
Privacy Presentation - 17 Jun 10


Page 1: Privacy Presentation - 17 Jun 10

RISK & COMPLIANCE

INFORMATION PROTECTION ADVISORY SERVICES

ISACA SA KZN Chapter Meeting
Introduction to the Protection of Personal Information Bill, 2009

17 June 2010

Page 2: Privacy Presentation - 17 Jun 10

What will we be discussing today?

- Why is information privacy important?
- Are there any information protection regulatory requirements currently applicable in SA?
- What is the PPI Bill about?
- What is personal information?
- What should organisations be doing about the PPI Bill?

Page 3: Privacy Presentation - 17 Jun 10

Privacy: What is it all about?

Privacy is: The right of everyone to be left alone. The ability to preserve confidentiality, anonymity and solitude. It includes the right not to have the privacy of one’s communications infringed.

Information privacy is: The handling and protection of personal information that is processed in the course of an organisation’s everyday activities.

Personal information is: Any information about an individual that could be used to identify that person. Specific examples are listed in regulation/standards, e.g. PPI Bill, Draft ISO 29100.

Page 4: Privacy Presentation - 17 Jun 10

Why bother about privacy?

How much do THEY know about you…

[Embedded video: Privacy - Order Pizza.swf]

Page 5: Privacy Presentation - 17 Jun 10

Seriously… why bother about Privacy?

- Increased global attention – EU Directive – adequacy assurances – business impact
- Public image and reputation: privacy incidents
  - SA: Zurich notification letters – over 600 000 – resource and reputational impact
  - UK: HSBC fined £3.2 mill (R38 mill) for data loss – reports in Business Day – global exposure
  - Germany: Deutsche Bahn AG fined €1.1mil (R11.5mil) for violation of data protection law
- Fines and lawsuits (incl. class action, aggravated damages)
  - UK: ICO announces initial penalties of £500 000 (R6 mill) for non-compliance even if no loss/damage
  - USA: HIPAA announces fines of up to $1.5mil (R11mil)
- Citizen expectations – transparency and accountability – trust is non-negotiable
- Contractual obligations
- Cross border data transfers

Presenter notes: The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities. HIPAA is the Health Insurance Portability and Accountability Act.
Page 6: Privacy Presentation - 17 Jun 10

Information Protection Regulatory Landscape (South Africa)

- The Constitution, Section 14
- Code of Banking Practice
- FAIS
- RICA
- Banks Act
- ECTA
- King III
- Consumer Protection Act
- PAIA
- FICA
- National Credit Act
- PPI (???)

Page 7: Privacy Presentation - 17 Jun 10

Summary of key information protection legislation

- Right to privacy & right of access to information – Constitution
- Security safeguards – ECTA (and PPI Bill)
- Information classification – PAIA (and PPI Bill)
- Document retention and archiving – ECTA, RICA (and PPI Bill)
- Information privacy – processing of personal information – PPI Bill
- E-commerce and electronic contracting – ECTA
- Monitoring and intercepting of communication (e.g. emails) – RICA
- Good corporate governance – protect information as an important business asset, including PI – King III

Page 8: Privacy Presentation - 17 Jun 10

The Protection of Personal Information Bill, 2009

The Bill requires ‘processors’ of personal information to comply with eight core principles:
1 Accountability
2 Processing Limitation
3 Purpose Specification
4 Further Processing Limitation
5 Information Quality
6 Openness
7 Security Safeguards
8 Data Subject Participation

The official plan:

The reality: Late July, August, September?
Page 9: Privacy Presentation - 17 Jun 10

What is personal information (PI)?

“… information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to–

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
(d) the blood type or any other biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person…”

Page 10: Privacy Presentation - 17 Jun 10


Draft ISO 29100 – Examples of PI – Unique v Linkable

Page 11: Privacy Presentation - 17 Jun 10

Special personal information

May not be processed except in specific circumstances:

- Race
- Children
- Trade union membership
- Health or sexual life
- Criminal behaviour
- Political persuasion
- Religious or philosophical beliefs

Page 12: Privacy Presentation - 17 Jun 10

The Eight Principles in the PPI Bill

- Accountability
- Processing Limitation
- Purpose Specification
- Further Processing Limitation
- Information Quality
- Openness
- Security Safeguards
- Data Subject Participation

Page 13: Privacy Presentation - 17 Jun 10

Principle 7: Security Safeguards

Reasonable measures:
- Risk identification – internal & external
- Implement controls against risks
- Periodically monitor control effectiveness
- Update controls where needed

Breach notification:
- Data subject
- Regulator
- Reasonable time
- Contents of notification

Page 14: Privacy Presentation - 17 Jun 10

Principle 7: Security Safeguards (cont…)

Information security & IT governance standards & practices:
- ISO 27001, ISO 27002, Draft ISO 29100
- CoBIT, ITIL, BS 10012
- King III, PCI-DSS

Page 15: Privacy Presentation - 17 Jun 10

Principle 7: Security Safeguards (cont…)

Third parties:
- Confidentiality
- Contractual arrangements
- Security requirements
- Cross border transfers

Page 16: Privacy Presentation - 17 Jun 10

Applying Principle 1: Accountability

- Does your organisation currently have an individual who is accountable for overall information protection?
- Does your organisation currently designate specific individuals to monitor compliance with information protection standards within each business area?
- Does your organisation currently have a privacy policy?
- Does your organisation currently have document retention and access to information policies?
- How often does your organisation conduct training or awareness sessions for employees on information protection and/or security?
- Are you aware of any information breaches that occurred within your organisation during the past year?

