Previous legislation and regulations prior to the arrival of the Protection of Personal Information Act (POPIA) in 2013 required organisations undertaking electronic direct marketing in South Africa to provide the opportunity for recipients to unsubscribe from further communications (commonly referred to as opt-out). According to the Internet Service Providers Association (ISPA), an authoritative industry source, “this was true under section 45 of the Electronic Communications and Transactions Act (ECTA, #25 of 2002), but this will be repealed by section 69 of the POPIA once it is in force [expected to start with a transition period that comes into effect late in 2017 or early 2018].” Section 11 of the Consumer Protection Act (CPA, #68 of 2008) follows in the footsteps of the ECTA by providing that you may refuse to accept, request the discontinuation of (opt-out) or pre-emptively block direct marketing communications, and that any opt-out or pre-emptive block must be respected by marketers, have its receipt confirmed in writing, and that the exercise of these rights must be free of charge.
POPI Act definitions
POPIA defines direct marketing as approaching a data subject (which could be an individual or organisation) either in person or by mail or electronic communications, for the purpose of promoting or offering to supply goods or services to the data subject, or asking them to make a donation. Electronic communication covers a wide variety of methods, including text, voice, sound, image over an electronic network. So this covers use of all the popular methods used today and probably some we are not yet familiar with.
Records of consent and withdrawal of consent for electronic direct marketing
Section 11 of POPIA makes it clear that the Responsible Party (the body doing the direct marketing) must keep adequate records to prove informed consent has been voluntarily given. Records should also be maintained where consent has been denied or is later withdrawn. Consent may be obtained via verbal or written means. The interpretation of voluntary consent in other countries suggests poor practice is to pre-tick or pre-select opt-in choices. Rather the data subject should be presented with an open option to provide consent (e.g. an empty, not pre-ticked, box).
“Section 69 of the POPIA [Direct marketing by means of unsolicited electronic communications] places significant limitations on the circumstances in which a party may engage in direct marketing by means of unsolicited communications by requiring individuals to have either consented to the use of their personal information (opt-in) or for there to be an existing relationship between the parties. An existing relationship between the parties is itself subject to additional limitations and does not result in a freedom to make repeated advances,” says ISPA (for more on ISPA visit www.ispa.org.za).
A request for consent may only be submitted to the data subject once (section 69(2)(a)(ii)). However, it is not clear whether this “one time opportunity” applies where the data subject moves to a new or different organisation and therefore could be deemed to have a different set of marketing needs. If this is interpreted as one-time-ever, then a unique identifier for each data subject would be required to ensure compliance. It is not sufficient to ask for general consent for marketing. Section 13 requires that “personal information must be collected for a specific, explicitly defined and lawful purpose”.
Section 11(3)(b) of POPIA makes it clear that a data subject may object to any form of direct marketing, not necessarily electronic; section 11(4) clearly states once the data subject (which may be an organisation or juristic entity to use the legal term) has objected, the Responsible Party may no longer process the personal information, by implication for direct marketing, whilst by implication processing may continue for other specific purposes.
Records of consent and withdrawal of consent for non-electronic direct marketing
The rules for opt-out seem to be common and clearly stipulated, whether for electronic or traditional mail. When it comes to consent traditional mail does not merit a specific mention under opt-in. By default permission (consent) should be obtained at the first contact, which may be a first mailer. It is tricky to see how the refusal of consent can be achieved at no cost to the data subject. There also appears to be no limit to the number of mailers that can be sent before consent is denied as the “only once” clause only applies to electronic communication. In summary, some careful wording of your invitation to give consent or withdraw consent would appear to allow an unlimited number of postal mailers to be sent so long as no objection is received.
Role of the Direct Marketing Association South Africa (DMASA)
For any organisation that is engaged in direct marketing activities in South Africa it is recommended that consideration is given to adhering to the DMASA Code of Ethics and Standards of Practice. The DMASA is also known to be developing a Code of Conduct under the POPIA. The DMASA also manages the National Opt Out Database. Registering on this database will mean that individuals will not be contacted by members of the DMASA.
We are in the early days of understanding the full implications of the impact of the POPIA on direct marketing activities by whatever means. Organisations that take action now to review their policies and procedures will give themselves a competitive advantage by being better prepared to anticipate how to better address the rights of their key stakeholders, such as future and current customers, and demonstrate both legal compliance and good governance, all of which will lead to enhancement of their reputation in the marketplace.
* This article does not constitute legal advice but is based on a practical interpretation of the requirements of the POPI Act.
By Dr Peter Tobin
When legendary Canadian singer-songwriter Joni Mitchell released her hugely successful album “Clouds” in May 1969 little could she have guessed that nearly 50 years later the subject of clouds would be part of the global conversation around the protection of personal information (PI).
Her words “I’ve looked at clouds from both sides now” with the conclusion “I really don’t know clouds at all” might well apply to information officers (IOs) here in South Africa and data protection officers (DPOs) across the globe who are trying to understand how to go about selecting their cloud service providers from a security perspective.
