Information Technology Law / Cyberlaw

When Can You Legally Record Conversations?

By | General Interest, Information Technology Law / Cyberlaw

“Big Brother is watching you.” (George Orwell)

Your smartphone lets you record just about anything, anywhere, and at any time. Your laptop and other devices can automatically record online meetings. Technology enabling voice and/or video recording is all-pervasive, providing us all with a powerful tool for keeping accurate records, resolving disputes and gathering evidence.

But it’s crucial to understand when it’s legal to start recording and when it’s not, whether you’re talking face-to-face, over the phone, or via digital platforms like WhatsApp, Zoom, Slack or Teams.

The law: What’s allowed & what’s not

The legal framework for recording conversations in South Africa is primarily governed by the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA). The Act is aimed not only at regulating “Big Brother” type government surveillance of its citizens, but also at protecting us from each other when it comes to our rights to privacy generally.

Also relevant is the Protection of Personal Information Act (POPIA) which regulates the processing of personal information. Its impact on recording conversations relates primarily to how the recorded information is handled, stored, and shared.

Here are some key points to consider:

  • Recording conversations you aren’t party to: Recording conversations between other people, to which you are not a party, is generally illegal unless explicit consent is obtained from all parties. That is because RICA contains a general prohibition on “intercepting communications” without the knowledge and consent of those involved. There are only very limited situations in which such recordings may be legal, such as under a court order or for establishing a person’s location in an emergency rescue situation.
  • Recording your own conversations: If, however, you are directly involved in the conversation, you are legally allowed to record it without consent. RICA permits you to record a communication to which you are a party, either as a direct participant or as someone in the “immediate presence” of the participants and within audible range. There is no legal obligation to inform the other participants or to obtain their consent before recording, but, as discussed below, there are often good practical reasons for doing so anyway.

    Note that specific rules apply to recordings made “in connection with the carrying on of business”. To comply with POPIA, ensure that you have a clear, lawful purpose for your recording and that you use it only for that purpose.

  • Recording public conversations: In public spaces, where there is generally no expectation of privacy, recording conversations without consent is unlikely to land you in serious trouble, but be careful what you use your recordings for. For example, a person’s image, voice, preferences or opinions are “personal information” and therefore subject to POPIA’s restrictions on use and storage. Always consider the context before recording, as there may be situations in which privacy is reasonably expected even in a public place.

What about workplace communications?

As an employer, you may need to record calls and workplace activity for security, compliance or training purposes, but tread carefully: clear and transparent communication is essential to maintain trust and to avoid disputes.

You should typically inform your employees if their communications or workplace activities are being or could be recorded. This can be done through employment contracts, policies, or direct notification. As always with our employment laws there is no room for error, so specific advice is essential!

Practical tips for recording conversations legally

If you plan to record a conversation, consider these practical guidelines to ensure you stay within legal boundaries:

  • Informing others: Even when it might not be legally necessary, informing the other parties involved that you are recording can help prevent misunderstandings and build trust. Many platforms like Teams and Zoom will by default advise all meeting participants upfront that they are being recorded. But there’s no harm in mentioning it specifically when you open the meeting, with an offer to share the recording with participants on request.

    Particularly if you think your recording might be important in a legal dispute down the line (to prove the terms of an online contract, for example), advising participants upfront of your intention to record can boost its value as evidence and make it harder for an opponent to challenge it in court.

    If your conversation is an international one, bear in mind that some jurisdictions have more stringent rules than others on the necessity for consent.

    If in doubt, take no chances: the safest course of action will always be to ask for consent.

  • Secure storage: Store recordings securely, especially if they contain sensitive information. POPIA requires that personal information be secure from unauthorised access or breaches, and that it be kept only as long as necessary for the purpose for which it was recorded.
  • Responsible use: Be mindful of how you use the recordings. Sharing or publishing recorded conversations without consent can have serious legal consequences.

