We offer the following Consumer Protection Act services in line with our view that compliance is a process.  Each step leads to the next.

(Step 1 - Awareness) Be aware of the issues and applicable law

We can help you to be aware of and learn about consumer protection and the law that requires it.  We do this by:

1. Conducting a seminar called The Impact of the Consumer Protection Act on your organisation?
2. Providing online legal guidance on consumer protection on Online Legal….
3. Providing you with a book called The Consumer Protection Act made easy. The book will give you the background information that you need to know and will get you up-to-speed fast.  It will reduce your overall cost of compliance.  To get it in eBook form go to Kalahari.   To order a copy send an email to CPAbook@michalsons.com and state the number of copies you require, the address to which you want them delivered, and a contact telephone number.  They cost R180 each.  We will confirm your order and send you an invoice.  We can hand deliver the book to you, if we are going to meet.  Or we can post it to you by registered mail at a cost of R25 and it takes about 5 days.  We offer discounts if you order multiple copies.

We make you aware by applying our experience and knowledge to your specific circumstances.

(Step 2 - Assessment) Assess, determine the gap, and find solutions

We can conduct a Consumer Protection Act readiness assessment to determine whether your organisation is ready for the Consumer Protection Act.  It will be conducted by an experienced attorney (or a team of attorneys or other CPA consultants) with a detailed cross-departmental report and recommendations.  You will receive a detailed report that states specially how ready your specific organisation is.   It will customised for your specific circumstances.

We offer the following types of assessments:

1. Readiness desktop analysis with informed officer (2-3 hours)
2. Detailed assessment after interview with each section head
3. Full role accountability mapping exercise incl. individual employees

(Step 3 - Solutions) Implement solutions

We can help you implement various solutions.  For example, we can:

1. Review your documents to ensure that they comply with the Consumer Protection Act
2. Convert your documents into plain language
3. Make sure your promotional competitions comply with the Consumer Protection Act
4. Tell you what happens when a retailer displays the wrong price.

(Step 4 - Review) Ongoing review

We support you to review your situation on an ongoing basis and ensure that you continue to comply.

The benefits

Our  consumer protection services will help you to:

1. Identify the sections of the Consumer Protection Act that are relevant to you
2. Determine the impact of the Consumer Protection Act on your business
3. Focus on the activities that are critical to your business
4. Prioritise your next steps
5. Fast track your consumer protection compliance efforts
6. Get clarity on where you are and where you need to be
7. Determine the gap between your reality and compliance (usually a gap analysis)
8. Determine whether there is anything you should be doing in preparation for the commencement of the Consumer Protection Act
9. Find solutions to fill the gap - determining what solutions you need

Through our consumer protection services you either get assurance that you comply or we help you to find solutions to ensure that you comply.  We will also point you to material that you can read to get up to speed.

Get a proposal from us

For more information or a proposal, please contact cpa@michalsons.com.

Bevan is an information security professional.

He has the following qualifications:

• Bachelor of Commerce degree
• Certified Information Security Manager (CISM)
• Certified Information Systems Security Professional (CISSP)
• Certified in the Governance of IT (CGEIT)
• Certified Information Systems Auditor (CISA)
• Certified as a lead auditor on the ISO 27001 standard by the British Standards Institute (BSI).

He is presently enrolled in an Information Security Masters Program.

Bevan worked for PricewaterhouseCoopers (PwC) for 10 years where he gained extensive experience within the IT forensics, IT audit and Information Security consulting fields.

Since leaving PricewaterhouseCoopers he has been consulting for a variety of clients in terms of Information Security issues and performing reviews and assisting clients with development of policies.

Lance Michalson and Bevan have worked closely with one another on various information security related matters for the last 10 years, with Bevan supplementing Lance’s legal knowledge with his information security technical skills.

Lance Michalson has been included in the 2010 edition of International Who’s Who of Internet and e-Commerce lawyers. He was also included in the 2008 and 2009 editions.

Firstly, the Protection of Personal Information Bill (”POPI”) requires that “appropriate, reasonable” measures be taken to protect information from loss, damage or unlawful access (as does the Payment Card Industry Data Security Standard and ISO 27001).

This implicitly requires companies to set up training programs to help employees understand what those measures are (security experts often say that staff (”insiders”) are the biggest threat to PI, and the list of breaches maintained by the Privacy Rights Clearinghouse is dotted with incidents resulting from employee mistakes).

This is particularly important as section 21 of POPI requires the company to notify the Regulator and data subject of security breaches.

Secondly King 3 says that the board is responsible for the company’s compliance with applicable laws. This includes privacy laws. It is implicitly required that the board and management understand the context and requirements of POPI.

Different audiences we focus on:

• Senior management (where we focus on creating an awareness of privacy requirements under POPI, NCA, CPA and other laws)
• Marketing department (with a focus on direct marketing issues)
• Security (focusing on data warehousing etc with reference to information security implications)
• Call centre agents
• Staff.

