POPI to make life easier for IT

By Admire Moyo, ITWeb's news editor.
Johannesburg, 06 Mar 2013

The imminent Protection of Personal Information (POPI) Bill will make life easier for the IT industry.

This is according to Nerushka Deosaran, an associate at Norton Rose law firm, speaking during the ITWeb Governance, Risk and Compliance Conference at The Forum in Bryanston yesterday.

Deosaran explained that although SA had privacy laws, these laws were not clearly demarcated, and POPI would come in to set out the boundaries.

According to Deosaran, the proposed law seeks to secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, and unlawful access to or processing of personal information.

Among the security safeguards of the proposed legislation, she pointed out that POPI aims to identify all reasonably foreseeable internal and external risks regarding personal information.

"The Bill also will ensure that organisations that deal with personal information establish and maintain appropriate safeguards against risks identified as well as regularly verifying that the safeguards are effectively implemented.

"It will also ensure that safeguards are continually updated in response to new risks or deficiencies and have due regard to generally accepted information security practices and procedures which may apply to it."

Deosaran also noted that when POPI becomes law, the role of IT will see some significant changes.

Post-POPI, she said, the IT department must ensure that the organisation is complying with the rules and it will also be responsible for the review and audit of current practices.

The law will also stipulate that organisations processing personal information on behalf of a responsible party may do so only with the knowledge and authorisation of that responsible party.

"It will also be required that they treat personal information as confidential and must not disclose it unless required by law or in the proper performance of duty.

"Those handling personal information must also notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed by an unauthorised person."