
With the Protection of Personal Information (POPI) Bill around the corner, there are increasingly urgent reasons companies need to control their information.
So said Allison Walton, eDiscovery counsel at Symantec, in an interview with ITWeb last week. Walton believes that as information growth continues to explode, organisations are looking for ways to manage that information more effectively.
She is also of the view that having controls in place gives companies the confidence to let their employees use new technologies.
Walton also noted that to provide these controls, different parts of the company need to collaborate more than they have in the past. "This is information governance, though many companies won't yet be using the term."
According to Walton, the term information governance is not new but it is not well-defined. "We define it as the ability to retain, secure and analyse data to deliver a common view across business, legal and IT to enable organisations to balance information control and freedom."
With information governance in place, Walton believes that organisations must be able to classify information for retention, supervisory review, and discovery.
"They must also have common policies for attorney-client privileged information to prevent data loss and for retention; as well as have search backups and archive, and apply legal holds at the file-level for eDiscovery.
"They must also identify potential custodians for eDiscovery based on file usage data and classify files for use in eDiscovery collection and use technology assisted review results for future data classification."
She also pointed out that some of these terms are defined in POPI, explaining that the definition of 'processing' is very broad, and it seems to include every conceivable action - collecting information, receiving it, storing it, updating it, modifying it, disseminating it, even destroying it.
The term 'personal information' is also broadly defined under POPI, she said. "It covers, for example, information relating to the race, sex, pregnancy, marital status, ethnicity, colour, sexual orientation, age, health, religion, language and education of a person.
"It also covers medical, financial, criminal and employment histories. It includes ID numbers, addresses, telephone numbers and blood types. It also covers personal opinions, the private correspondence of a person, and the views that other people have of a person. It even includes the mere name of a person, if the name appears together with other personal information."
Walton also pointed out that a 'record' is defined to include recorded information in any form that is in the possession or control of a company or public body, irrespective of whether or not it created it.
"POPI seeks to balance the constitutional right of privacy with business growth objectives for SA and other business needs like the need for economic and social progress within the context of the information society, and the interest in a free flow of information, both domestically and internationally."
According to Walton, information privacy, or data privacy, is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.
She also said privacy concerns exist wherever personally identifiable information is collected and stored - in digital form or otherwise.
"Improper or non-existent disclosure control can be the root cause for privacy issues. Data privacy issues can arise in response to information from a wide range of sources, such as religion, health records, credit information, etc. The challenge in data privacy is to share data while protecting personally identifiable information."