Data security: in tune with legislation

The final draft of the Protection of Personal Information Bill is pending.

By Mike Hamilton
Johannesburg, 10 Feb 2009

Data protection legislation is in the pipeline for SA, with the final draft of the Protection of Personal Information Bill being imminent. What are the implications of the Bill and how can its objectives be realised?

Many companies are unfamiliar with the concept of data protection, yet it has been in existence, globally, for some time. In fact, the need to conform to international norms has been one of the key drivers behind the drafting of the Protection of Personal Information Bill.

Once promulgated, the corresponding Act will require all businesses to provide legal protection for a person, employee or client in instances where his or her personal information is being collected, stored or used by another person or institution.

The objective of the Act is to protect the public from the involuntary release of personal information. In other words, using personal information that an individual has provided voluntarily for any purpose other than that for which it was originally provided - without the individual's consent - would be illegal and would be an offence under the Act.

Therefore, in order for South African companies to interact legally with one another - and their counterparts in Europe and other parts of the world - they will need to meet the requirements of the pending legislation.

One of the requirements of the Act will be the need to report any loss or compromise of data to the authorities - an embarrassing task for any large organisation with a valuable corporate image to protect. It is, therefore, vital that South African companies begin demonstrating their ability to store and move data more securely and responsibly.

Storage techniques

Implementing single instance storage (SIS) techniques and methodologies is one of the ways companies can achieve these goals.

SIS describes a system's ability to keep a single copy of data that can be shared by many users - or computer systems. It addresses security issues by identifying any duplicate copies of the data and maintaining accurate references for each item.
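A minimal sketch of the single-copy-plus-references idea described above, added here as an illustration and not taken from the article or from any SIS product. The class and method names and the use of SHA-256 digests to identify duplicates are assumptions, and the sample data is constructed.

```python
import hashlib


class SingleInstanceStore:
    """Keeps one copy of each distinct payload, shared by many owners."""

    def __init__(self):
        self._blobs = {}   # digest -> payload bytes (the single stored copy)
        self._refs = {}    # digest -> set of (owner, name) references
        self._index = {}   # (owner, name) -> digest

    def put(self, owner, name, payload):
        """Store payload under owner/name; return True if it was a duplicate."""
        digest = hashlib.sha256(payload).hexdigest()
        self.delete(owner, name)          # replacing an item drops its old reference
        duplicate = digest in self._blobs
        if not duplicate:
            self._blobs[digest] = payload
        self._refs.setdefault(digest, set()).add((owner, name))
        self._index[(owner, name)] = digest
        return duplicate

    def get(self, owner, name):
        return self._blobs[self._index[(owner, name)]]

    def delete(self, owner, name):
        """Drop one reference; the copy goes only when nothing refers to it."""
        digest = self._index.pop((owner, name), None)
        if digest is None:
            return
        self._refs[digest].discard((owner, name))
        if not self._refs[digest]:
            del self._refs[digest], self._blobs[digest]

    def stored_copies(self):
        return len(self._blobs)

    def references(self, payload):
        return sorted(self._refs.get(hashlib.sha256(payload).hexdigest(), ()))


def demo():
    store = SingleInstanceStore()
    report = b"Q4 payroll export (constructed sample data)"
    store.put("alice", "payroll.csv", report)
    store.put("bob", "copy-of-payroll.csv", report)   # same content, no second copy
    store.put("bob", "notes.txt", b"constructed sample note")
    store.delete("alice", "payroll.csv")              # bob's reference keeps the copy
    return store.stored_copies(), store.references(report)
```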

Because an SIS data repository is not based on standard formatting principles, a hacker would first have to understand the very complex mapping of the hard drives on which the data is located before gaining access to meaningful information.

Moreover, because the SIS data repository is based on the same concept as a database, anyone with malicious intent who has not gained access to the key, or 'schema', would find it impossible to reconstitute the database from hacked data - which would then be rendered 'unreadable'.

Higher level

One of the areas of focus for large organisations is the increasing numbers of mobile computers in use. Laptop PC theft is rife and often results in compromised data security which, in addition to financial losses, could result in loss of consumer confidence for companies if the reporting terms of the pending legislation are adhered to.

For example, almost every executive's laptop PC contains sensitive data in the form of financial, HR or other strategic content, which would compromise the company and its employees if it fell into the wrong hands.

Despite this, few organisations have policies in place to protect this critical data.

One of the ways to take corporate data security to a higher level is the incorporation of an 'auto-destruct' mechanism in the data that is held on laptop PCs.

The technology exists today to enable enterprises to centrally control the rules by which laptop computers protect data - and to destroy data that may have been compromised.

This is achieved by software systems that detect user-specified behaviours that are inconsistent with the authorised use of data.

For example, if a laptop has not been connected to the corporate network for a specified interval, then the data it holds could be obliterated from the hard drive - not simply deleted - effectively preventing it from falling into the wrong hands.

When this occurs, the laptop can also be completely disabled. Solutions such as this represent a 'common sense' approach that effectively takes the concept of data security - and the protection of information - one step further.

* Mike Hamilton is MD of Channel Data.