
Privacy milestone in SA: Protection of Personal Information Bill

By Robert Shield, Principal, Product Marketing, Security/TDM at Informatica
Johannesburg, 13 Oct 2014

POPI will have a significant impact on South African organisations. Most organisations collect information from clients, employees and partners. Under POPI, due care must be taken to accommodate the broad definitions of what is considered private, and therefore protected, information.

Any information related to identity, race, health status, beliefs, education and personal preferences should be considered private and therefore subject to protection. The explanatory memorandum to the Bill calls for safeguarding private information:

"The Bill aims to give effect to the right to privacy, by introducing measures to ensure the personal information of an individual (data subject) is safeguarded when it is processed by responsible parties."

The body of the Bill itself (chapter 3, condition 7) elaborates on "safeguarding" and broadly calls for protecting private information from unauthorised access:

"1. ... responsible party must take reasonable technical and organisational measures to prevent ... (b) unlawful access ... of personal information".

"Reasonable" is the operative word. Many organisations understand traditional cyber security and data security controls, but these controls have gaps. Network/cyber security will eventually be breached, and data security controls (encryption, tokenisation) have gaps of their own: they do not protect live data (data opened and decrypted by an application) and do not secure data copied from databases for testing, training, support or outsourced initiatives. These gaps can be covered with masking. A glance at the headlines confirms that hackers exploit cyber security gaps and weaknesses with devastating results. Recent research reported 42 million security incidents to date in 2014, a staggering daily rate of over 150 000.

Information security needs help to reduce the risk and/or impact of a breach and to facilitate tight control of private data. Organisations should continue their investments in cyber security (network security such as VPN, firewall, WAF, IDS) and look to expand their adoption of traditional data security controls (encryption, tokenisation).

But, more importantly, they should look to data masking to harden data security. Given that masking technologies have now been recognised by analyst organisations as effective controls, and with growing adoption worldwide, it would be wise to assume data masking is in scope with POPI's definition of "reasonable" controls. For protection of test data, live production data and for outsourcing purposes, no other technology provides the granular controls to facilitate the de-identification and de-sensitisation of data as called for by POPI.
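The kind of masking described above, applied to a copy of production data before it leaves for a test, training or outsourced environment, can be illustrated with the following added example. It is written for this page and is not code from Informatica or the article's author. It assumes keyed, deterministic pseudonymisation (HMAC-SHA256 under a key that stays with the production side, so the same customer maps to the same token in every table and joins survive, but the mapping cannot be rebuilt without the key), and the South African 13-digit ID number layout (YYMMDD, four sequence digits, citizenship digit, a fixed digit, Luhn check digit). The customer and order records, the key and the field names are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample extract: fictitious people and orders, not real data.
CUSTOMERS = [
    {"id": "1001", "name": "Thandi Nkosi", "id_number": "9001015009087",
     "email": "thandi.nkosi@example.com", "phone": "+27 82 555 0101", "dob": "1990-01-01"},
    {"id": "1002", "name": "Pieter van Wyk", "id_number": "8505125012080",
     "email": "pvw@example.com", "phone": "+27 11 555 0199", "dob": "1985-05-12"},
]
ORDERS = [
    {"order_id": "A1", "customer_id": "1001", "amount": 199.00},
    {"order_id": "A2", "customer_id": "1002", "amount": 45.50},
    {"order_id": "A3", "customer_id": "1001", "amount": 12.75},
]

# Assumption: in practice the key comes from a secret store and never reaches
# the test environment; it is hard-coded here only so the example runs offline.
MASKING_KEY = b"example-masking-key-do-not-reuse"


def keyed_digest(value, field, key):
    """HMAC over field name + value: deterministic, but unrecoverable without the key."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()


def pseudonym(value, field, key=MASKING_KEY):
    """Short hex token; same (field, value) always yields the same token."""
    return keyed_digest(value, field, key).hex()[:16]


def luhn_check_digit(payload):
    """Check digit for a digit string, doubling from the rightmost payload digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    """True if the full number (payload + check digit) passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_sa_id_number(id_number, key=MASKING_KEY):
    """Format-preserving replacement: plausible YYMMDD, keyed sequence digits,
    citizenship digit, fixed '8', and a recomputed Luhn digit so validators pass."""
    d = keyed_digest(id_number, "id_number", key)
    yy = f"{d[0] % 100:02d}"
    mm = f"{1 + d[1] % 12:02d}"
    dd = f"{1 + d[2] % 28:02d}"
    ssss = "".join(str(b % 10) for b in d[3:7])
    citizenship = str(d[7] % 2)
    payload = yy + mm + dd + ssss + citizenship + "8"
    return payload + str(luhn_check_digit(payload))


def mask_phone(phone, key=MASKING_KEY, keep_digits=2):
    """Keep the country code and punctuation; replace the remaining digits."""
    d = keyed_digest(phone, "phone", key)
    out, n = [], 0
    for ch in phone:
        if ch.isdigit():
            out.append(ch if n < keep_digits else str(d[n] % 10))
            n += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_customer(rec, key=MASKING_KEY):
    return {
        "id": pseudonym(rec["id"], "customer_id", key),
        "name": "Customer " + pseudonym(rec["name"], "name", key)[:8],
        "id_number": mask_sa_id_number(rec["id_number"], key),
        "email": pseudonym(rec["email"], "email", key)[:12] + "@example.test",
        "phone": mask_phone(rec["phone"], key),
        "dob": rec["dob"][:4],  # generalise the birth date to the year only
    }


def mask_order(rec, key=MASKING_KEY):
    out = dict(rec)  # amounts are not personal data; only the foreign key is masked
    out["customer_id"] = pseudonym(rec["customer_id"], "customer_id", key)
    return out


def mask_extract(customers, orders, key=MASKING_KEY):
    return [mask_customer(c, key) for c in customers], [mask_order(o, key) for o in orders]


def joins_preserved(masked_customers, masked_orders):
    """Every masked order must still point at a masked customer."""
    ids = {c["id"] for c in masked_customers}
    return all(o["customer_id"] in ids for o in masked_orders)


if __name__ == "__main__":
    mc, mo = mask_extract(CUSTOMERS, ORDERS)
    for row in mc + mo:
        print(row)
    print("joins preserved:", joins_preserved(mc, mo))
```

The design choice worth noting is that the pseudonym is keyed rather than a plain hash: an unkeyed SHA-256 of a 13-digit ID number or a phone number can be reversed by enumerating the input space, whereas the HMAC output is only as guessable as the key. Generalising the date of birth to a year, rather than replacing it, keeps age-based logic testable while removing a direct identifier.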


Editorial contacts

Robert Shield
Informatica