Understanding privacy by design
Privacy by Design simply means that you consider data privacy issues when any new system, product, or process is designed, from the start to the end. In other words, privacy is not an after-thought, something that is considered after the system design is completed, but rather the system is designed in such a way that it leads with privacy as the default setting. It embeds privacy into the design. The resulting outcome is a system that is proactive and preventative, as opposed to reactive or remedial, in dealing with privacy issues.
Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal information is automatically protected in any given system or business practice. Little to no action is required on the part of the individual to protect their privacy, it is built into the system, by default.
The system is further designed to ensure that the security of data is protected throughout its entire lifecycle. This ensures that all data is secure from the time the data is first received, when it is processed, during the retention period and when it is destroyed at the end of the process.
Most importantly, Privacy by Design has a high regard for the interests of data subjects. It includes strong privacy defaults, appropriate notices and a user-friendly interface. It involves a system that is designed with the interests of the data subjects in mind and considers important data privacy principles, such as data subject consent, access and accuracy of personal information.
Is Privacy by Design really necessary? We believe it is. Whilst Privacy by Design is not specifically mandated in the Protection of Personal Information Act, 2013 ("POPIA"), it is compulsory in terms of the General Data Protection Regulation 2016/679 ("GDPR"), which, in certain circumstances, has extraterritorial effect. POPIA, in turn, demands accountability from persons processing personal information. Accountability includes taking all measures necessary to give effect to the processing conditions contained in POPIA. Section 109(3) of POPIA states that "when determining an appropriate fine, the Regulator must consider ... any failure to operate good policies, procedures and practices to protect personal information".
If we consider international best practice, as POPIA expressly states we must, Privacy by Design would definitely be regarded as good "procedures and practices to protect personal information". POPIA Regulation 4 further provides that an information officer must ensure that a Privacy Impact Assessment ("PIA") is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.
The first step towards Privacy by Design is therefore to conduct a proper PIA when considering any new system, service, product or process that involves personal information, and then to design a system, service or product that implements technologies and processes to mitigate the risks that were discovered during the PIA.
POPIA in brief
POPIA requires that a responsible party ensures that the eight conditions for the lawful processing of personal information are complied with. In this week's edition, we cover processing condition 3. We compare this to the relevant corresponding provision under the GDPR which is article 5(1) (b) and (e).
POPIA: processing condition 3
Personal information must be collected for a specific, explicitly defined and lawful purpose relating to the functions or activities of the organisation, of which the individual is (as a general rule) made aware.
Records of personal information may only be kept for as long as necessary for achieving the purpose for which the information was collected or subsequently processed, unless, among other things, retention of the record is required or authorised by law; the responsible party reasonably requires the record for lawful purposes related to its functions or activities; or the data subject or a competent person where the data subject is a child has consented to the retention of the record.
A responsible party must destroy or delete a record of personal information in a manner that prevents its reconstruction in an intelligible form or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record.
GDPR: articles 5(1) (b) and (e)
Personal data must:
(b) be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (the 'purpose limitation' principle); and
(e) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (the 'storage limitation' principle).
ENSpired (compliance) tip of the week
Each organisation is different and it is essential that organisations have a customised data retention policy that suits the size and type of the organisation. Organisations must also ensure that they have a lawful basis for the record retention periods set out in such a policy.
Social Engineering Scams
Following on from last week's article, this week we are focusing on social engineering and looking at phishing, spear phishing and whaling. In cybersecurity, humans are the weakest link, therefore it is no surprise that attackers exploit people's vulnerability to manipulation and use psychological tricks in order to gain information which can be used to access a network.
Phishing is the most common form of social engineering attack. A phishing scam comes in many forms but the aim of the scam is to obtain sensitive information such as login details or bank account information. A phishing attack is delivered in the form of an email, website pop-up or in an online chat, usually from a source that appears to be legitimate, which may be a bank requesting confirmation of login details or a company claiming that you have won a prize. The scam requires that you input information by either replying to an email or by following a link and inserting information on a fake website.
Phishing is usually aimed at a wide range of individuals whereas spear phishing is a targeted attack either on an organisation, a specific department within an organisation, or just one employee. The attackers usually research the targets and send an email to get the victim's attention which leads them to input sensitive information or to click on a link which then installs malware on their device.
Whaling is a sub-type of phishing and employs the same methods as phishing but the attack is aimed at a person who holds an executive position in a company such as the CEO or a financial executive.
The best defence against these attacks is educating employees. This means having policies in place and backing them up with good awareness training. Our experts can assist in putting in place an educational and entertaining training and awareness programme for your organisation.
Photography: What? Why?
We love to take pictures, all of us. From group family photos, selfies, photos of our kids, photos of our pets, food photos, photos of us exercising, to photos of nature and buildings. And in the workspace? Well there is of course the standard photo of your building, branding, workspace/workstation, stationery, view-from-your-desk, work events and corporate social responsibility events. And where do these photos go? Well, on social media of course, as well as the company intranet, and website.
In this day and age taking photos or videos is a normal and common part of life. What many fail to realise is that photos constitute a person's personal information and, in certain instances, biometric information, which is a category of special personal information. Since POPIA considers data subjects to include juristic entities, in some instances photos could constitute the personal information of that juristic entity too. As such we should treat the taking of, transfer, sharing and/or posting of photos as a processing activity of personal information under POPIA.
As can be seen, merely taking a photo of attendees at an organisation's anniversary celebration or taking photos of delegates at a conference would amount to processing of personal and/or special personal information, which means one would have to comply with the processing conditions of POPIA in dealing with such photos and, where dealing with biometric information, consent is usually required. In some cases these photos could include children (persons under the age of 18), which would place further obligations on the responsible party to comply with additional processing requirements.
Given these complexities, it becomes apparent that a photography policy which regulates how images and videos can be processed by the organisation and its employees and the parameters within which processing can take place is important. A good photography policy will include the following:
information about what photos or videos may and may not be taken;
the purpose for which these photos or videos may be taken;
how a data subject should consent and could object to their photos or videos being processed; and
who has what rights in the photos or videos.
Data philanthropy: donating data for the greater good
In this week's edition, we provide a new angle on data commercialisation: data philanthropy. The term data philanthropy describes a form of data-based collaboration where private sector companies share their data for public benefit. The first question many may ask is why would a private sector company take an asset (in this case data) and utilise it for public benefit? In the question lies the answer: the public will benefit from the sharing of such data.
The writer of this segment has had the privilege of serving on the Privacy Advisory Group of the United Nations Global Pulse for the past 5 years. The UN Global Pulse cites an example of how data can be used for the greater good as follows: "...Imagine you are CEO of that company, and you have just completed construction of a number of costly new cell towers in a region that appears to be a promising market. Unbeknownst to policy makers, many in this community are being affected by an on-going, low-level food crisis. By the time this becomes public knowledge, your new customers are no longer able to afford your services. What if it turned out that considering the data you were collecting from your customers could, if subjected to appropriate analysis, have revealed that they were in trouble months earlier?" The mobile tower company making its data available for the public good benefits both the mobile company (in that they are able to identify market trends and affordability of their products) and the public at large (in that humanitarian effort or other socioeconomic interventions can be applied to alleviate the crises identified, which in turn benefits the mobile tower company). This creates a win-win scenario for the company and the public. Although this example is hypothetical, there are a number of actual companies and organisations which have well-developed data philanthropy programmes and utilise data for the greater good (such as the UN Global Pulse (see https://www.unglobalpulse.org/privacy) and the MasterCard Foundation (see https://www.linkedin.com/pulse/data-transformative-resource-social-good-joann-stonier)).
A private sector company engaging in data philanthropy has to consider a number of issues, especially in a world where privacy is increasingly regulated. These include the donation model (e.g. a public-private partnership), data security and access rights, exploitation rights, commercial benefit of research undertaken, assurances regarding the sharing of data, impact of research activities on populations (especially vulnerable populations), protection of personal information and numerous other issues.
Notwithstanding the regulatory challenges (almost all of which can be overcome by expert data privacy law specialists), as part of a company's overall data strategy, giving consideration to putting in place a data philanthropy programme can greatly profit companies both directly and indirectly through enhancing a company's reputation. Custodians of company data are encouraged to develop such a programme.
In this section we focus on data privacy across the African continent.
This week, we look at the Republic of Mauritius. The Data Protection Act, 2004 was replaced with the Data Protection Act 2017 ("DPA") which came into effect on 15 January 2018. The DPA was introduced in order to better comply with international privacy standards. In 2009, a Data Protection Office was established with the Data Protection Commissioner being tasked with oversight. The DPA applies to controllers/processors established in Mauritius or to controllers/processors who use processing equipment in Mauritius. The Data Protection Commissioner cannot impose fines, but a court of law may impose fines of up to MUR200 000 (approximately EUR5 000) and imprisonment of up to five years.
Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the organisation, of which the data subject is (usually) made aware. Records of such personal information must (generally) not be retained any longer than is necessary for achieving such purpose.
In terms of GDPR compliance in respect of the storage limitation principle set out in article 5(e), the UK Information Commissioner's website provides the following examples:
A bank holds personal information about its customers. This includes details of each customer's address, date of birth and mother's maiden name. The bank uses this information as part of its security procedures. It is appropriate for the bank to retain this data for as long as the customer has an account with the bank. Even after the account has been closed, the bank may need to continue holding some of this information for legal or operational reasons for a further set time.
A bank may need to retain images from a CCTV system installed to prevent fraud at an ATM machine for several weeks, since a suspicious transaction may not come to light until the victim gets their bank statement. In contrast, a pub may only need to retain images from their CCTV system for a short period because incidents will come to light very quickly. However, if a crime is reported to the police, the pub will need to retain images until the police have time to collect them.
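The retention rules in POPIA processing condition 3 and the ICO examples above can be expressed as a simple retention check: a record is kept while its purpose is active, while a legal hold or consent applies, or while a defined post-purpose period runs, and is otherwise deleted or de-identified. The Python below is an added illustration, not the newsletter's or ENSafrica's own code; the categories, retention periods and sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Constructed retention schedule: how long a record may be kept AFTER the purpose
# for which it was collected has ended. Periods are illustrative, not statutory.
RETENTION_AFTER_PURPOSE: Dict[str, timedelta] = {
    "customer_security_details": timedelta(days=5 * 365),  # kept for a set time after closure
    "atm_cctv": timedelta(weeks=6),   # a suspicious transaction surfaces with the statement
    "pub_cctv": timedelta(days=7),    # incidents come to light quickly
}

# Fields that identify a person and must go when a record is de-identified.
IDENTIFYING_FIELDS = {"name", "address", "date_of_birth", "mothers_maiden_name", "image"}

@dataclass
class Record:
    record_id: str
    category: str
    data: Dict[str, str]
    purpose_ended: Optional[date] = None   # None while the purpose is still active
    legal_hold: bool = False               # retention required or authorised by law
    retention_consented: bool = False      # data subject (or competent person) consented
    de_identifiable: bool = False          # still useful (e.g. for statistics) without identifiers

def decide(rec: Record, today: date) -> Tuple[str, str]:
    """Return (action, reason); action is one of retain / de-identify / delete."""
    if rec.purpose_ended is None:
        return "retain", "purpose still active"
    if rec.legal_hold:
        return "retain", "retention required or authorised by law"
    if rec.retention_consented:
        return "retain", "data subject consented to retention"
    if rec.category not in RETENTION_AFTER_PURPOSE:
        # A category the policy does not cover must not silently default to "keep forever".
        raise KeyError(f"no retention period defined for category {rec.category!r}")
    expiry = rec.purpose_ended + RETENTION_AFTER_PURPOSE[rec.category]
    if today < expiry:
        return "retain", f"post-purpose retention period runs until {expiry.isoformat()}"
    if rec.de_identifiable:
        return "de-identify", "no longer authorised to retain; identifiers removed"
    return "delete", "no longer authorised to retain"

def apply(rec: Record, today: date) -> Optional[Record]:
    """Carry out the decision: the (possibly de-identified) record, or None once deleted."""
    action, _ = decide(rec, today)
    if action == "delete":
        return None
    if action == "de-identify":
        kept = {k: v for k, v in rec.data.items() if k not in IDENTIFYING_FIELDS}
        return Record(rec.record_id, rec.category, kept, rec.purpose_ended, de_identifiable=True)
    return rec

# Constructed sample records mirroring the ICO examples above.
TODAY = date(2019, 11, 1)
SAMPLE = [
    Record("acct-1", "customer_security_details",
           {"name": "A. Customer", "date_of_birth": "1970-01-01", "mothers_maiden_name": "X"}),
    Record("acct-2", "customer_security_details", {"name": "B. Customer", "product": "savings"},
           purpose_ended=date(2012, 6, 30), de_identifiable=True),  # closed over 5 years ago
    Record("atm-7", "atm_cctv", {"image": "<frame>"}, purpose_ended=date(2019, 10, 1)),
    Record("pub-3", "pub_cctv", {"image": "<frame>"}, purpose_ended=date(2019, 9, 1),
           legal_hold=True),                                         # crime reported to police
    Record("pub-4", "pub_cctv", {"image": "<frame>"}, purpose_ended=date(2019, 10, 20)),
]

def run(records, today) -> Dict[str, str]:
    return {r.record_id: decide(r, today)[0] for r in records}

if __name__ == "__main__":
    for rid, action in run(SAMPLE, TODAY).items():
        print(rid, action)
```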
Vacuum cleaners mapping your home and refrigerators connecting you to your soul mate
Having a smart home (a home equipped with lighting, heating and an array of electronic devices that can be controlled remotely) certainly sounds appealing; having technology do just about anything for you (and we mean anything, cue the toilet seat that heats up before you use it) is why technology is so exciting. We will not dispute that, but the truth is you do not need to be a tech-savvy smart home owner to fall into the vast number of people who are giving away very personal details about their lives by using various, seemingly innocuous, household items. The bottom line is this: if you have to log in to use a device, it is collecting your personal information. But just how much is too much? In this week's edition of Stranger Times we take a look at some very handy household gadgets that are able to gather a wealth of your personal information.
First on the list is the robot vacuum cleaner, specifically the Roomba. The early models of Roomba were fairly simple devices that would essentially flit around your living room bumping into furniture. However, recent models include simultaneous localisation and mapping technology which can map rooms to help the device clean more efficiently. Essentially the Roomba is mapping the home while it is cleaning, collecting information which many have claimed Roomba was planning to sell on to third parties. This does not necessarily mean that Roomba has bad intentions with this data; examples of how these floorplans could be used by other devices include helping smart speakers direct sound to improve the acoustics in a room, advising where to place smart lighting to compensate for the positions of windows, and aiming air conditioners to maximise airflow. Technology enabled by this data could therefore prove quite useful.
Second on the list is the smart refrigerator. The smart refrigerators on the market have a number of functionalities such as notifying you when you are running low on certain items (in some instances actually ordering these items on your behalf) or reminding you to use food while it is still fresh. However, the latest addition "Refrigerdating" is an application paired with the refrigerator which claims to pair fellow food-obsessives based on the content and appearance of their fridge. The company which has developed this functionality recommends against staging your fridge to appear more organised or sophisticated (although some might applaud the extra effort).
The moral of the story? All the privacy concerns that apply to your smartphone and computer should also apply to any other device you are using that gathers your personal information.
The point is simply to make you aware of all the different ways that your devices are collecting your data. From the seemingly simple to the obviously high tech, the devices that inhabit your home, your car, your workplace, or your coat pocket are always gathering little bits of information about you. The fact that this cloud of information about you exists out there may not be immediately harmful to you right now. But as technology improves and the risk of the data falling into the wrong hands increases, that may change. Ultimately, the focus on cybersecurity and maintaining the confidentiality of personal information must be and remain a priority for all tech companies developing everyday products, even the most mundane, such as a vacuum cleaner.
In the news
Equifax: A lawsuit has been filed against Equifax in the UK arising from a 2017 data breach where personal information of around 143 million individuals was stolen, including the personal information of UK customers. The lawsuit is a representative claim, which means that a claim can be filed for one victim but all the victims affected by the data breach may be compensated if the litigants are successful. The filing of this lawsuit follows from a landmark ruling made earlier this month which allows representative claims for data breaches in the UK.
EU: The European Court of Human Rights ("ECHR") held that the use of hidden cameras which were installed in a supermarket in order to obtain evidence of theft by employees did not violate the employees' right to privacy. The ECHR found that the use of the hidden cameras was justified in that the suspicion of theft was based on legitimate reasons and the surveillance was limited to the checkout area of the supermarket and that the duration of the surveillance did not exceed what was necessary in order to obtain evidence of theft.
Singapore: The Protection from Online Falsehoods and Manipulation Act came into effect earlier this month; it aims to stop the spread of fake news in Singapore. If the government is of the view that content on an online platform is false it will require that the platform issue corrections and remove the content. Companies that fail to comply could be liable for a fine of up to USD724 000 and individuals could be liable for a fine of up to USD43 000 and imprisonment for up to 10 years.
ENSafrica will be hosting POPIA, GDPR and Information Officer training workshops in Durban, Cape Town and Sandton. For more details and to register, please click here.
ENSafrica has a highly specialised team of privacy and cybersecurity lawyers with deep expertise and experience in assisting clients with all aspects of POPIA compliance, GDPR assistance, cybersecurity and insurance, and data commercialisation. Our unique services include the provision of a POPIA Toolkit, which contains data protection policies and other documentation which can be tailor-made for your organisation and help fast-track your organisation's POPIA compliance journey. We also provide training on awareness initiatives, risk assessments, policy and procedure implementation, and a helpful support service to Information Officers implementing POPIA.
Ridwaan Boda Executive | Technology, Media and Telecommunications +27 83 345 1119 rboda@ENSafrica.com
Era Gunning Executive | Banking and Finance +27 82 788 0827 egunning@ENSafrica.com
Wilmari Strachan Executive | Technology, Media and Telecommunications +27 82 926 8751 wstrachan@ENSafrica.com
Rakhee Dullabh Senior Associate | Technology, Media and Telecommunications +27 82 509 6565 rdullabh@ENSafrica.com
Nicole Gabryk Executive | Dispute Resolution +27 82 787 9792 ngabryk@ENSafrica.com
ENSafrica | Africa's largest law firm