
Scramble to meet PPI Bill deadline

The pending Protection of Personal Information legislation will require companies to do more than just secure their data, says Deloitte Legal's Dean Chivers.

Organisations that have so far not planned for the Protection of Personal Information (PPI) Bill will have to scramble to meet the deadlines imposed by the legislation, especially given that a sound PPI solution can take approximately three years to implement.

This is according to Dean Chivers, director at Deloitte Legal, who notes that the pending legislation will require companies to do more than just secure their data – it will force them to extensively review their business policies and processes.

To get an indication of how prepared local organisations are for the Bill, ITWeb, in partnership with Deloitte, today unveiled the PPI Bill Survey.

The Bill is currently before the National Assembly parliamentary committee on justice and constitutional development.

In a statement, Deloitte notes that data privacy, in terms of the South African legislation, relates to an individual's personal information being safeguarded.

“If you have information about people, you can no longer deal with it as you used to,” Chivers explains.

From the point where personal information is collected, he adds, organisations will have to get a person's permission to use his or her information. According to Chivers, historically, South African organisations collected data and used it liberally.

“The PPI legislation will require that any terms or contract concluded must have a consent element built in. Information can only be used in terms of the permissions obtained, and when information is no longer required for the purposes for which it was collected, it will have to be destroyed.

“Information will have to be secured regardless of whether it's in 'soft data' form or 'hard data' form and the security requirements include control of access to information. In the case of information being sent across borders and to outsourced service providers, such recipients will need to meet the same security requirements,” he explains.

Deloitte believes significant changes to systems to make them compliant with the demands of the PPI legislation will have to be accompanied by extensive training of staff across disciplines, as new rules will apply to what were previously routine corporate functions.

The company adds that access to information within a company will have to be controlled on an 'as-needed basis'. This will dictate which of a company's officers have access to what material. For example, HR data should only be accessed by a small number of employees, this being the HR team, it explains.

“Policies controlling the use and storage of files within personal offices, access controls and the removal of data from company premises will also have to be written. Sanctions for contravention of legal provisions will therefore have to be included in a company's HR disciplinary code,” says Chivers.

He is also of the view that processes will have to be built around the collection, processing, monitoring, distribution, and ultimately, destruction of all personal information held by an entity.

“The primary responsibility of safeguarding information will rest with the collector of the data. In this regard, the proposed legislation makes it clear that the safeguarding cannot be outsourced.

“In markets like the EU, where strong PPI laws already exist, major companies are using the services of independent auditing companies to certify compliance with destruction and other privacy requirements. Industries that are highly reliant on direct marketing or which process significant amounts of personal information will be the first to be impacted by PPI. Companies using marketing tools such as competitions to create databases will have to operate differently.”

Some South African companies, Deloitte notes, especially those with international links to countries with well-developed PPI legislation, are already working towards ensuring their future compliance.

“The South African PPI legislation is sound legislation. It is modern and aligned with internationally accepted practice. It also meets the needs of a technological age in which information flows easily across the globe.

“The onus will be on South African companies to ensure that security across their operations is effective and can be introduced in the time stipulated,” concludes Chivers. If they can achieve this, they will be more competitive globally.