Our training program:

• is aimed at raising awareness amongst employees of their privacy responsibilities under the company Privacy Policy and how to reduce the risk of a privacy breach;
• is aimed at integrating information-handling practices into day-to-day business activities;
• includes setting up campaigns (e.g. posters, email) as well as “role-based” training.  This means that our programs are aimed at different audiences as different audiences have different needs on what they should be doing
• We focus on giving  practical steps and outcomes rather than just a summary of the law;
• We try hard to contextualise our training and make a big effort to explain why people are attending and why things need to change (if things do need to change);
• Includes webinars and face to face training.

• the way you manage information: in terms of the the Protection of Personal Information Bill (”POPI”), you will now have to classify what information you hold constitutes “personal information” (PI). King 3 also requires  companies to identify what “records” and “sensitive” information they hold. You can therefore ‘kill three birds with one stone’  when doing a PI classification.  There will be different handling criteria for PI and non PI.
• you will have to notify third parties of breaches of their personal info due to a privacy breach.
• If you want more information on how POPI will affect you, read here and attend one of our webinars.

When will the new privacy bill be promulgated?

• sometime during 2010.

Are there other South Africa legislation that regulates privacy in South Africa?

• It is envisaged that POPI will be the primary legislation dealing with the protection of information. This does not mean that it will necessarily be the only one. However, any other Act will have to comply with the principles set out in POPI. Existing legislation will therefore have to be amended (a huge number of Acts will have to be dealt with in consequential amendments when POPI is enacted) to ensure compatibility and any new legislation will have to comply from the start. According to the SA Law Commission which drafted POPI, the following is envisaged in respect of the most important pieces of legislation that has been  identified: The privacy provisions in the Electronic Communications and Transactions Act will fall away in instances of duplication. Sections in the Promotion of Access to Information Act dealing with a person’s own personal information (as opposed to third party information and general information) will fall away and be dealt with in POPI. The National Credit Act (”NCA”) and the Consumer Protection Act (”CPA”) will have to be amended to comply with all the privacy principles or the sections dealing with privacy removed and dealt with in POPI. An arrangement to this effect is already in place with the DTI in so far as the NCA is concerned (the NCA was enacted before the PPI draft was available) and consultation regarding the CPB will still have to take place.

How is sensitive information like a persons “race” protected through the new privacy bill when it is required to submit this information for employment equity purposes?

• “Protected” is misleading. If it constitutes “personal information” it has to be processed ito PPI

How should personal information be protected by organisations?

• First, conduct a privacy impact assessment;
• Secondly, develop an inward facing privacy policy in place describing how the company deals with employee, company and third party PI;
• Thirdly, develop an outward facing privacy policy on your website describing how the company deals with 3rd party PI it collect through the website;
• Fourthly, put appropriate technology in place to protect PI.

What is the difference between privacy and security?

• Information security is distinct from the concept of privacy, although the two concepts often overlap. “Privacy” involves the protection of a person’s personal information by inter alia limiting the amount and kind of personal information gathered, notifying the person of the ways in which the person’s information is used or disclosed, obtaining the person’s consent to such use and disclosure and providing means for a person to review and update his own personal information. The concept of privacy also entails that a person’s private information will be kept secure against loss, theft, modification, unauthorised access, use or disclosure. Because the concept of privacy therefore encompasses security, but not vice versa, it is possible to have security without privacy. However, it is not possible to have privacy without security. Privacy is therefore broader than security. There is however a considerable overlap between privacy compliance and security obligations.

How much would it cost to ensure compliance with POPI? One has to factor in the cost of:

• a privacy impact assessment;
• the identification of PI;
• drafting and implementation of policies, training and technology.

What type of organisations will be affected most by the privacy bill?

• All companies, but in particular companies that deal with a lot of sensitive PI such as banks, insurance companies and other companies in the financial services sector and companies that deal with medical information: medical aids etc…

Principle 5.4 of King III states that “The board should monitor and evaluate significant IT investments and expenditure.”

IT investment and expenditure includes the acquisition, management and disposal of IT goods or services.

Types of IT goods or services, include (amongst others):

• IT infrastructure,
• applications,
• peripherals,
• the rental of goods,
• the purchase of goods,
• software,
• cloud-computing,
• application service provider (ASP) services,
• Software as a Service (SaaS),
• Platform as a Service (PaaS),
• on-demand computing and hardware,
• support and maintenance services,
• consulting services and professional services,
• hosting services,
• design and development services,
• temporary employment services.

Our IT Goods and Services audit assesses you current governance practices relating to IT goods and services. This includes reviewing key contracts to inter alia establish whether:

• the rights and obligations of all parties have been clearly defined and agreed in writing;
• the agreement has been drafted in plain language and should not include legal or technical jargon;
• they contain the alternative dispute resolution clause recommended by King III.

It also includes establishing whether good vendor management procedures are  followed.  They include:

• The escalation of issues
• The notification of breaches of the agreement
• The transfer of services on termination of the relationship

The audit also seeks to ascertain whether information security and sustainability have been addressed as part of the disposal of IT goods.  For example,

• the company should scrub hard drives before disposing of them.
• the company should consider the impact on the environment before disposing of print cartridges.

For further information please contact info@michalsons.com

If you want to find out more about information management go to Online Legal.

