SA to criminalise data hoarding

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 25 Feb 2015

With the imminent promulgation of the Protection of Personal Information (POPI) Act, data hoarding will become illegal in SA.

So said Michiel Jonker, director of IT advisory at Grant Thornton, addressing the Governance, Risk and Compliance Summit 2015 held at The Forum in Bryanston yesterday.

According to Jonker, data hoarding is the gathering of data without a clear business reason or security strategy to protect the underlying information.

There is still no news on when POPI is going to commence, but the law stipulates that data may only be processed for as long as there are clear and defined business purposes to do so.

"We are all data hoarders," said Jonker. "Data is hoarded in electronic and non-electronic formats and with the emergence of the Internet of things, machines are also creating data. People also have a tendency to multiply data by sharing it, processing it and storing it," he added.

"The problem with data hoarding is it attracts 'flies'. As data is being referred to as the new currency, big data also attracts criminals. The likelihood of a security breach is high in today's extremely complex IT environment."

Big data can be used for solid business intelligence, assisting the board and management with strategy and tactical decisions, Jonker said. However, the dilemma is data hoarding increases a company's 'risk surface' - "hackers know we hoard data".

He believes people hoard data mainly because they consider information a source of power they want to hold on to.

"Since information is power, we never want to get rid of it. 'I might need it in the future' is the typical response of a hoarder. An example is e-mails which people just keep in order to clear their names in the event of something going wrong at work. This has resulted in Exchange server becoming our official database."

The POPI Act will challenge our reasons for collecting, processing, usage and storage of data, Jonker pointed out.

To comply with the new legislation and avoid being confused by some terminology in the POPI Act, Jonker urged organisations to embrace international data privacy best practices, aligned with POPI, to guide them in collecting, processing and securing big data.

These best practices include ISO/IEC 29100:2011 which provides a privacy framework for data management, he noted.

"ISO/IEC 29100:2011 also specifies a common privacy terminology and defines the actors and their roles in processing personally identifiable information. The practice also describes privacy safeguarding considerations and provides references to known privacy principles for information technology."

Another best practice is Generally Accepted Privacy Principles, he added.

According to Jonker, all international best practice guidelines deal with three aspects of information security and confidentiality - to prevent or protect data breaches in the first instance; to detect data breaches, if prevention measures have failed; and to correct breaches or perform damage control.