There are plenty of grey areas here, so please call us if you’re in any doubt.

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

© LawDotNews

How to Safeguard Your Digital Presence: A Simple Checklist for Website Compliance

By | Business, Information Technology Law / Cyberlaw

“It’s important to remember your competitor is only one mouse click away” (Doug Warner)

Your website, social media profiles, and other online platforms play a vital role in your business strategy and in staying ahead of your competition at all times.

However, it’s not just about marketing effectively. Ensuring compliance with regulations is equally crucial, although often overlooked.

Why is Compliance Important?

Compliance ensures that your business:

  • Meets all legal requirements.
  • Reduces risks associated with user engagement.
  • Enhances your brand’s image.
  • Builds trust and loyalty with users.
  • Safeguards your reputation.
  • Prevents unnecessary costs.

A Checklist for Website Compliance

Website compliance involves adhering to various laws, regulations, and standards governing online operations and content. Here’s what it entails:

  • Legal Compliance: Your website must follow local, national, and international laws, covering online business, intellectual property, and consumer protection requirements.
  • Accessibility Compliance: Websites should be accessible to people with disabilities, as mandated by some countries’ laws.
  • Cookie Compliance: Inform users about cookies and obtain their consent before placing them on their devices, as required by many countries.
  • Privacy Compliance: Comply with privacy regulations when collecting user data, such as POPIA in South Africa and (where applicable) GDPR in the EU.
  • Security Compliance: Implement security measures such as encryption (TLS for data in transit, encryption at rest for stored user data) and secure authentication (strong password handling, multi-factor authentication, access controls) to protect user data and prevent unauthorised access.
  • Content Compliance: Ensure content doesn’t violate copyright or trademark laws.
  • Financial Compliance: Adhere to regulations for online payments and financial transactions if your website conducts such activities.
  • Advertising Compliance: Ensure ads meet advertising standards and regulations to avoid deception or violation of laws.
  • Terms of Service/Supply and Policies: Make legal documents clear, transparent, and legally sound for users to agree to.
  • Industry-Specific Compliance: Some industries have specific regulations, like healthcare websites complying with health information privacy laws.

Integrate compliance into step 1 of your website’s development

Integrate compliance into the very earliest developmental stage of your website, focusing not only on content but also design and process. This ensures that your online presence remains compliant from the outset, reducing the risk of non-compliance issues down the line.

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

© LawDotNews

Another mystery investor emerges to rescue Africrypt investors at 65c in the rand

By | Business, Criminal Law / Crime, Information Technology Law / Cyberlaw, Insolvency / Liquidation

Barely a week after a mystery ‘white knight’ offered creditors $4 million (R64 million) to bail out investors in the failed Africrypt scheme, another mystery investor has appeared with a better offer of $5 million (R80 million), equivalent to 65 cents in the rand.

The first offer made in November was also for $5 million, though only $4 million of that would go to creditors, with the remaining $1 million (R16.13 million) going to the running of the company.

This latest offer of $5 million is a simpler offer, with a timeline of seven days for acceptance, after which the ‘white knight’ will purchase and take cession of the claims.

Africrypt collapsed in April after its accounts were supposedly hacked and emptied of all funds. But it turns out this was not the first hack to have plagued the founders of Africrypt – brothers Raees and Ameer Cajee – and their investors.

As Moneyweb reported, a previous investment scheme of theirs was supposedly hacked in May 2019, causing more than a few Africrypt investors to suspect foul play. Two hacks in less than three years seemed a stretch too far for some investors, who suspect the Cajees are now using proxies to make an offer of compromise with the hope of avoiding jail time.

Read: Lightning strikes twice for Africrypt’s Cajee brothers

The latest offer of 65 cents in the rand is on investors’ deposited amount, not the current value of the ‘hacked’ bitcoin or Ethereum.

Investors who deposited into Africrypt in September 2019 would have paid about R120 000 for their bitcoin – which is today worth about R800 000.