Click here to test your awareness of Technology Laws.

PAIA as a lot of practical implications. Click here to understand what they are.

In terms of PAIA all private bodies (entities mentioned above as defined in PAIA) and public bodies (mainly state departments and state administrations as defined in PAIA) must give access to their records if a party requests a record in terms of PAIA.

We perform a GAP analysis establish whether your current processes and procedures comply with the requirements of PAIA.

For further information please contact accessaudit@michalsons.com

This necessitates a review of the company’s current practices in respect of each of the following areas:

• Record Keeping Function (Processes & Control)
• Record Keeping Policy Statements
• Roles and Responsibilities
• Record Creation and Record Keeping (Active and Inactive Records)
• Record Maintenance (Safe Keeping)
• Record Disposal
• Record Access (Security, privacy, confidentiality and legal liability)
• Monitoring and Reporting (Implementation and evaluation)
• Scanned images of paper documents

Each of these areas comprise one of the building blocks (modules) of our records governance audit.

Our approach entails undertaking a high level (broad but shallow) audit of the existing state of records governance . We  utilise our Record Keeping Compliance Framework which assesses the company’s  record keeping practices against South African legal requirements, standards and best practice while taking into account organisational strategies and objectives. The audit will further highlight the risks posed in terms of non-compliance.

There is a specific focus on “records”. There are several statutes in South Africa which require organisations to keep “records”.  The ability to separate business records (both electronic and paper), from non-essential records is at the heart of the matter.  It is critical that organisations be able to separate the “wheat” from the “chaff” and identify their records as this allows organisations to amongst others maintain control over their storage requirements, storage costs and speed up the compliance process in the event that a record is required to satisfy a statutory or legal requirement (e.g. discovery of documents in legal proceedings) at some future date.

Our deliverables could include the following (to be delivered in consultation with you):

• Delivering a high level GAP Analysis Report detailing your current status, ideal status and legal and compliance gaps;
• The Report will highlight risks and make recommendations in the form of an Action Plan.

Where necessary, we recommend solutions which would ensure compliance with South African regulatory requirements and implement best practice where sound business practice, rather than a legal requirement, dictate that risk be managed.

For further information please contact recordsgovaudit@michalsons.com

If you want to find out more about information management go to Online Legal.

Click here to test your awareness of Technology Laws.

The Consumer Protection Act (CPA) has been signed into law and will become operative on 24 October 2010. The CPA will have huge implications for your standard business terms and conditions, policies and other documents. The CPA introduces many obligations on vendors which vendors may probably not even be aware of because it was never before required by law. These include for example:

• A vendor must bring certain clauses to a customer’s attention;
• Very specific requirements when selling goods voetstoots;
• Warranty against defective goods for 6 months;
• Liability for gross negligence.

It is imperative that you as Vendor understand what you may and may not include in your terms and other documents. To accomplish this, we can perform a two leg exercise to your existing documents. We

1. Audit your existing documents to determine whether they comply with the provisions of the CPA; and
2. Draft or redraft appropriate clauses where your existing documents do not comply.

We can also provide advice or an opinion on various clauses independently like warranty, indemnity, liability, delivery and any others.

We will help you to:

1. Assess where you are;
2. Determine the gap between your actual position and compliance;
3. Fill the gap to ensure that your documents comply.

Through the audit you either get assurance that you comply or we help you to comply.

The deliverables are:

1. a written report on the audit including a report on all aspects where your existing documents do not comply and the implications of non - compliance. It entails a clause by clause examination and references to the applicable section in the CPA;
2. redrafted or new clauses to ensure compliance.

• Grow your business by building trust with the visitors to your web site
• Avoid legal problems, difficulties, and disputes by managing your legal risks
• Avoid costly litigation
• Avoid fines and imprisonment by complying with the laws related to web sites and electronic transactions
• Follow best practice

We focus on, amongst others, issues around:

1. the design of the web site (different issues flow from whether it was developed and designed in-house or by an outside advertising agency or website developer),
2. copyright,
3. the contractual terms - terms and conditions and privacy policies,
4. so-called web site “linking” and “framing”,
5. trade marks,
6. domain names,
7. security,
8. payment mechanisms,
9. consumer protection, and
10. the processing of personal information - privacy and data protection.

We review the web site (including the current terms and conditions and privacy policy) and perform a GAP analysis where we assess the extent to which an organisation is “compliant” with applicable law.  We often have to ask various questions to gather additional information related to the web site that we require to conduct the audit.   Where necessary, we recommend solutions which would ensure compliance with South African regulatory requirements and implement best practice where sound business practice, rather than a legal requirement, dictate that the risk be managed.

The deliverable is a written web site audit report.  The audit report includes a table setting out:

• The compliance or risk issue
• Our observation or the current status
• Whether the web site is compliant or not
• Whether there is a risk or not
• Our suggested recommendation or control

The report also includes an action plan to ensure that the audit results in action being taken that adds value to the web site and the web site owner.

For further information please contact websiteaudit@michalsons.com

If you want to find out more about web site related issues, go to Online Legal.

Click here to test your awareness of Technology Laws.