In fact, Mitchell was prophetic in looking at multiple clouds, not just one, because that’s a reality for today’s IOs/DPOs who need to satisfy the demands of multiple stakeholders who are unlikely to be satisfied with a single cloud services supplier. Of course Mitchell has not been alone in looking at clouds closely. The European Network and Information Security Agency in 2015 launched its Cloud Certification Schemes Metaframework. “CCSM is a metaframework, which maps detailed security requirements used in the public sector to describe security objectives in existing cloud certification schemes. The goal of CCSM is to provide more transparency about certification schemes and to help customers with procurement of cloud computing services. This first version of CCSM is restricted to network and information security [NIS] requirements. It is based on 29 documents with NIS requirements from 11 countries (United Kingdom, Italy, Netherlands, Spain, Sweden, Germany, Finland, Austria, Slovakia, Greece, Denmark). It covers 27 security objectives, and maps these to 5 cloud certification schemes.” (source https://www.enisa.europa.eu/news/enisa-news/enisa-cloud-certification-schemes-metaframework). The rest of this article will take a look at just some of those 27 security objectives as an aid to helping you select your cloud services providers.
Cloud security objectives when selecting a cloud services provider
This list is the full 27 (title and brief description) in the ENISA CCSM and should give you a flavour of the potential complexity involved in evaluating your suppliers from a security perspective. Of course a full evaluation will cover a number of other areas, such as functionality, value for money and relevant experience. This list has not been prioritised to reflect the issues which you evaluate as more or less important in your specific circumstances, such as the risk appetite applicable to your organisation.
The text that follows is all sourced from the CCSM document.
- Information security policy. Cloud provider establishes and maintains an information security policy.
- Risk management. Cloud provider establishes and maintains an appropriate governance and risk management framework, to identify and address risks for the security of the cloud services.
- Security roles. Cloud provider assigns appropriate security roles and security responsibilities.
- Security in Supplier relationships. Cloud provider establishes and maintains a policy with security requirements for contracts with suppliers to ensure that dependencies on suppliers do not negatively affect security of the cloud services.
- Background checks. Cloud provider performs appropriate background checks on personnel (employees, contractors and third party users) if required for their duties and responsibilities.
- Security knowledge and training. Cloud provider verifies and ensures that personnel have sufficient security knowledge and that they are provided with regular security training.
- Personnel changes. Cloud provider establishes and maintains an appropriate process for managing changes in personnel or changes in their roles and responsibilities.
- Physical and environmental security. Cloud provider establishes and maintains policies and measures for physical and environmental security of cloud data centres.
- Security of supporting utilities. Cloud provider establishes and maintains appropriate security of supporting utilities (electricity, fuel, etc.).
- Access control to network and information systems. Cloud provider establishes and maintains appropriate policies and measures for access to cloud resources.
- Integrity of network and information systems. Cloud provider establishes and maintains the integrity of its own network, platforms and services and protects them from viruses, code injections and other malware that can alter the functionality of the systems.
- Operating procedures. Cloud provider establishes and maintains procedures for the operation of key network and information systems by personnel.
- Change management. Cloud provider establishes and maintains change management procedures for key network and information systems.
- Asset management. Cloud provider establishes and maintains asset management procedures and configuration controls for key network and information systems.
- Security incident detection and response. Cloud provider establishes and maintains procedures for detecting and responding to incidents appropriately.
- Security incident reporting. Cloud provider establishes and maintains appropriate procedures for reporting and communicating about security incidents.
- Business continuity. Cloud provider establishes and maintains contingency plans and a continuity strategy for ensuring continuity of cloud services.
- Disaster recovery capabilities. Cloud provider establishes and maintains an appropriate disaster recovery capability for restoring cloud services provided in case of natural and/or major disasters.
- Monitoring and logging policies. Cloud provider establishes and maintains systems for monitoring and logging of cloud services.
- System tests. Cloud provider establishes and maintains appropriate procedures for testing key network and information systems underpinning the cloud services.
- Security assessments. Cloud provider establishes and maintains appropriate procedures for performing security assessments of critical assets.
- Checking compliance. Cloud provider establishes and maintains a policy for checking compliance to policies and legal requirements.
- Cloud data security. Cloud provider establishes and maintains appropriate mechanisms for the protection of the customer data in the cloud service.
- Cloud interface security. Cloud provider establishes and maintains an appropriate policy for keeping the cloud services interfaces secure.
- Cloud software security. Cloud provider establishes and maintains a policy for keeping software secure.
- Cloud interoperability and portability. Cloud provider uses standards which allow customers to interface with other cloud services and/or if needed migrate to other providers offering similar services.
- Cloud monitoring and log access. Cloud provider provides customers with access to relevant transaction and performance logs so customers can investigate issues or incidents when needed.
Summary and next steps
It is recommended that you evaluate how to deploy this list of security objectives to best meet the needs of your own organisation. If you have not already, open the conversation about cloud security with your suppliers or potential suppliers. Challenge them to satisfy you in terms of their ability to meet these objectives, in particular whether they can offer one or more of the 11 certifications to which the CCSM is mapped. If they are not willing to do that it may be time to start looking for another supplier. While you are doing all that you may even enjoy listening to Joni Mitchell.