This offer effectively means investors will be paid out less than R80 000 per bitcoin, for an asset that is worth 10 times that today.

Africrypt was run by the Johannesburg-based Cajee brothers, who solicited funds from investors by promising returns as high as 10% a day using a computerised trading algorithm.

These promises were even more outrageous than MTI’s claims of 0.5-1.5% returns a day.

MTI was placed in provisional liquidation a year after failing to pay out members’ requests for withdrawals. MTI also claimed to have a computerised trading algorithm, though no evidence of this was found by the Financial Sector Conduct Authority (FSCA) when it looked into it.

Similarly, there is no evidence the Cajees were trading the cryptos entrusted to their care.

The Cajees disappeared around the time of the alleged hack, and are believed to be in the Middle East.

The first offer to buy out the claims of Africrypt investors made in November came with a catch: anyone accepting the offer would have to withdraw criminal charges against the Cajee brothers and their affiliated entities.

This condition was likely unlawful: agreeing not to prosecute a crime in return for a reward is known in law as ‘compounding’.

The second rescue offer presented to investors last Friday (December 3) carries no obligation to withdraw criminal charges.

The first offer specified that the Cajees would be employed by Africrypt, which would be resuscitated as a trading entity so that investors could potentially earn back their full investment.

Investors hoped this would provide them with an opportunity to interrogate the Cajees as to the circumstances surrounding the alleged hack, and whether it was a genuine hack or an inside job. The Cajees have maintained the hack was genuine, and denied any involvement in what some believe was a heist, according to the BBC.

The identities of both the first and second ‘saviour’ investors remain unknown, though Ruann Kruger, legal representative for the Africrypt liquidators, says the second investor is a company.

“I am prevented from disclosing the identity of the company at this stage due to a non-disclosure agreement,” he tells Moneyweb.

“We have no idea of the identity of the first investor,” he adds.

Kruger says so far 35 out of 181 investors have signalled their intention to accept the offer.

Says a representative for some investors: “There are of course suspicions that this offer is coming via a proxy for the Cajees, and that we are being paid out with [our] own money. Either way, this is a clever tactic by whoever the investor is. It’s a divide [and] rule tactic.

“What I see happening here is the smaller investors are going to accept the offer, then the larger investors will be dealt with piecemeal. It’s a clever strategy, but a high risk one, because I believe some of the investors will not accept this offer, and will hold out for a better offer.”

Attorney Gerhard Botha, who is representing some of the investors, says any offer of 65 cents in the rand in any liquidation situation is not a bad deal.

“You must remember that up to now, there’s been no offer on the table. There’s also no proof that there was a hack, and there’s no proof that the money was actually invested [by the Cajees]. There is a strong possibility that this is a great deal for the Cajees, both legally and financially, but at the end of the day investors will make a decision based on purely commercial considerations,” he adds.

In a letter to Africrypt investors sent out on Friday, the joint provisional liquidators say they had not received any further communication or feedback from the first “third party investor” on the amended terms of the compromise offer – which attempted to indemnify the Cajees against criminal prosecution.

This raises suspicions among investors that the Cajees were behind the offer, which they decided to drop when it was pointed out that they could not buy their way out of potential jail time.

The letter from the provisional liquidators says the second offer of compromise is “a good, firm and less complicated offer that is open for acceptance for the next seven days”.

Those who accept the offer will receive 65 cents in the rand for any proven claim within five days of signature.

Africrypt investors are reckoned to have deposited about R120 million, though the value of their stolen cryptos today is worth many times this amount.

Article by:  for moneyweb.co.za

Mystery Africrypt investor wants Cajee charges dropped

By | Information Technology Law / Cyberlaw, Insolvency / Liquidation, News

A group of Africrypt investors, who lost millions following an alleged hack of the crypto platform earlier this year, say they will only accept an offer from a mystery investor to inject $5 million (R76 million) in the firm if the investor agrees to certain conditions.

