Written by Catherine Berry – Director of Commercial and Cyber Crime at Camargue Specialised Liability Management
Enacted in November 2013, the Protection of Personal Information Act (POPI) aims to bring South Africa in line with international data protection laws. However, only a few sections of POPI have commenced so far (most notably the establishment of the Information Regulator), with the balance to commence on a date still to be proclaimed by the President. It is anticipated that POPI will commence during the course of 2016. It should be noted, however, that once the commencement date is announced there is a one-year grace period in which to demonstrate compliance (it is anticipated that this may be extended to a maximum of three years).
Whilst there is a general awareness of POPI, it is useful, when contemplating the exposures facing one’s business, to reconsider exactly what POPI aims to achieve and what the ramifications of not adhering to its requirements are. Very simply, POPI promotes transparency regarding what information is collected and how it is processed. POPI contains eight conditions for the lawful processing of personal information which must be adhered to: accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation. The definition of personal information is extremely broad and includes (but is not limited to) identity numbers, date of birth and age, contact details, online identifiers, race, gender, ethnic origin, photos, voice recordings, CCTV footage, biometric data, marital status, criminal record, religious or philosophical beliefs, financial and educational information, physical and mental health information, and even membership of organisations. POPI gives rise to three elements of potential liability:
- civil liability for patrimonial and non-patrimonial damages for interference with personal information (whether or not there is intent or negligence);
- criminal liability, with imprisonment for a period not exceeding 10 years and/or payment of a fine;
- administrative liability for an administrative penalty payable to the Information Regulator, to a maximum of R10 million.
It is of vital importance to note that POPI will apply not only to new clients’ information but also to that of existing clients. Thus, you will have to obtain existing clients’ consent to continue holding their information.
The issue of protecting the information of which we are custodians is probably the burning topic at the moment. As noted above, one of the conditions put forward by POPI is that of security safeguards, which requires the responsible party to ensure the integrity and confidentiality of any personal information in its possession by implementing appropriate, reasonable technical and organisational measures to prevent loss of, damage to, and unauthorised or unlawful access to the personal information in its custody and control. It is under this condition that POPI stipulates that the Information Regulator (and the affected data subjects) must be notified where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.
One has to wonder how many entities actually have information asset inventories, i.e. can pinpoint what personal information is held within their systems and where. This is probably the best starting point for companies wanting to move towards POPI compliance: if you don’t know what information you have, how will you even begin to protect it? Once this identification process is complete, the organisation should implement a register to track this data and any changes to or movements of it.
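As an added illustration of the inventory and register described above (example code, not part of the original article), the script below scans a set of documents for two categories of personal information named earlier in the article, South African identity numbers and contact e-mail addresses, and produces an inventory keyed on a content hash so that a later run can record what was added, removed or changed. The sample documents, file names and the identity number in them are constructed for the example; the 13-digit identity number is a Luhn-valid example value, not a real person’s. In practice the scan would walk real file shares, mailboxes and databases rather than an in-memory dictionary.

```python
"""Personal-information discovery for an information asset inventory.

Added example, not part of the original article.  Scans constructed sample
documents for SA identity numbers and e-mail addresses, then builds an
inventory and a change register keyed on a SHA-256 of each document.
"""
import hashlib
import re
from datetime import datetime

# 13-digit SA identity number: YYMMDD SSSS C A Z, where Z is a Luhn check digit.
SA_ID_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Return True when the final digit is a correct Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, skipping the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_sa_id_number(candidate: str) -> bool:
    """Treat a 13-digit run as an ID number only if its date part parses and the Luhn check holds."""
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    try:
        datetime.strptime(candidate[:6], "%y%m%d")
    except ValueError:
        return False
    return luhn_valid(candidate)


def classify(text: str) -> dict:
    """Count personal-information hits by category in one document."""
    ids = [m for m in SA_ID_RE.findall(text) if is_sa_id_number(m)]
    emails = EMAIL_RE.findall(text)
    hits = {}
    if ids:
        hits["identity_number"] = len(ids)
    if emails:
        hits["contact_email"] = len(emails)
    return hits


def build_inventory(documents: dict) -> dict:
    """Map each document holding personal information to its categories and content hash."""
    inventory = {}
    for name, text in documents.items():
        hits = classify(text)
        if hits:
            inventory[name] = {
                "categories": hits,
                "sha256": hashlib.sha256(text.encode()).hexdigest(),
            }
    return inventory


def register_changes(previous: dict, current: dict) -> dict:
    """Diff two inventories so the register records new, removed and changed holdings."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(
        n for n in set(current) & set(previous)
        if current[n]["sha256"] != previous[n]["sha256"]
    )
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample documents.  8001015009087 is a Luhn-valid example value;
# 8001015009088 in the invoice fails the check and is correctly ignored.
SAMPLE_DOCS = {
    "hr/new-starter.txt": "Name: A. Example\nID: 8001015009087\nEmail: a.example@example.co.za\n",
    "finance/invoice-1023.txt": "Invoice 1023\nAmount: R12 500.00\nRef: 8001015009088\n",
    "marketing/leads.csv": "name,email\nB,b@example.org\nC,c@example.net\n",
}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_DOCS)
    for name, entry in inv.items():
        print(name, entry["categories"])
    updated = dict(SAMPLE_DOCS)
    updated["hr/new-starter.txt"] += "Phone: +27 21 000 0000\n"
    print(register_changes(inv, build_inventory(updated)))
```

The Luhn and date checks matter: without them every 13-digit reference number (invoice, account or tracking numbers) would be logged as an identity number and the inventory would overstate what the organisation holds. The change register is deliberately coarse (file-level hashes) so that it can be run on a schedule and reviewed by a compliance officer rather than only by IT.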
It is of paramount importance that the information technologies and controls in place be assessed to ensure that they are sufficient. Given the rate at which technology advances and the rate at which attackers exploit new technologies, it is imperative that regular reviews are conducted. Issues to consider during this assessment include disaster recovery and backups; security controls such as firewalls and antivirus software; patching practices; and whether data is encrypted (particularly on mobile devices such as laptops, smartphones and external drives, which are easily lost or stolen). Security assessments and penetration testing are valuable services which identify vulnerabilities in the organisation’s network that could be exploited, and the professionals rendering these services will also advise on how the weaknesses can be remediated.
Even the best controls can be for nought if employees are not appropriately informed. The term boardroom-to-basement perfectly captures the requirement for information security to be an organisation-wide practice, and that it is insufficient for only the board of directors to be aware of the exposures and the risk management surrounding them. The organisation should therefore determine who (internally and externally) has access to personal information within its systems, and whether there is actually a business need for each of those individuals to have that access.
Masthead will be running a series of articles, in conjunction with Camargue, considering various aspects of POPI.
Should you have any questions relating to POPI, please contact your Masthead compliance officer or email firstname.lastname@example.org