Regulator (s22 POPI)
• Unauthorised access to data is a crime
A person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.
A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective is guilty of an offence.
Section 86 (1) and (2) Electronic Communications and Transactions Act 25 of 2002
8. IT systems and the Cloud
Information processed by Operator or person acting under authority
Security measures regarding information processed by operator
Cross-border transfer policy
5 Conditions of Cross-border Transfer (S72 POPI)
• The third party who receives the information is subject to a law, binding corporate rules or agreement which provide an adequate level of protection that effectively upholds the principles for processing of information that are similar to those in POPI, and includes provisions that are similar to POPI in relation to the further transfer of personal information from the recipient to third parties in a foreign country;
• The person consents to the transfer;
• The transfer is necessary for the performance of a contract between you and the person, or for pre-contractual measures taken at the request of the person whose information is being transferred;
• The transfer is necessary for the conclusion or performance of a contract between you and a third party that is in the interest of the person; or
• The transfer is for the benefit of the person whose information is collected, and it is not reasonably practical to obtain the consent of the person and, if it were reasonably practical to obtain such consent, the data subject would likely give it.
9. Records Management Policies
• Accountability Principle
• Responsible Party to protect integrity of PI (s8 POPI)
• Outdated information
• Restriction on records (s14 POPI)
• Openness
• Documentation (s17)
• Access to Personal Information (s23 of PoPI)
• Accuracy & Correction of information
• Restriction of Records (s14 POPI)
• Right to correct PI (s24 POPI)
A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
Section 16 The Protection of Personal Information Act 4 of 2013
• De-identification/Deletion of information
• Exclusion (s6 POPI)
• As soon as no longer authorised to have PI (s14 POPI)
10. Records Management Policies
• Losing personal information
• Notification to Data Subject & Regulator (s22 POPI)
• International Best Practices for records management
• European Directive on Data Protection
• Right to Access Information Records
• Promotion of Access to Information Act 2 of 2000 (PAIA)
• Data Subject participation (s23 POPI)
11. Digital Content Ownership
Who Owns Digital Content
• Do you own your own digital content?
“There are not yet statutory laws around ownership of virtual goods, nor is there case law.”
The Guardian
“In most cases you are effectively leasing the content, not buying it.”
The Guardian
"You will not transfer your account to anyone without first getting our written permission"
Facebook's terms and conditions
12. Digital Content Ownership
• Should the subject of the digital content own the digital content?
“What are these people going to do with that data? They’re going to target you with an ad which makes you feel a bit queasy. Targeted adverts are not the future.”
Sir Tim Berners-Lee
in The Guardian
“If you give [people] the ability to see how [data is] used and you ban its misuse then people are much more happy to open up to their data being used.”
Sir Tim Berners-Lee
in The Guardian
13. Database Ownership
Databases & Copyright
• Definition of ‘literary work’ in Copyright Act 98 of 1978 includes compilations stored or embodied in a computer or medium used with a computer (s1)
• Originality in selection or arrangement
• Labour & Skill
• Owner of copyright to database has exclusive rights
Databases & POPI
• Databases of personal information fall under POPI and must be protected by the
Responsible Party
• Directories (s70 POPI)
15. Apps Ownership
Apps & Copyright
• An App is a computer program
“‘computer program’ means a set of instructions fixed or stored in any manner and which, when used directly or indirectly in a computer, directs its operation to bring about a result”
Section 1 The Copyright Act 98 of 1978
• Computer programs are copyright protected (not patentable)
“Anything which consists of (amongst others) a computer program shall not be an invention for the purposes of this Act”
Section 25(2) The Patents Act 57 of 1978
16. App Ownership
• Data Protection for Apps
• Owners of an App are responsible for protection of data collected
• Think of all of the information an App can collect about you
• Health & sport monitoring apps
• Medical apps
• Messaging apps
17. Young People & Data Protection
18. Young People & Data Protection
• POPI – ‘Competent Person’
• Protection of Personal information of children by Responsible Party
A responsible party may, subject to section 35, not process personal information concerning a child.
Section 34 The Protection of Personal Information Act 4 of 2013
• Exceptions (s35 POPI)
• Consent from the competent person
• Necessary for establishment, exercise or defence of a right or obligation in law
• Necessary to comply with an obligation of international public law
• Historical, statistical or research purposes
19. Recommendations
• Appointment of Information Officer: Enterprise
• Appointment of a Risk and Compliance Manager: Agencies
• PoPI Audit (Client)
• PoPI Audit (Project)
• Intellectual Property Audit
• Information Security Audit
• Privacy Policy
• Information Security Policy
• Intellectual Property Policy
• Innovation Management
Different rules for different channels, platforms, data sources and applications
As technology legal advisors considering social media law and its impact on businesses, we’re particularly interested in the point at which conversation becomes publication. The very act of conversing online equates to publication, which in the legal realm introduces a host of rights and obligations. Of even greater legal importance is the content that makes up that conversation and the implications it has for the creator, the compiler, the poster, the host, the storer and the recipient of that content. In short, each link in what the law regards as “the chain of publication” carries legal implications.