This, despite investors with the majority of claims against the platform having voted unconditionally in favour of the offer, following a six-hour virtual meeting on Friday.

The mystery investor, who has not revealed identification details, has offered to put in the money for a 51% stake in the company and in so doing, take it out of liquidation, on condition that criminal charges against the platform’s founders Raees and Ameer Cajee are dropped.

The brothers have been in hiding since informing investors in April that the platform had been hacked.

The liquidators’ attorney, Ruann Kruger, confirmed in an e-mailed letter to creditors today that those investors representing 69% of the total ascertainable claims at the time voted in favour of the offer unconditionally.

However, creditors who made up 21% of claims voted in favour of the compromise subject to the implementation of additional terms and conditions that were put to the provisional liquidators during the meeting. The remaining 10% of the creditors rejected the offer.

To enable the provisional liquidators to properly verify each claim, creditors have been asked to provide full details and proof of each claim by Friday.

Attorney Darren Hanekom, who is representing a number of creditors, says the additional terms and conditions include that the settlement is no longer conditional on the investors withdrawing their criminal cases.

Hanekom says further protection mechanisms were also put in place regarding the mystery investor’s contractual obligations to the business.

“We await confirmation as to whether the amendment version has been accepted; thereafter, it will need to be made an order of court.”

Article by: itweb.co.za

Africrypt rescue plan could see Cajee brothers avoid prosecution

By | Information Technology Law / Cyberlaw, Insolvency / Liquidation

In what has been described as a “get out of jail free” card for the Cajee brothers, the liquidators for failed crypto scheme Africrypt say an unnamed investor has proposed stumping up US$5-million (about R77-million) for a 51% stake in the company – provided all criminal proceedings against the Cajees are dropped.

Creditors get to vote on the compromise offer on Friday, 12 November.

One creditor, who asked not to be named, described it as an “audacious” offer.

As Moneyweb previously reported, Raees and Ameer Cajee have a history of ‘hacks’ against their various crypto schemes, the first being in May 2019 and then again earlier this year, when an amount of about R200-million was allegedly hacked and spirited away.

Though the Cajees have stuck to the hack story, forensic investigators are less sure.

The compromise offer presented to creditors proposes paying $4-million (R61.6-million) towards the payment of creditors’ claims, which are reckoned to amount to about R200-million, and a further $1-million (R15.4-million) as capital for purposes of continuing the business.

The unnamed investor willing to inject $5-million into the business will receive 51% of the shares in Africrypt, with the balance of shares going to creditors pro rata to the balance of their claims.

The proposal also calls for the company to hire the two Cajee brothers. In addition, it calls for one of the liquidators, Eugene Januarie, to be appointed to the board, alongside an appointee representing the investor.

‘Preposterous’

One of the conditions of the offer is that any criminal charges laid by creditors against the Cajees be dropped, and that they agree to alternative dispute resolution instead.

Ruann Kruger, legal representative for the liquidators, said he did not want to comment on the compromise offer ahead of the Friday meeting with creditors.

One creditor, who asked not to be named, described the offer as “preposterous”.

“It’s a ‘get out of jail free card’ for the Cajees. Who would invest in a business like this as if it had any credibility or chance of success, other than someone very close to the Cajee family?”

There is still no certainty as to the value of claims against Africrypt, and the figure of R200-million given by the liquidators represents the deposit amounts, not the subsequent value of the cryptos deposited.

Bitcoin is up roughly 200% over the last year, and ethereum more than 1 000%. It means investors in Africrypt – who were being offered 10% a month – have potentially lost hundreds of millions of rands.

The offer requires 75% support from creditors to be accepted, at which point it will be made an order of court.

Another creditor said the offer is likely to be accepted by 75% of creditors, as the alternative is to receive nothing.

While creditors will sign away their rights to pursue criminal charges against the Cajees if they vote in favour of the offer, law enforcement authorities and ordinary citizens may take a different view.

