Prepare to appoint an information officer
The Protection of Personal Information Act (POPI) ensures the right to privacy is taken seriously, says Belinda Milwidsky, IT manager at Fluxmans.
It includes the right to be protected against unlawful collection, retention, dissemination and use of an individual's personal information. This allows individuals to be in control of who has access to their personal information and the purposes for which this information is used, she notes.
"I think POPI is so broad and a lot of companies are taking the wait-and-see approach. Furthermore, companies are seeing POPI as a mammoth task and are either ill-equipped with processes or understanding to better deal with the implementation of POPI and the rules that will follow."
Milwidsky says companies with enormous amounts of data and physical paper are going to struggle to catalogue and determine what information they have and how to manage it.
Managing the vast amounts of information, keeping it up to date or alternatively disposing of old information is going to be a massive task for most organisations. "Proper business processes will need to be put in place to assure this is done according to the rules of POPI."
As to who should be responsible for the POPI programme in an organisation, she notes: "The POPI legislation requires an information officer to be appointed. The role of the IT manager will definitely help with this purpose but it is not the sole responsibility of the person in this role. The areas POPI affects are extremely broad and will cover multiple spheres of personal information, which will include both electronic and paper information.
"POPI automatically designates the head of the business as the information officer," she points out.
The business head or person responsible for the organisation can delegate his or her responsibilities as information officer to any other duly authorised person or persons, she adds.
It is very important to note that whoever "determines the purpose of and means for processing personal information" remains ultimately responsible for ensuring the processing of personal information is done in a lawful manner.
"While POPI does not set out specific skills and qualifications for an information officer, realistically the role requires the following skill sets: legal training, a good understanding of information technology, a broad understanding of the company's daily operations, time to dedicate to the processes that need to be followed, and buy-in and support from top management."