![Digital Content Ownership
• Should the subject of the digital content own
the own digital content?
“What are these people going to do with that data?
They’re going to target you with an ad which makes
you feel a bit queasy. Targeted adverts are not the
future.”
Sir Tim Berners-Lee
in The Guardian
“If you give [people] the ability to see how [data is]
used and you ban its misuse then people are much
more happy to open up to their data being used.”
Sir Tim Berners-Lee
in The Guardian](https://image.slidesharecdn.com/dataprotectionriskmanagementmarketingmixpriachetty-141017035458-conversion-gate02/85/Data-Protection-Risk-Management-12-320.jpg)
Data Protection & Risk Management
- 1. DATA PROTECTION AND RISK MITIGATION Understanding Data Protection Risks and the Law PRIA CHETTY ENDCODER/ ENDCODE.ORG
- 2. CONTEXT: POPI Priority Issues IT systems and business tools (enterprise data, (know your) customer data, profiling, analytics, relationship management, financial, health ) Records management policies (creation, retention and destruction of records) Digital content ownership (users: personal data and intellectual property, rights and obligations) Database ownership(source of data, use of data, rights and obligations) Apps ownership (generation of user data: personal data and intellectual property, rights and obligations ) Young people (campaigns involving young people: special treatment of young people) Recommendations
- 4. POPI: Priority Issues • Getting Serious about PoPI • Identification of Personal Data impacted and exempted • Identification of Business Systems impacted • Identification of Business Processes impacted • Information Security (Risk and Incident Management) • Identification of (Vital) Records • Classification of Records • Personal Information and Intellectual Property • Technological Innovation and Privacy
- 5. POPI and Advertising and Marketing • Know Your Customer • Know Your Channel • Know Your Platform • Risks associated with Digital Opportunities • Risks associated with Innovation Opportunities • Data Risks Management: Privacy and Intellectual Property (incl. copyright), Information Security and Records Management
- 6. IT / IS systems and business tools • Accountability Principle (s8 POPI) • Responsible Party to process PI in satisfaction of conditions of PoPI The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself. Section 8 The Protection of Personal Information Act 4 of 2013 • Processing Limitation (Condition 2 PoPI) and Further Processing for compatible purposes (Condition 4) • Quality of Information (Condition 5 of PoPI)
- 7. IT / IS systems and business tools • Security Safeguards • Security measures on integrity and confidentiality of personal information (s19 of PoPI) • Data under my control has been breached, now what? • Notification to Data Subject (s22 POPI) • Notification to Information Regulator (s22 POPI) • Unauthorised access to data is a crime A person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence. A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective is guilty of an offence Section 86 (1) and (2) Electronic Communications and Transactions Act 25 of 2002
- 8. IT systems and the Cloud Information processed by Operator or person acting under authority Security measures regarding information processed by operator Cross-border transfer policy 5 Conditions of Cross-border Transfer (S72 POPI) • The third party who receives the information is subject to a law, binding corporate rules or agreement which provide an adequate level of protection that effectively upholds the principles for processing of information that are similar to those in POPI, and includes provisions that are similar to POPI in relation to the further transfer of personal information from the recipient to third parties in a foreign country; • The person consents to the transfer; • The transfer is necessary for the performance of a contract between you and the person, or for pre-contractual measures taken at the request of the person whose information is being transferred; • The transfer is necessary for the conclusion or performance of a contract between you and a third party that is in the interest of the person; or • The transfer is for the benefit of the person whose information is collected, and it is not reasonably practical to obtain the consent of the person and, if it were reasonably practical to obtain such consent, the data subject would likely give it.
