Upload
larry-roston
View
223
Download
6
Embed Size (px)
Citation preview
ONLINE PRIVACY ONLINE PRIVACY & DATA & DATA
PROTECTION PROTECTION
VERINE ETSEBETHVERINE ETSEBETH
INTRODUCTION
TRADITIONAL VERSUS ONLINE DATA PROTECTION
“We leave data everywhere we go”
“What happens to our data happens to ourselves”
Who controls our data controls our lives”
CHALLENGES FACING ONLINE DATA PROTECTION
INTERNATIONAL LEGISLATIVE DEVELOPMENTS IN RESPONSE TO ONLINE PRIVACY CONCERNS Individual country response:
1. EU 2. UK 3. CANADA 4. AUSTRALIA 5. USA
ESSENTIAL MEASURES INTRODUCED BY COUNTRIES:1. Consent requirement mechanism
2. Access requirement mechanism
3. Onward transfer provisions
4. Notice requirement mechanism
5. Information security mechanism
6. Spam regulation
importance of online privacy physical world privacy vs. online privacy past – personal information kept under lock & key in
offices now – electronically available, anywhere, anytime,
anyplace
Problem (1) electronic data is easily transferable (2) businesses share information in-discriminatorily
Solution to the problem = Legislature introduced PROTECTION OF PERSONAL
INFORMATION BILL (PPI Bill)
Natural persons &
Juristic persons
any individualindividual
any business entitybusiness entity For example: Close Corporations Private & Public Companies Partnerships Businesses that have been incorporated
personal information
information about an identifiable person – e.g.:
gender, religion, race, etc
fingerprints, blood type (DNA)
medical records
data subject the person who provides information about
himself/herself
data controller the person who collects, processes, stores and
uses information
third party person to whom data is disclosed
SA does not have separate legislation dealing exclusively with privacy protection
Applicable law is fragmented
Mirrors the EU Data Protection Directive
The data controller must disclose to data subject the purpose(s) for which it is going to use the collected information Purpose must be stated with relative degree of certainty Purpose may not be defined in general, vague terms
Before the data controller will be entitled to collect, use or process any personal information, it must obtain the prior written consent from the data subject to do so Consent requirement = key feature of PPI Bill Without consent no data that might have been
collected may be used in any manner Unlawful usage can result in huge fines &
possibility of imprisonment
Data controller must ensure that data which is collected is accurate, current and up-to-dateTwo token identification generally required
in SA
When collecting, using and/or processing the personal information the data controller must at all relevant times inform the data subject of his/her rights This would entail informing the data subject
EXACTLY which statutes protect him/her & what remedies are available to him/her if they feel their rights have been violated
A data controller may not retain the personal information collected for any period longer than is necessary for the stated purpose
The period for which the data controller decides to retain the information must therefore be reasonable & justifiable.
KEY QUESTION = can you motivate why you are still retaining the data collected to a court of law?
Position in America
• A data controller must destroy any collected information that is no longer needed or used by them.
•Destruction ≠ deletion
8. CROSS-BORDER TRANSFER OF INFO
data controller must take adequate security measures to protect the confidentiality, integrity and availability of the information (cia)
confidentiality: no unauthorised persons should be permitted to view the information encryption and cryptography
integrity: no unauthorised person may alter the information encryption and digital signatures
availability: information must be readily available on demand
digital signatures & pki
any questions???any questions???