EAP - Ethics and Privacy Specifications

Specifications in respect of the roles and responsibilities of parties, procedures, and legal obligations.

 


Version: 0

Author: W Hugo

Draft: 17-12-2015

| # | Concept | Description | Reference |
|---|---|---|---|
| EAP-01 | POPI | Provisions of the Protection of Personal Information Act need to be implemented. | EAP-01-01 |
| EAP-02 | License implications | Restrictions on data access emanate from privacy and ethics considerations – refer to License specifications. | LIC |

 

EAP-01-01

 

 

| # | Aspect | Description | Reference |
|---|---|---|---|
| EAP-01-01-01 | Consent | Data can only be processed if consent is given. | POPI |
| EAP-01-01-02 | Withdrawal of Consent | Consent can be withdrawn at any time. | POPI |
| EAP-01-01-03 | Obtain Directly | Obtain directly from the subject, as attested by e-mail validation. | POPI |
| EAP-01-01-04 | Defined Purpose | The purpose of data collection must be defined explicitly, and the provider must be aware of it. | POPI |
| EAP-01-01-05 | Retention | Retention has to be qualified, and the provider has to assent to the use of inactive records for statistics and reporting. | POPI |
| EAP-01-01-06 | Proof of Removal | Proof has to be provided of the removal of records for whatever reason – by request from the data provider or through lapse of the registration period. It must not be possible to reconstruct the record. | POPI |
| EAP-01-01-07 | No other uses | Specific conditions need to be met for the use of the information in a different context. | POPI |
| EAP-01-01-08 | Quality | Reasonable care must be exercised to ensure that the data is complete and accurate. | POPI |
| EAP-01-01-09 | Documentation | Processing history and documentation must be maintained. | PAIA |
| EAP-01-01-10 | Notification | The data subject/provider must be provided with information about the system/responsible party. This should form part of the contracting between the parties. | POPI, CON |
| EAP-01-01-11 | Security | Prevent loss of or damage to personal information, and prevent unlawful access to such information. | POPI, SEC |
| EAP-01-01-12 | Delegation | Subcontractors, employees, and operators with access to the data are bound by the same provisions. | POPI |
| EAP-01-01-13 | Notification of Breach | Where there are reasonable grounds to believe that personal information has been compromised, the responsible party must communicate this to the Regulator and the data subject in the prescribed way and within the prescribed time period. | POPI |
| EAP-01-01-14 | Notification Content | The content must enable the data subject to understand the consequences and take protective measures, and must describe the corrective steps taken by the responsible party. | POPI |
| EAP-01-01-15 | Information Officer | DIRISA must designate a responsible information officer to implement the provisions of the Act. | POPI |