Page 17: Privacy Presentation - 17 Jun 10

Applying Principle 2: Processing Limitation

- What are the different ways in which your organisation processes personal information?
- What categories of personal information does your organisation process?
- What are the different purposes for which your organisation processes these different categories of personal information?
- How does your organisation assess whether the type of personal information is adequate for, and relevant to, the purpose for which it is collected?
- Does your organisation have procedures in place for de-identifying personal information to ensure minimum disclosure?
- How does your organisation obtain the consent of individuals before processing their personal information?

Page 18: Privacy Presentation - 17 Jun 10

Applying Principle 3: Purpose Specification

- Does your organisation classify personal information in terms of the purposes for which it is processed?
- How and when does your organisation inform relevant persons about the specific purposes for which their personal information is required? For example, consider updating of application forms, call centre scripts, employee on-boarding forms etc.
- Does your organisation clearly identify the names and categories of all people/organisations to whom the information will be supplied?
- Does your organisation have a document retention policy and does the policy provide for the retention of records containing personal information?
- What is your organisation’s process for destroying and/or de-identifying records at the end of the retention period?
- Does your organisation inform relevant persons about the duration for which the records will be retained and how these records will be destroyed at the end of the retention period?

Page 19: Privacy Presentation - 17 Jun 10

Applying Principle 4: Further Processing Limitation

- Does your organisation process personal information for any other purpose except the identified purposes that are disclosed to the individual concerned?
- What type of personal information does your organisation generally subject to further processing?
- How does this further processing affect the individual to whom the information relates, i.e. is it likely to benefit/prejudice the individual?
- Is the personal information obtained directly from the individual concerned or from other sources, e.g. third parties, marketing databases, internal leads?
- Is the further processing required in terms of any contractual obligation between your organisation and the individual concerned, or a third party?
- When and how does your organisation inform the individual concerned when personal information is used for a purpose other than originally disclosed?

Page 20: Privacy Presentation - 17 Jun 10

Applying Principle 5: Information Quality

- Does your organisation have a process for checking the accuracy and completeness of records containing personal information?
- Does your organisation have a process to deal with complaints relating to the timeliness and accuracy of personal information?
- Does your organisation provide the opportunity to individuals to periodically verify and update their personal information?
- How and when are individuals made aware of these processes?
- Does your organisation have a process for monitoring and tracking updates to personal information?
- Who is responsible in your organisation for ensuring that records containing personal information remain relevant, accurate and up-to-date?

Page 21: Privacy Presentation - 17 Jun 10

Applying Principle 6: Openness

- Does your organisation have a formal process for notifying individuals before processing personal information?
- Does your organisation have a formal process for notifying the Regulator before processing personal information? (after enactment only)
- Do your notifications contain the specific information required in clause 17?
- Has your organisation compiled a manual and made it available in terms of the Promotion of Access to Information Act?
- Who in your organisation is responsible for liaising with the Regulator in terms of the Promotion of Access to Information Act?
- Does your organisation use personal information for historical, statistical or research purposes?

Page 22: Privacy Presentation - 17 Jun 10

Applying Principle 7: Security Safeguards

- Does your organisation’s risk management strategy cover risks associated with personal information?
- Does your organisation have an information security policy and does the policy make specific reference to personal information?
- Does your organisation limit the number and categories of employees who have access to personal information?
- Does your organisation share personal information with any third parties and are you aware of all your third parties?
- Does your organisation have an incident management strategy and does this deal specifically with personal information breaches?
- Does your organisation have a process for notifying affected individuals about information breaches?

Page 23: Privacy Presentation - 17 Jun 10

Applying Principle 8: Data Subject Participation

- Does your organisation have mechanisms for individuals to access and amend their personal information?
- How often does your organisation communicate with employees and customers about updating their personal information?
- Does your organisation conduct periodic assessments on the accuracy and validity of personal information contained in your databases?
- Does your organisation have a process for dealing with requests for corrections to personal information?
- Does your organisation have a process for informing third parties of updates, corrections or deletions of personal information?
- Does your organisation charge any fees for requests to access records containing personal information?