By Dr Peter Tobin
Global recognition of the importance of data privacy can be traced back to the United Nations (UN) which has a long history of promoting the right to privacy through its Human Rights treaties.
This includes article 12 of the Universal Declaration of Human Rights in 1948 and article 17 of the International Covenant on Civil and Political Rights in 1966. More recently in July 2015 the UN appointed a “Special Rapporteur on the right to privacy” to bring additional focus to the importance of data privacy. Supporting the UN is the Organisation for Economic Co-operation and Development (OECD) which in 1980 issued its “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” which were revised and re-issued in 2013, just as the POPI Act (POPIA) was gazetted in South Africa. Following the UN and OECD initiatives, nearly one hundred countries and territories have established or are developing data protection laws.
African data privacy
In Africa, the African Union (AU) Commission and the Economic Commission for Africa have spearheaded the development of the AU Convention on Cybersecurity and Personal Data Protection, which was adopted by the AU Heads of States and Governments Summit in June 2014 in Malabo, Equatorial Guinea. Eight countries had already signed the convention by July 2016 according to the AU Commission: Benin, Chad, Congo, Guinea Bissau, Mauritania, Sierra Leone, Sao Tome & Principe and Zambia. At a regional level in Africa there are also several initiatives, notably the ECOWAS Cybersecurity guidelines and the SADC Model Law on data protection, e-transactions and cybercrime. There is also the HIPSSA initiative (Harmonization of the ICT Policies in Sub-Saharan Africa) which covers 30 countries across the continent. Latest estimates show that 16 African countries have data privacy legislation, with an additional 14 countries working on legislation, leaving a balance of 24 currently having taken no action so far.
POPIA and the European Union
The POPI Act can trace its origins not just to the OECD guidelines but also to Directive 95/46/EC of the European Parliament in 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This Directive will have been completely replaced across all member states of the EU (including the United Kingdom, despite BREXIT) by May 2018 by the General Data Protection Regulation – commonly known as the GDPR. The GDPR has potentially wide-ranging implications for companies based outside the EU trading with the EU member states. Of particular interest is the following extract from the GDPR document: “The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.” This tells us two things: the faster our Information Regulator South Africa (IRSA) gets POPIA fully commenced and SA becomes a trusted trading partner in terms of data protection, the easier trade with the EU will become. The downside is that if the IRSA is ineffective, then potentially the whole country could be put at a significant disadvantage.
International trade recommendations
For those of you who trade in Africa and more broadly across the globe an understanding of data privacy legislation can be an important consideration when establishing trading relationships. This view is supported by DataGuidance, a London-based organisation that provides advice on a global basis concerning data privacy and protection through a global network of experts, including coverage of South Africa. “Our clients tell us that a clear understanding of the data privacy and protection legislation applicable to the territories and countries in which they trade can have a significant influence on the way they do business. Privacy professionals are facing a fast changing global legislative landscape and constant attention needs to be given to ensure consistent compliance with national laws” says David Longford, CEO at DataGuidance. So the key recommendation is to create and maintain awareness of privacy laws when doing business outside of SA, just as much as paying attention to the requirements of POPIA in SA.
My thanks to the Beatles for prompting the title of this article which is in part based on their August 1996 hit song “Here, there and everywhere” released as a track on the hugely successful Revolver album.
By Dr Peter Tobin
Submit queries or feedback from these articles to firstname.lastname@example.org.
The functions of the Information Regulator include:
- to provide education about the Protection of Personal Information Act, for example, giving advice to data subjects in the exercise of their rights;
- to monitor and enforce compliance with POPI;
- to consult with interested parties;
- to handle complaints;
- to conduct research and to report to Parliament;
- to issue codes of conduct and make guidelines to assist bodies to develop codes of conduct; and
- to facilitate cross-border cooperation in the enforcement of privacy laws.
The Information Regulator will have the power to conduct investigations, order publicity of data breaches, and issue administrative fines of up to R10-million.
Regulations must be promulgated under POPI, for example, including regulations setting out the cost of making a subject access request and the prescribed standards for codes of conduct.
The announcement of a commencement date. Organisations will not be liable for fines or non-compliance for a period of 12 months from the commencement date.
If you haven’t started yet, now is the time for organisations to start or ramp up their POPI implementation efforts. Our virtual privacy lawyer, POPI Counsel, can assist with your privacy law questions and provide practical guidance through your implementation process. POPI Counsel produces legal opinions for you on demand, anytime and anywhere. Contact us for more information.
The chairperson, Pansy Tlakula, full-time members, Lebogang Stroom and Johannes Weapond, and part-time members, Tana Pistorius and Sizwe Snail, have been appointed to the Information Regulator with effect from 1 December 2016 and will serve for a period of five years.
By Nerushka Bowan for www.financialinstitutionslegalsnapshot.com