Achieving Compliance with The Protection Of Personal Information Act

On our comprehensive training course, you will learn how to rapidly:

  • identify and secure the personal information you possess by addressing the top 20 technical & organisational risks;
  • deploy best practice controls relevant to your organisation to address the 8 Information Protection Principles;
  • understand the relevance of the additional provisions of the new Protection of Personal Information Act.

8 Information Protection Principles

The Act gives effect to the right to privacy by regulating the manner in which personal information may be processed, and establishes the following principles:
  1. Accountability: The responsible party must ensure compliance with the principles.
  2. Processing limitation: Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. Personal information must be collected directly from the data subject.
  3. Purpose specification: Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity.
  4. Further processing limitation: Further processing of personal information must be compatible with the purpose for which it was collected.
  5. Information quality: The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
  6. Openness: If personal information is collected, the data subject must be made aware of what is collected, the purpose for which the information is being collected, and whether the supply of the information is voluntary or mandatory.
  7. Security Safeguards: A responsible party must secure the integrity of personal information under its control by taking appropriate, reasonable technical and organisational measures.
  8. Data subject participation: A data subject has the right to confirm whether the responsible party holds personal information about the data subject, and to request the identity of all third parties who have had access to the information.

Additional Provisions include:
  • An Information Protection Regulator is established to monitor and enforce compliance with this Act
  • Compulsory notification in the media of security breaches of personal information databases
  • Information Protection Officers are responsible for encouraging compliance and for working with the Regulator in relation to investigations
  • A person convicted of an offence is liable to a fine or imprisonment for a period of up to 10 years
  • Damages may be instituted for breach of this Act whether or not there is intent or negligence
  • The responsible party must notify the Regulator of processing before commencing the processing of personal information
  • Codes of conduct may be issued by the Regulator to prescribe how the information protection principles are to be applied for a sector
  • Unsolicited electronic communication for the purpose of direct marketing via fax, email, SMS, etc. is prohibited unless the data subject consents
  • Transfers of personal information outside the Republic are prohibited unless the recipient is subject to a law that upholds the principles
  • An enforcement notice may be issued to stop specified processing of personal information
  • Assessments may be made as to whether processing of personal information is compliant
  • Information notices may be served requiring an independent auditor's report indicating compliance