The Cajees were living the high life prior to the collapse of their companies and, despite being in their early 20s, appeared to have enough money to purchase several luxury cars and houses – and then boast about it on social media.

“This proposed compromise certainly comes at a convenient time considering the current prices of bitcoin and ethereum,” says attorney Darren Hanekom, who is representing a number of creditors. “We trust that the general body of creditors will make the right decision when the proposal is tabled for a vote.”

Article by: Moneyweb

Cajee brothers to appear virtually at Africrypt inquiry

By | Articles, Business, Information Technology Law / Cyberlaw, News

Africrypt directors Ameer and Raees Cajee, who shut their crypto investment platform in April over an alleged hack, leaving investors millions of rands out of pocket, are to appear next month before an inquiry ordered by the company’s court-appointed liquidators.

The brothers went into hiding earlier this year after announcing the hack, saying they feared for their lives after receiving several death threats.

The liquidators’ legal representative, Ruann Kruger, told ITWeb yesterday that the Cajee brothers have agreed to testify on 19 and 20 October through a virtual session.

They were initially subpoenaed to appear before the inquiry last week, but this was postponed after their attorneys asked for an extension in order to consult further with their clients, stating at the time that their clients’ safety was still in question.

While a responding affidavit to oppose final liquidation of Africrypt, which was signed by Raees Cajee, contains the stamp of the South African embassy in Dar es Salaam, Tanzania, dated 19 July, no one knows – or will say – where the two brothers currently are.

Kruger said the first part of the inquiry, held last Thursday and Friday in Pretoria, heard testimony from Daniel Opperman, Africrypt’s former compliance officer.

Opperman, who was testifying over a virtual platform, told how a few days after the hack took place and two days before the two brothers announced in a statement that the company had been hacked, he met with the Cajees, but the brothers made no mention to him that the alleged hack had taken place.

“[Opperman] said he was very surprised to read about [the hack] in the media,” said Kruger. He added that Opperman will return to testify further at next month’s hearing. Contacted by ITWeb, to confirm the details of his testimony, Opperman declined to comment.

Kruger said the inquiry also heard testimony from Wayne Naidoo and Steve Miller, a director and manager, respectively, of public relations (PR) company Duke Advertising, which signed a 14-month contract worth R3 million with Africrypt.

The contract was to run until the end of December 2021; however, just three months into the contract, the PR company was paid the full amount. Kruger said the fact that the PR company was paid in full before the completion of the contract raised a red flag.

Raees Cajee contends in Africrypt’s affidavit opposing final liquidation that the application was taken out against the wrong company and that clients signed investment contracts not with Africrypt but with an entity called Rae Create Wealth.

However, Kruger said bank statements obtained by Tayfin Forensic Investigative Auditors, the forensic investigators appointed by the liquidators, revealed that all transactions made to Africrypt were moved to Rae Create Wealth. He said this and other evidence is expected to appear in the forensic report on Africrypt.

Contacted yesterday, Africrypt’s attorney Rashaad Moosa of Shaheed Dollie Incorporated Attorneys declined to comment, saying the inquiry is a private inquiry and that as such, he couldn’t comment without getting the permission of the commissioner. However, he said he would be questioning witnesses further in next month’s session.

Earlier this month, a group of investors’ bid to get the court to place Africrypt in final liquidation was postponed to 15 November.

It follows a provisional liquidation order brought by the group, under the name Badaspex, which was granted in April by the Gauteng South High Court against Africrypt.

Article by: Stephen Tim | itweb.co.za

11 POPIA Questions to Ask Yourself Before 30 June 2021

By | Business, Information Technology Law / Cyberlaw, Property

Note: This is a complex topic and there is no substitute for tailored professional advice. What is set out below is of necessity no more than a simplified summary of some practical highlights.

You and your business are at substantial risk if you aren’t fully compliant with POPIA (the Protection of Personal Information Act) on 1 July 2021.