- 9. Records Management Policies • Accountability Principle • Responsible Party to protect integrity of PI (s8 POPI) • Outdated information • Restriction on records (s14 POPI) • Openness • Documentation (s17 • Access to Personal Information (s23 of PoPI) • Accuracy & Correction of information • Restriction of Records (s14 POPI) • Right to correct PI (s24 POPI) A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. Section 16 The Protection of Personal Information Act 4 of 2013 • De-identification/Deletion of information • Exclusion (s6 POPI) • As soon as no longer authorised to have PI (s14 POPI)
- 10. Records Management Policies • Losing personal information • Notification to Data Subject & Regulator (s22 POPI) • International Best Practices for records management • European Directive on Data Protection • Right to Access Information Records • Promotion of Access to Information Act 2 of 2000 (PAIA) • Data Subject participation (s23 POPI)
- 11. Digital Content Ownership Who Owns Digital Content • Do you own your own digital content? “There are not yet statutory laws around ownership of virtual goods, nor is there case law.” The Guardian “In most cases you are effectively leasing the content, not buying it.” The Guardian "You will not transfer your account to anyone without first getting our written permission" Facebook's terms and conditions
- 12. Digital Content Ownership • Should the subject of the digital content own the own digital content? “What are these people going to do with that data? They’re going to target you with an ad which makes you feel a bit queasy. Targeted adverts are not the future.” Sir Tim Berners-Lee in The Guardian “If you give [people] the ability to see how [data is] used and you ban its misuse then people are much more happy to open up to their data being used.” Sir Tim Berners-Lee in The Guardian
- 13. Database Ownership Databases & Copyright • Definition of ‘literary work’ in Copyright Act 98 of 1978 includes compilations stored or embodied in a computer or medium used with a computer (s1) • Originality in selection or arrangement • Labour & Skill • Owner of copyright to database has exclusive rights Databases & POPI • Databases of personal information fall under POPI and must be protected by the Responsible Party • Directories (s70 POPI)
- 15. Apps Ownership Apps & Copyright • An App is a computer program “computer program” means a set of instructions fixed or stored in any manner and which, when used directly or indirectly in a computer, directs its operation to bring about a result” Section 1 The Copyright Act 98 of 1978 • Computer programs are copyright protected (not patantable) “Anything which consists of (amongst others) a computer program shall not be an invention for the purposes of this Act” Section 25(2) The Patents Act 57 of 1978
- 16. App Ownership • Data Protection for Apps • Owners of App are responsible for protection of data collected • Think of all of the information an App can collect about you • Health & sport monitoring apps • Medical apps • Messaging apps
- 17. Younge People & Data Protection https://www.flickr.com/photos/malias/
- 18. Younge People & Data Protection • POPI – ‘Competent Person’ • Protection of Personal information of children by Responsible Party A responsible party may, subject to section 35, not process personal information concerning a child. Section 34 The Protection of Personal Information Act 4 of 2013 • Exceptions (s35 POPI) • Consent from the competent person • Necessary for establishment, exercise or defence of a right or obligation in law • Necessary to comply with an obligation of international public law • historical, statistical or research purposes
- 19. Recommendations • Appointment of Information Officer: Enterprise • Appointment of a Risk and Compliance Manager: Agencies • PoPI Audit (Client) PoPI Audit (Project) • Intellectual Property Audit • Information Security Audit • Privacy Policy • Information Security Policy • Intellectual Property Policy • Innovation Management Different rules for different channels, platforms, data sources and applications
- 20. Pria Chetty Pria.chetty@endcode.org endcode.org THANKS, QUESTIONS?
- 21. References • http://ico.org.uk/for_organisations/data_protection/security_measures) • http://www.theguardian.com/money/2012/sep/03/do-you-own-your-digital-content • http://www.theguardian.com/technology/2014/oct/08/sir-tim-berners-lee-speaks-out-on-data-ownership? CMP=ema_827 • http://www.bizcommunity.com/Article/75/542/98352.html • http://ico.org.uk/Youth
Editor's Notes
- #2: As technology legal advisors considering social media law and its impact on businesses, we’re particularly interested in the point at which conversation becomes publication. The very act of conversing online equates to publication which in the legal realm introduces a host of rights and obligations. Of even greater legal importance is the content that makes up that conversation and the implications it has for the creator, compiler, the poster, the hoster, the storer and the recipient of that content. In short, each link in what the law regards as “the chain of publication” carries legal implications.