Associated Compliance Protection of Personal Information Act Series: Part 7

Published: Fri 21 Apr 2017


Protection of Personal Information Act (POPIA) – Security Safeguards

Over the last seven months the POPIA articles have dealt with responsibility, processing, purpose, further processing, information quality and transparency or openness.

Now that you have established the reason and purpose for processing the personal information, and whether you are a “responsible party” or an “operator”, the next question is how to manage privacy risks. In other words, how do you ensure that the personal information in your possession is safe and secure? This is the discipline of information security, which is defined as “protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.” Remember that information may reside on information systems such as computer servers, networks, desktop and laptop computers and cell phones, and will most likely constitute intellectual property or confidential information.

It is well known that, to protect information systems from increasing levels of cyber threats, organisations are compelled to institute security programmes. To do so, you will first need to establish and understand what personal information, whether in hard copy or electronic form, your business has in its possession.

Section 19(1) of POPIA requires organisations to “secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent: loss of, damage to or unauthorised destruction of personal information.”

Sections 20 and 21 deal with personal information that is processed by operators or by persons acting under authority, and with the security measures required of them under section 19.

Condition 7 (Security Safeguards) tells you which aspects of personal information must be secured, but not how you should go about implementing the required security safeguards.

The first question to ask yourselves as a business is what data or personal information you hold, because you cannot protect data that you don’t know you have. The solution is a complete data inventory and data flow mapping exercise for personal information (risk identification of personal information): establish standards to classify the sensitivity of the personal information and, from that classification, determine the levels of protection required. This covers an inventory of all types of personal information and the related processing activities, systems and third parties involved in handling and processing that information. In practice this means recording what personal information the business uses and assessing and auditing databases and data flows/processing activities, with the outcome being a personal data inventory/dashboard and a data map that give you a clear picture of the personal data you use across your business. It also needs to include transfers of personal information to and from third parties, and the collection and processing of data by third parties.

Once you’ve completed the risk identification of personal information, the next step is to assess the information security risks associated with specific categories of it, for example special personal information and children’s personal information. The rationale is that, to choose effective and efficient information security measures, management must identify the assets to be protected, the threats to those assets, and the vulnerability of the assets or their environment to those threats.

The risk assessment should include the following activities:
  • Identification and classification of information assets;
  • Identification of the threats to these information assets; and
  • Identification of any vulnerabilities in the current information asset safeguards.
Your risk assessment should also consider the types of risk you face, for example:
  • Intentional Conduct;
  • Hackers;
  • Organised Crime;
  • Insider Attacks; and
  • Attacks by service providers and other third parties, among others.
Once you’ve completed your risk assessments, the next step is to decide how to treat or manage the risk factors that have been assessed through:
  • Avoidance: not performing the activity that generates the risk;
  • Reduction: using controls to reduce or eliminate the risks by way of preventative, detective or corrective controls;
  • Sharing or Transfer: sharing the risk via outsourcing or insurance; or
  • Retention: where you decide to retain or self-insure the identified risk.
Once you have assessed the assets, the threats, and the vulnerability of these personal information assets to those threats, you should be able to start drafting and implementing information security programmes and privacy controls, such as data encryption, identity management and authorisation, computer security controls, network security controls, physical security, personnel security, application security and breach incident management.

The purpose of the controls would be to:
  • Ensure the security and confidentiality of personal information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorised access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
Remember that where your organisation is regarded as the “responsible party”, it must ensure the security of personal information, since under POPIA the responsible party is ultimately accountable for the personal information of the data subject, even if the privacy breach was caused by a third party such as an operator. You are advised to discuss your security safeguards with your IT department or service provider(s).

The last section dealing with security safeguards is section 22. In short, the section requires you to draft and implement a “Breach Notification” policy supported by:
  • a process for identifying the notification and related requirements of other applicable jurisdictions relating to the data subjects affected by the breach;
  • a process for assessing the need for stakeholder’s breach notification, if required by law, regulation, or policy; and
  • a process for delivering the notice in a timely manner.
To summarise, physical security controls, which include deterrent, detective and preventive measures, are the means you put in place to mitigate physical security issues.

Deterrents aim to discourage those who might violate your security, detective measures alert you to or allow you to detect a potential intrusion, and preventive controls actually stop intrusions from taking place. In isolation, none of these controls is a complete solution, but together they put you on a much stronger footing for physical security.

For previous parts, see: Part 1 | Part 2 | Part 3 | Part 4 | Part 5 | Part 6

Source: Associated Compliance
By using this website you agree to the Terms of Use.
Copyright © Stoker Risk & ICT (Pty) Ltd 2004 - 2017.
All Rights Reserved.