Description of the Role of Information Officers Course

OVERVIEW

The Protection of Personal Information Act requires that the heads of public bodies and CEO’s of private bodies register with the Information Regulator the details of the postal and street address, phone and fax number and, if available, electronic mail address of their Information officers and any Deputy Information Officers so that data subjects and the Information Regulator may contact these individuals regarding access to information and compliance with the conditions for lawful processing of personal information set out in the Protection of Personal Information Act.

The purpose of this seminar is to assist Information Officers and Deputy Information Officers understand their role and responsibilities in terms the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act, including the extended duties and responsibilities contained in the Regulations issued by the Information Regulator.

It is the responsibility of the “Information Officer” to encourage the organisation’s responsible parties to process personal information lawfully and in a reasonable manner that does not infringe the constitutional rights of individuals to privacy. Processing of personal information must comply with the eight conditions imposed by the Protection of Personal Information Act. The Information Regulator has extended the responsibilities of the Information Officer to include ensuring a Compliance Framework is developed, implemented and monitored. 

SEMINAR OBJECTIVES

Participants will receive an overview of the POPI Act and obtain a specific understanding of the role and responsibilities of the “Information Officer”.

On completion of this seminar, participants will be able to:

• Articulate the significance of the Protection of Personal Information Act
• Demonstrate an understanding of the duties and responsibilities of information officers
• Describe the role, responsibilities and legal obligations of the responsible parties.
• Describe the roles and the responsibilities of the other parties concerned about the processing of personal information
• Develop and implement a Compliance Framework
• Explain the conditions for the lawful processing of personal information
• Communicate the conditions for lawful processing personal information contained therein.

SEMINAR OUTLINE

Participants will learn through discussion and practical examples about the role of an Information Officer, the requirements of the Promotion of Access to Information Act and the Protection of Personal Information Act. Participants will discuss the issues that an Information Officer is expected to deal with in the course of discharging his/her responsibilities.

This seminar includes topics about:

• Registering Information Officers with the Information Regulator
• The duties and responsibilities of the Information Officer
• Designation and delegation to Deputy Information Officers
• Implications of the Companies Act 2008 for Information Officers
• How to differentiate between personal information, special personal information and other data
• Important content of the PAIA manual
• The preparations required prior to updating the PAIA information manual about the processing of personal information
• PAIA manual exemptions
• Availability of the PAIA manual
• Guidance available from the Information Regulator
• Documentation to be prepared prior to the processing of personal information
• Processing details to be maintained in the PAIA manual
• Records available in accordance with other legislation
• The Conditions for the lawful processing of personal information
• Implications of the Conditions for lawful processing of personal information for business activities
• Assistance that can be expected from the Information Regulator
• Working with the Information Regulator to conduct investigations
• Dealing with requests from Data Subjects
• Ensuring compliance with the provisions of the POPI Act
• Making use of a Compliance Framework
• Handling requests for access to information
• Receipt of complaints by information officers
• Informing information officers prior to pre-investigation procedures
• Requests to the Regulator by Information Officers to make an Assessment in the manner prescribed of whether the body complies with the provisions of the Act insofar as its policies and procedures are concerned
• Information Notice served on an Information Officer
• Enforcement Notice served on an Information Officer
• Non-compliance with an Enforcement Notice by an information officer
• Applications to Court regarding decisions of information officers
• Examples from industry – local and international
• An Action Plan for Information Officers
• The job description of an information officer.

Description of the Complying with the Act Course

OVERVIEW

The Protection of Personal Information Act has been finalised. All public and private bodies are required to record their processing of personal information in their PAIA Information Manual prior to actually processing it.

All public and private bodies are required to ensure that the processing of personal information is lawful and that personal information in their possession is always secure. Failure to do so will have serious consequences and may result in criminal proceedings and civil claims for damages.

The Protection of Personal Information Act specifies eight conditions for the lawful processing of personal information. Regardless of whether the organisation is a large corporate, government department, school or research organisation, it will have to ensure that the processing of personal information is lawful and all personal data in its possession is properly acquired, secured and destroyed when obsolete.

SEMINAR OBJECTIVES

Participants will obtain an understanding of the legislative requirements for the processing of personal Information. On completion of this seminar, participants will be able to:

• Demonstrate an understanding of the requirements of the Protection of Personal Information Act
• Be able to communicate the key aspects of the Protection of Personal Information Act
• Articulate the activities necessary to address the legal requirements for the Protection of Personal Information
• Clarify the roles and responsibilities of all parties required to be involved in the protection of personal information
• Develop a compliance framework for the protection of personal information
• Update the PAIA information manual
• Perform a privacy impact assessment
• Manage the privacy initiative in their organisation.

SEMINAR OUTLINE

Participants will learn through discussion and practical examples how to prepare for and address the organisational, procedural, technical and legal requirements of the legislation for the Protection of Personal Information.