The clock is ticking! Have a look at the Information Regulator’s Countdown Clock here to see exactly how many days (and hours, minutes, and seconds!) you have left.

Be ready! Be compliant! Ask yourself these eleven questions –

  1. Does POPIA really apply to us?
    As soon as you in any way “process” (collect, use, manage, store, share, destroy and the like) any personal information relating to a “data subject” (suppliers, customers, members, employees and so on, whether individuals or “juristic persons” such as corporates), you are a “responsible party”.
    The formal definition of a responsible party is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. Very few businesses and organisations will fall outside that net, and you are equally unlikely to fall under an exemption such as the one for information processed “in the course of a purely personal or household activity”.
    But don’t panic: compliance is easily attainable for most businesses, particularly if you are a smaller operation holding little in the way of sensitive personal information. Answer the questions below to get a feel for the areas you need to concentrate on now.
  2. What risks do we run if we don’t comply with POPIA?
    If a data subject suffers any loss as a result of your breach of POPIA, the subject (or the Regulator at the request of the subject) can sue you for damages and you will be liable even if your breach was unintentional and not negligent. You also face criminal prosecution, penalties and administrative fines for some breaches.
  3. Have we registered our Information Officer/s?
    You must register your Information Officer (“IO”) with the Information Regulator – go to the Regulator’s Online Portal for the online and PDF versions of the registration form, plus the email address for support enquiries and a link to the Search page. The IO is responsible (and liable) for all compliance duties, working with the Regulator, establishing procedures, and the like. You are automatically your business’ IO if you are its “Head” i.e., a sole trader, any partner in a partnership, or (in respect of a “juristic person” such as a company) the CEO, MD or “equivalent officer”. You can “duly authorise” another person in the business (management level or above) to act as IO and you can designate one or more employees (again management level or above) as “Deputy Information Officers”.
  4. Do we have a list of all personal information we hold, and how and why we hold it?
    Make a full list of all the personal information you hold or process, whether physically or in electronic form. Then evaluate it against the test that, to collect and “process” personal information lawfully, you need to be able to show that you are acting safely, lawfully and reasonably, in a manner that doesn’t infringe the data subject’s privacy.
    You must show that, “given the purpose for which it is processed, it is adequate, relevant and not excessive”. Data can only be collected for a specific purpose related to your business activities and can only be retained for as long as you legitimately need to (or are allowed to) keep it for that purpose.
  5. What security measures do we have in place?
    You must “secure the integrity and confidentiality of personal information in [your] possession or under [your] control by taking appropriate, reasonable technical and organisational measures to prevent … loss of, damage to or unauthorised destruction of personal information … and unlawful access to or processing of personal information.”
    You are at great risk of liability and penalties if you suffer any form of data breach from a risk that is “reasonably foreseeable” unless you can prove that you took steps to “establish and maintain appropriate safeguards” against those risks. The Act also expects you to regularly verify that those safeguards are effectively implemented and to update them in response to new risks or deficiencies. If you haven’t already done so, brainstorm with your team all possible internal and external vulnerabilities (physical as well as electronic), address them, and keep a record of what you found and what you did about it.
  6. Do third parties hold/process personal information for us?
    If third parties (“operators”) hold or process any personal information for you, they must act with your authority, treat the information as confidential, and have in place all the above security measures. Further restrictions apply if the third party is outside South Africa.
  7. Do we know what to do if we suffer a breach?
    Any actual or suspected breaches (called “security compromises” in POPIA) must be reported “as soon as reasonably possible” to both the Information Regulator and the data subject/s involved.
  8. Do we do any “direct marketing” and if so do we comply with all requirements?
    Most businesses don’t think of themselves as doing any “direct marketing”, but the definition is wide and includes “any approach” to a data subject “for the direct or indirect purpose of … promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject…”. So, for example, emailing or WhatsApping your customers about a new product or a special offer will put you into that net.
    If your approach is by means of “any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail”, you must observe strict limits. Whilst you can, as a general proposition, market existing customers/clients in respect of “similar products or services” (there are limits, and recipients must be able to “opt out” at any stage), potential new customers can only be marketed with their consent, i.e. on an “opt-in” basis. They can be approached only once for that consent, so keep a record of everyone you have asked.
  9. Does our website use cookies and if so do we have a cookie notice and policy in place?
    As countries around the world ramp up their privacy laws, we will all see many more examples of “cookie notices” on websites we visit. You may wonder how your own website should be configured, and the short answer is that if it uses cookies (almost all do), POPIA very likely applies despite the fact that there is no specific mention of cookies in the current legislation. Bottom line – to be on the safe side, have a cookie notice and policy in place. Keep yours simple and user-friendly.
  10. Do we have a privacy policy and a POPIA manual in place?
    POPIA, unlike PAIA (the Promotion of Access to Information Act), doesn’t require you to have a POPIA manual in place, but in larger businesses it is certainly a good idea to prepare one.
    However, you should certainly have a privacy policy in place. Make sure that everyone in your organisation is aware of it and of how critical it is to comply with it at all times.
  11. Is our staff team ready?
    Check that everyone in your business understands your compliance plan and their own individual roles and responsibilities in it. Make sure that nothing falls through the cracks: assign specific tasks to specific staff members.

