EAP - Ethics and Privacy Specifications
Specifications in respect of the roles and responsibilities of parties, procedures, and legal obligations.
| Document | EAP: Ethics and Privacy Specifications |
|---|---|
| Version | 0 (Draft) |
| Author | W Hugo |
| Date | 17-12-2015 |
| # | Concept | Description | Reference |
|---|---|---|---|
| EAP-01 | POPI | Provisions of the Protection of Personal Information Act (POPI) need to be implemented. | EAP-01-01 |
| EAP-02 | License implications | Restrictions on data access emanate from privacy and ethics considerations; refer to the License specifications. | |

EAP-01-01
| # | Aspect | Description | Reference |
|---|---|---|---|
| EAP-01-01-01 | Consent | Data can only be processed if consent has been given. | |
| EAP-01-01-02 | Withdrawal of Consent | Consent can be withdrawn at any time. | |
| EAP-01-01-03 | Obtain Directly | Data must be obtained directly from the data subject, as attested by e-mail validation. | |
| EAP-01-01-04 | Defined Purpose | The purpose of data collection must be defined explicitly and the provider must be made aware of it. | |
| EAP-01-01-05 | Retention | Retention has to be qualified, and the provider has to assent to the use of inactive records for statistics and reporting. | |
| EAP-01-01-06 | Proof of Removal | Proof has to be provided of the removal of records, for whatever reason (by request from the data provider or through lapse of the registration period). It must not be possible to reconstruct a removed record. | |
| EAP-01-01-07 | No other uses | Specific conditions need to be met before the information may be used in a different context. | |
| EAP-01-01-08 | Quality | Reasonable care must be exercised to ensure that the data is complete and accurate. | |
| EAP-01-01-09 | Documentation | Processing history and documentation must be maintained. | |
| EAP-01-01-10 | Notification | The data subject / provider must be provided with information about the system and the responsible party. This should form part of the contracting between the parties. | CON |
| EAP-01-01-11 | Security | Prevent loss of or damage to personal information, and prevent unlawful access to such information. | SEC |
| EAP-01-01-12 | Delegation | Subcontractors, employees and operators with access to the data are bound by the same provisions. | |
| EAP-01-01-13 | Notification of Breach | Where there are reasonable grounds to believe that personal information has been compromised, the responsible party must communicate this to the Regulator and to the data subject in the prescribed way and within the prescribed time period. | |
| EAP-01-01-14 | Notification Content | The content must enable the data subject to understand the consequences and to take protective measures, and must describe the corrective steps taken by the responsible party. | |
| EAP-01-01-15 | Information Officer | DIRISA must designate a responsible information officer to implement the provisions of the Act. | |