
Associated Compliance Protection of Personal Information Act Series: Part 7

Protection of Personal Information Act (POPIA) – Security Safeguards
Over the last seven months the POPIA articles have dealt with responsibility, processing, purpose, further processing, information quality and transparency or openness.
Now that you have established the reason and purpose for processing the personal information, and whether you are a “responsible party” or an “operator”, the next question is how to manage privacy risks: in other words, how to ensure that the personal information in your possession is safe and secure. This is the discipline of information security, defined as “protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.” Remember that information may reside on information systems such as computer servers, networks, desktop and laptop computers and cell phones, and will most likely constitute intellectual property or confidential information.
To protect information systems from increasing levels of cyber threats, organisations are compelled to institute security programmes. To do so, you will first need to establish and understand what personal information, whether in hard copy or electronic form, your business has in its possession.
Section 19(1) of POPIA requires organisations to “secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent: loss of, damage to or unauthorised destruction of personal information.”
Sections 20 and 21 deal with personal information processed by operators or persons acting under authority, and with the security measures required of them by section 19.
Condition 7 (Security Safeguards) tells you which aspects of personal information must be secured, but not how you should go about implementing the required security safeguards.
The first question to ask yourselves as a business is what data or personal information you have, because you cannot protect data that you don’t know you have. The solution is a complete data inventory and data flow mapping exercise for personal information (risk identification of personal information): establish standards to classify the sensitivity of the personal information and, from that, determine the levels of protection required. This includes an inventory of all types of personal information and the related processing activities, systems and third parties involved in handling and processing that information. In practice this means identifying what personal information the business uses and carrying out assessments and audits of databases and data flows/processing activities; the outcome is a personal data inventory/dashboard and a data map of the data analysed, giving you a clear picture of the personal data you use across your business. The exercise also needs to cover transfers of personal information to and from third parties, and the collection and processing of data by third parties.
Once you’ve completed the risk identification of personal information, the next step is to assess the information security risks associated with specific kinds of personal information, for example special personal information and children’s personal information. The rationale is that to choose effective and efficient information security measures, management must identify the assets to be protected, the threats to those assets, and the vulnerability of the assets or their environment to those threats.
The risk assessment should include the following activities:
  • Identification and classification of information assets;
  • Identification of the threats to these information assets; and
  • Identification of any vulnerabilities in the current information asset safeguards.
Your risk assessment should include assessments on the types of risk, for example:
  • Intentional Conduct;
  • Hackers;
  • Organised Crime;
  • Insider Attacks; and
  • Attacks by service providers and other third parties, among others.
Once you’ve completed your risk assessments, the next step is to decide how to treat or manage the risk factors that have been assessed through:
  • Avoidance: not performing the activity that generates the risk;
  • Reduction: using controls to reduce or eliminate the risks by way of preventative, detective or corrective controls;
  • Sharing or Transfer: sharing the risk via outsourcing or insurance; or
  • Retention: where you decide to retain or self-insure the identified risk.
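The procedure above (inventory and classify the personal information, score the threats against the current safeguards, then pick a treatment) can be worked through in a small risk register. The following is an added example written for this page, not a tool of the article's author or of Associated Compliance. Its category tags, its three-tier sensitivity scheme, the 1..3 scoring scale and the treatment thresholds are assumptions chosen to illustrate the steps, and the inventory records are constructed sample data.

```python
"""Personal-information inventory and risk register (illustrative).

Added for this page; it is not the article author's tool. It follows the
article's procedure: inventory personal information, classify its
sensitivity, score threat sources against current safeguards, and choose
one of the four treatments. Categories, scoring scale and thresholds are
assumptions made for the example, not rules taken from POPIA itself.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumption: these tags are the example's shorthand for categories of
# "special personal information"; together with children's data they get the
# highest classification, since the article singles both out for assessment.
SPECIAL_CATEGORIES = {"health", "biometric", "race", "religion", "criminal", "political"}


@dataclass
class Asset:
    """One inventory entry: what personal information, where it lives, who handles it."""
    name: str
    categories: set[str]          # kinds of personal information held
    concerns_children: bool       # any data subjects who are children
    systems: list[str]            # where the information resides
    third_parties: list[str]      # operators / service providers receiving it
    cross_border: bool = False    # transferred outside the country
    essential: bool = True        # False means the activity could be dropped (avoidance)


@dataclass
class Threat:
    """A threat source scored against the safeguards currently in place."""
    source: str         # e.g. "hacker", "insider", "third party"
    likelihood: int     # 1 (rare) .. 3 (expected)
    vulnerability: int  # 1 (well controlled) .. 3 (no effective safeguard)


IMPACT = {"restricted": 3, "confidential": 2, "internal": 1}  # assumed weights


def classify(asset: Asset) -> str:
    """Sensitivity class that drives the impact weight (assumed three-tier scheme)."""
    if asset.concerns_children or asset.categories & SPECIAL_CATEGORIES:
        return "restricted"
    if asset.third_parties or asset.cross_border:
        return "confidential"
    return "internal"


def risk_score(asset: Asset, threat: Threat) -> int:
    """impact x likelihood x vulnerability; 1..27 on this scale."""
    return IMPACT[classify(asset)] * threat.likelihood * threat.vulnerability


def treatment(score: int, essential: bool) -> str:
    """Map a score to one of the article's treatments (assumed thresholds)."""
    if score >= 18:
        # Highest band: drop the activity if you can, otherwise reduce with
        # controls and share/transfer the residual risk (outsourcing, insurance).
        return "reduce and transfer residual" if essential else "avoid"
    if score >= 6:
        return "reduce"
    return "retain"


def build_register(assets: list[Asset], threats: list[Threat]) -> list[dict]:
    """Risk register: one row per asset/threat pair, highest risk first."""
    rows = []
    for a in assets:
        for t in threats:
            s = risk_score(a, t)
            rows.append({"asset": a.name, "class": classify(a), "threat": t.source,
                         "score": s, "treatment": treatment(s, a.essential)})
    return sorted(rows, key=lambda r: (-r["score"], r["asset"], r["threat"]))


def transfer_map(assets: list[Asset]) -> dict:
    """Data map of third-party flows, flagging cross-border transfers."""
    return {a.name: {"to": list(a.third_parties), "cross_border": a.cross_border}
            for a in assets if a.third_parties}


# Constructed sample inventory; not real data.
SAMPLE_ASSETS = [
    Asset("policyholder_health_claims", {"identity", "health"}, False,
          ["claims-db"], ["reinsurer"], cross_border=True),
    Asset("marketing_contact_list", {"contact"}, False,
          ["crm"], ["call-centre-bpo"], essential=False),
    Asset("staff_parking_register", {"vehicle"}, False, ["spreadsheet"], []),
]
SAMPLE_THREATS = [Threat("hacker", 3, 2), Threat("insider", 2, 2), Threat("third party", 3, 3)]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{row['score']:2d}  {row['asset']:<28} {row['threat']:<12} {row['treatment']}")
    print(transfer_map(SAMPLE_ASSETS))
```

Running the block prints the register with the health-claims data at the top (special personal information, handled by a third party, transferred cross-border) and the parking register at the bottom; the non-essential marketing list lands in the "avoid" band when a poorly controlled third-party flow is scored. The data map shows which assets leave the business, which is the input you need for the section 20 and 21 operator obligations.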
After assessing the assets, the threats to them and their vulnerability to those threats, you should be able to start drafting and implementing information security programmes and privacy controls, such as data encryption, identity management and authorisation, computer security controls, network security controls, physical security, personnel security, application security and breach incident management.
The purpose of the controls would be to:
  • Ensure the security and confidentiality of personal information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorised access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
Remember that where your organisation is the “responsible party”, it is necessary to ensure the security of personal information, since under POPIA the responsible party remains accountable for the personal information of the data subject even if the privacy breach was caused by a third party, such as an operator. You are advised to discuss your security safeguards with your IT department or service provider/s.
The last section dealing with security safeguards is section 22. In short, the section requires you to draft and implement a “Breach Notification” policy supported by:
  • a process for identifying the notification and related requirements of other applicable jurisdictions relating to the data subjects affected by the breach;
  • a process for assessing the need for stakeholder breach notification, if required by law, regulation or policy; and
  • a process for delivering the notice in a timely manner.
To summarise, physical security controls, which include deterrent, detective and preventive measures, are the means you put in place to mitigate physical security issues.
Deterrents aim to discourage those that might violate your security, detective measures alert you to or allow you to detect when you have a potential intrusion, and preventive controls actually prevent intrusions from taking place. In isolation, none of these controls is a complete solution, but together they can put you on a much stronger footing for physical security.
For previous parts, see: Part 1, Part 2, Part 3, Part 4, Part 5, Part 6.

Source: Associated Compliance
Copyright © Stoker Risk & ICT (Pty) Ltd 2004 - 2017.
All Rights Reserved.