Bodies Corporate and Homeowners Associations – how POPIA affects you

Bodies Corporate and Homeowners Associations (HOAs) fall into the POPIA compliance net and should be asking themselves the questions above.

In assessing what personal information you hold, how and why you hold it, and who you are sharing it with, remember to include not only scheme owners and HOA members but also your auditors, attorneys, managing agents, the CSOS (Community Schemes Ombud Service), security service providers and the like.

If you have gate security in the form of visitor registers, scanning of licence plates and driver’s licences and so on, be ready to address questions around having lawful reason for collection and retention of all the personal information you are gathering in this manner.

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

© LawDotNews

POPIA: A Practical 4-Step Action Plan for your Business

By | Business, Information Technology Law / Cyberlaw

“By failing to prepare you are preparing to fail” (Benjamin Franklin)

The media is still awash with warnings about the dangers of not complying with POPIA (the Protection of Personal Information Act). The risks of non-compliance are indeed substantial but whilst much is made of the fact that the Act itself is now in force, references to the one-year grace period for compliance expiring on 30 June 2021 appear only in the fine print (if at all).

But – and this is a big but – there are major benefits to understanding POPIA and starting the compliance process long before it becomes compulsory. The penalties for getting it wrong are sizeable, “preparation makes perfect”, you are giving yourself lots of time to get it right, and for many businesses there is also good marketing potential in being able to tell your customers and clients that you are already addressing the situation.

Four practical steps to start with…

Before we start on your action plan, get to grips with the fact that you will almost certainly have to comply fully with POPIA. As soon as you in any way “process” (collect, use, manage, store, share, destroy and the like) any personal information relating to a “data subject” (customers, members, employees, etc.), you are a “responsible party”. Very few businesses will fall outside that net. Equally, you are unlikely to fall under exemptions like that applying to information processed “in the course of a purely personal or household activity”. Get going with these steps –

  1. Assess what personal information you hold, how you hold it, and why: Figure out what personal information you currently hold, how you hold it, and why you hold it. To collect and “process” such information lawfully you need to be able to show that you are acting lawfully, reasonably, in a manner that doesn’t infringe the data subject’s privacy, and safely.

    You must show that “given the purpose for which it is processed, it is adequate, relevant and not excessive”, data can only be collected for a specific purpose related to your business activities, and can only be retained so long as you legitimately need to or are allowed to keep it.   