Page 24: Privacy Presentation - 17 Jun 10

Implications of the Bill – Multi-disciplinary approach to compliance

- Governance: Assigning of overall accountability for compliance with the Bill – not where it sits, but who?
- Information management: Classification, retention and security of information
- Human resources: Collection and processing of employee personal information – identify sources, purposes, information flows
- Customer relations: Collection and processing of customer personal information – identify sources, purposes, information flows
- Marketing: Restrictions on direct marketing, product leads and maintenance of opt-out registers/“do-not-call” lists
- Contract management: Identification and management of third party processors – accountability remains with you
- International transacting: Restrictions on cross-border transfers – require assurance of adequacy
- Training and awareness: Embedding a culture of information protection throughout the organisation

Page 25: Privacy Presentation - 17 Jun 10

Costs and Enforcement

Implementation costs
- Systems cost estimations: R150 - R200 million
- Training cost estimations: R 80 000 p.a.
- Time: 3 - 5 year roll out for full compliance

The Regulator
- Information Protection Regulator (IPR)
- Start-up budget – R80million

Non-compliance costs
- Regulatory fines
- Ten year prison sentence
- Civil litigation costs
- Aggravated damage awards
- Regulatory audits
- Reputational damage
Page 26: Privacy Presentation - 17 Jun 10

Don’t get caught… zzzzzzzz… huh, huh… what… DUH?

Page 27: Privacy Presentation - 17 Jun 10

Case Study Findings

- Client takes 6 months to identify third parties
- Identified 16 000 third parties
- Gap assessment alone costs R2 million – takes 12 months
- Remediation planned for up to 18 months
- Number of business units affected: 37
- Group-wide gaps identified: 92
- Project team consisted of 10 internal client employees and 11 consultants

Page 28: Privacy Presentation - 17 Jun 10

What Local Organisations Are Doing

- Conducting privacy gap analyses to identify control weaknesses
- Assigning responsibility – defining role profiles – appointing Information Protection Officers
- Embarking on remediation programmes – addressing control weaknesses – attaining a state of readiness to comply
- Assessing cross border data transfers to ensure an adequate level of protection
- Developing and updating privacy policies and procedures
- Implementing employee and customer information protection awareness programmes
- Auditing third party processors
- Updating third party contracts

Page 29: Privacy Presentation - 17 Jun 10

Global Privacy Experience: Success Factors

- Assign responsibilities – “privacy governance”
- Multi-disciplinary and process-based approach
- Privacy impact assessments to prioritise and develop action plans
- Determine information flows, information owners, classify information
- Effective policies and processes: retention, incident management, complaints
- Privacy awareness: over-communicating / training is not possible
- Ensure privacy compliance in systems, processes and at third parties

Page 30: Privacy Presentation - 17 Jun 10

Remember … every organisation is unique!

[Figure: world map with regional labels – Africa, India, America]

Page 31: Privacy Presentation - 17 Jun 10

Achieving compliance: To-do-list

By whom?
- Privacy risk and impact assessments
- Designing and implementing privacy governance frameworks
- Information Protection Officer role profile
- Organisational culture – awareness and training

Page 32: Privacy Presentation - 17 Jun 10

Achieving compliance: To-do-list (cont…)

By whom?
- Information management processes – document retention, information classification
- Compliance risk management plans
- Policies, disclaimers, contract clauses, website terms and conditions, SLAs
- Incident response and breach notification

Page 33: Privacy Presentation - 17 Jun 10


How many boxes did you tick?

Page 34: Privacy Presentation - 17 Jun 10

Other Questions To Ask Your Organisation

- What personal information are we processing?
- Do we obtain explicit consent for the processing of personal information on our application forms, contracts, online or telephonically?
- Have our customers given their express consent for all the purposes for which we use their information (e.g. marketing, cross selling in group, third parties, acquisition transfer)?
- Are we sure that customer or employee information that is processed by third parties is done so in accordance with the privacy principles (e.g. secure, accurate, up to date, only for agreed purpose)?
- Do our contracts with employees, third parties and customers include a privacy clause?
- Are our employees aware of how to protect our customer information in accordance with the privacy principles?
- Do we have a breach and notification procedure for personal information breaches?
- Do we ensure that an adequate level of protection is in place and agreed between parties when transferring personal information across the South African border?
- Do we provide our customers with means to regularly access and verify their personal information?
- Do we destroy personal information when it is no longer required and in accordance with specific legislative requirements? How?

Page 35: Privacy Presentation - 17 Jun 10


Proposed Roadmap: An integrated plan for achieving sustainable privacy compliance

Page 36: Privacy Presentation - 17 Jun 10

Privacy Resources

- KPMG’s Global Privacy Knowledge Base – www.kpmg.com/privacyinstitute
- ISO/SABS – Privacy Working Group 71F –
- ISG Africa – Privacy Special Interest Group – www.isgafrica.org/
- IAPP/CIPP certification – www.privacyassociation.org/

E-mail me!!!

Page 37: Privacy Presentation - 17 Jun 10


Page 38: Privacy Presentation - 17 Jun 10


Questions

Page 39: Privacy Presentation - 17 Jun 10

Presenter’s contact details
Farzana Badat
Information Protection Advisory Services
KPMG Services (Pty) Ltd
+ 27 (0) 11 647 [email protected]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2010 KPMG South Africa, the member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in South Africa.