This seminar includes topics about:

• Overview and key components of the Protection of Personal Information Act
• Accountability for the processing of personal information
• Conditions for lawful processing of personal information
• Identifying personal information and the category of special personal information
• Processing that is subject to prior authorisations
• Trans-border exchanges of personal data
• Developing a Privacy Policy and educating staff
• Conducting a Privacy Impact Assessment
• Contracting with Operators and verifying compliance
• Developing a compliance framework
• Building capability to manage Privacy
• Privacy by Design
• Managing information throughout its life-cycle
• The responsibilities of the CEO, the appointed “responsible parties” and appointed “information officer”
• Records to be maintained in the PAIA information manuals regarding the processing of personal information
• Handling requests for information and complaints from data subjects
• The role and responsibilities of the Information Officer
• The role of the Information Regulator
• Assessments undertaken by the Information Regulator
• Civil remedies, enforcement and criminal offences
• The information security requirements
• The need for records management and a legal register
• Maintaining the information quality of personal data
• Avoiding secondary use and unlawful processing
• Developing an Action Plan to address the requirements for the lawful processing of personal information.

Description of the Obligations of responsible Parties Course

OVERVIEW

The Protection of Personal Information Act has been finalised. Heads of public bodies, CEO’s of private bodies and the business leaders identified as “responsible parties” who control the purpose and means for processing information are required to ensure compliance with the conditions of lawfully processing personal information set out in the Act.

Business leaders and information officers who fail to fulfil their obligations defined in this Act may be charged with a criminal offence and face civil claims for damages.

It is the responsibility of the “Responsible Parties” identified by the CEO and listed in the PAIA to ensure that personal information is processed lawfully and in a reasonable manner that does not infringe the constitutional rights of individuals to privacy. Processing of personal information must comply with the obligations imposed by law and this processing must be necessary for legitimate interests of the body.

SEMINAR OBJECTIVES

Participants will obtain a general understanding of the legal obligations placed on “Responsible Parties”. On completion of this seminar, participants will be able to:

• Articulate the requirements of the Protection of Personal Information Act
• Demonstrate an understanding of the conditions for the lawful processing of personal information
• Describe the role, responsibilities and legal obligations of the responsible parties
• Describe the roles and the responsibilities of the other parties concerned about the processing of personal information
• Communicate the design of a suitable compliance framework
• Identify the effort required to meet the requirements of the Protection of Personal Information Act and the conditions for lawful processing personal information contained therein.

SEMINAR OUTLINE

Participants will learn through discussion and practical examples how to prepare for and address the obligations placed on responsible parties by the Protection of Personal Information Act.

This seminar includes topics about:

• Recording details about Responsible Parties in the PAIA Manual
• The duties of the Responsible Party
• Implications of the Companies Act 2008
• Controlling the activities of Operators
• How to differentiate between personal and other data
• The preparations required prior to updating the PAIA information manual about the processing of personal information
• Mitigating risks
• Documentation to be prepared prior to the processing of personal information
• Processing details to be maintained in the PAIA manual
• Designing a compliance framework
• Communicating with data subjects
• Implications of the conditions for lawful processing of personal information for business activities
• Working with the Information Regulator
• Working with the Information Officer
• The role of Risk Management and Compliance
• Trans-border exchanges of personal data
• Consequences of failing to comply
• Challenges – collection, profiling, cross-marketing, unstructured data, third party processing, secondary use
• Case studies from industry – local and international
• An Action Plan to fulfil the obligations of Responsible Parties.

Description of the POPI Act Overview Course

This course provides delegates with an overview of the new Protection of Personal Information legislation and the significant obligations placed on those business leaders identified as the “responsible parties” and “information officers”. All public and private bodies will be affected by the requirements of this legislation. Various technical and organisational arrangements will be necessary.

The collection of personal information must be for a specifically defined, lawful purpose related to a function of the responsible party. The processing of data must be for a legitimate purpose. Data subjects must be aware of the collection of the data. Adequate business controls are required to maintain data integrity and information security must meet international standards. Data must be retained only for as long as necessary and the it must be destroyed.

SEMINAR OBJECTIVES

Participants will obtain an overview of the Protection of Personal Information Act and its implications. On completion of this seminar, participants will be able to: 

• Articulate the requirements of the Protection of Personal Information Act
• Demonstrate an understanding of the conditions for the lawful processing of personal information
• Identify the technical and organisational measurements necessary for protecting personal information
• Describe the various roles and the responsibilities of the personnel who should be concerned about the protection of personal information
• Identify the effort required to meet the requirements of the Protection of Personal Information Act and the conditions for lawful processing personal information contained therein.

 SEMINAR OUTLINE

Participants will learn through discussion and practical examples how to address the organisational, procedural, technical and legal requirements for the Protection of Personal Information.

This seminar includes topics about:

• Overview of the legislation for the Protection of Personal Information
• The duties of the Responsible Party and Information Officer
• The role of Risk Management and Compliance
• Working with the Regulator
• Communicating with data subjects
• The eight conditions for the lawful processing of personal information
• How to differentiate between personal and other data
• How to update the PAIA manual and what records to keep about the processing of personal information
• Identifying and mitigating privacy related risks
• Identifying the organisational and technical arrangements necessary for the protection of personal information
• Controlling the activities of Operators
• Trans-border exchanges of personal data
• Building organisational capability to manage Privacy
• Challenges from the collection, profiling, cross-marketing, unstructured data, third party processing, secondary use.