    There’s a lot more detail in POPIA, but you get the picture – you cannot collect or hold personal information without good and lawful cause.
  2. Check security measures, know what to do about breaches: You must “secure the integrity and confidentiality of personal information in [your] possession or under [your] control by taking appropriate, reasonable technical and organisational measures to prevent … loss of, damage to or unauthorised destruction of personal information … and unlawful access to or processing of personal information.” You are going to have big problems if there is any form of breach from a risk that is “reasonably foreseeable” unless you can prove that you took steps to “establish and maintain appropriate safeguards” against those risks. Bear in mind that whilst cyber-attacks tend to get the most media time, there are also other risks out there – brainstorm with your team all possible vulnerabilities and patch them.  

    Any actual or suspected breaches (called “security compromises” in POPIA) must be reported “as soon as reasonably possible” to both the Information Regulator and the data subject/s involved.   

    If third parties (”operators”) hold or process any personal information for you, they must act with your authority, treat the information as confidential, and have in place all the above security measures.
  3. Check if you do any direct marketing: Most businesses don’t think of themselves as doing any “direct marketing”, but the definition is wide and includes “any approach” to a data subject “for the direct or indirect purpose of … promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject…”. So for example just emailing or WhatsApping your customers about a new product or a special offer will put you firmly into that net. 

    If your approach is by means of “any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail”, you must observe strict limits. Whilst you can as a general proposition market existing customers in respect of “similar products or services” (there are limits and recipients must be able to “opt-out” at any stage), potential new customers can only be marketed with their consent, i.e. on an “opt-in” basis. 
  4. Get a start on procedures and training: Identify an “Information Officer” who will take on all compliance duties, establish procedures, and train your team in implementing them. Cover how you will collect the data, process it, store it, for how long, for what purpose/s and so on. What consent forms do you need and when/how are they to be completed and stored? You are much less likely to have a POPIA problem if everyone in your business (and most importantly you!) understands what your procedures are and implements them as a matter of course. Make sure that no functions “fall between two stools” – assign individual compliance tasks to named staff members and make sure everyone understands who is to do what.

This is a complex topic and there is no substitute for tailored professional advice. What is set out above is of necessity no more than a simplified summary of a few highlights.


© LawDotNews

POPIA’s Deadline is 30 June 2021 – Ignore the “Fake Headlines” But Start Planning!

By | Business, Information Technology Law / Cyberlaw

At long last the main provisions of POPIA (the Protection of Personal Information Act) have been gazetted, and they will commence on 1 July 2020. That means that the one year transitional period will expire on 30 June 2021.

Don’t panic just yet, and ignore the many “fake headlines” in the media implying that you are at immediate risk of non-compliance, but at the same time don’t leave this to the last minute! Preparing for compliance is going to be a time-consuming affair, almost all South African businesses will need to comply, and the penalties for not doing so will be very severe indeed – 

  • You risk administrative fines of up to R10m;
  • You could face criminal prosecution (with up to 10 years’ imprisonment);
  • You could be sued for millions by anyone whose data has been compromised, and this is an instance of “strict liability” in that no “intent or negligence” on your part need be proved;
  • The loss of trust and the adverse publicity resulting if your data breach goes public could be devastating.

In future issues we’ll let you have a lot more practical advice on how POPIA will affect your business, and on the steps you will have to take to protect yourself from the dangers of non-compliance, but for now get started with this first planning step: Ask yourself what personal information you hold, where you hold it, who has access to it, and how secure it is. 


© LawDotNews

POPIA’s One Year Deadline to Start Running on 1 April?

By | Business, Information Technology Law / Cyberlaw

Will the main provisions of POPIA (the Protection of Personal Information Act) really commence on 1 April 2020 as media reports suggest, or is this just another case of Crying Wolf? This time it seems it may be the real thing, with the Information Regulator having formally requested the President to declare the commencement date.

If that does indeed happen (still unclear at date of writing), any organisation that needs to comply with POPIA will have a one year transitional period expiring on 31 March 2021 to get their house in order. 

Watch this space…


© LawDotNews