Unpacking the POPI Act: The ins and outs of protecting personal information
Local companies will soon be required to comply with the stringent provisions of the Protection of Personal Information (POPI) Act.
Local companies will soon be required to comply with the stringent provisions of the Protection of Personal Information (POPI) Act, which regulates how they handle, store and secure personal information, or face substantial penalties.
The POPI Act was signed into law by president Jacob Zuma in November last year, but a commencement date is yet to be announced. While the Act is expected to come into practice later this year, it is unlikely to happen before the country's general elections, set to take place at the beginning of May.
"Once a commencement date is announced, companies will only have one year to get their houses in order," says Johann van der Merwe, Security Practice Lead at Accenture. "Companies can apply for an extension but could run into difficulties, as their security systems and processes should already demonstrate a high standard, especially if they're storing sensitive, personal information."
First mooted back in 2005, POPI is SA's first consolidated piece of legislation detailing how companies must deal with people's - and entities' - information. It brings the country in line with international laws on privacy.
The legislation is based on the European data protection directive, and aims to ensure that personal information is processed in a way that accords with internationally accepted data protection principles. "There are strict penalties, not least of which is the damage a company's reputation can suffer if there's an information breach because of the disclosure requirement in the law," says van der Merwe.
What it is
POPI is an all-inclusive piece of legislation that safeguards the integrity and sensitivity of private information. In response, entities operating in sectors that require them to handle personal particulars - ranging from financial services to telecommunications - will be required to carefully manage the data capture and storage process. Companies will also have to get permission to keep data, and disclose the reason that they need it.
The Act will apply to any information regarding clients or suppliers, including contact details and correspondence. Human resources and payroll data, curricula vitae, applications for employment, CCTV records, performance reviews and internal e-mail records are also subject to POPI's requirements.
POPI also outlines stringent cross-border data transfer requirements as information may not be relocated to countries with inadequate information protection frameworks.
POPI sets out eight conditions for lawful processing, which require that the personal information (PI) of both individuals and juristic entities is sufficiently protected and is used in a manner that facilitates transparency around the following:
* What is done with the personal information;
* Why and how it is processed (i.e. this covers all phases of a typical information management lifecycle - from collection, to usage, sharing, disposal, archiving, etc);
* Who the personal information is shared with (i.e. third parties - both locally and internationally, other legal entities - sometimes within the same group or company, etc);
* What types of personal information are processed and for what purpose.
Privacy is about ensuring that both individuals and juristic entities are aware of what is being done with their personal information. Within South Africa, our Constitution emphasises the right to privacy. This means that ultimate ownership of the personal information resides with the individual/juristic entity concerned.
"I always say that privacy happens in the front office," says Ritasha Jethva, Governance, Risk and Compliance Lead at Liberty Group South Africa.
"This means that the eight conditions of privacy have to take effect before a sale, a service or a deal is concluded. Everything else is back-office and everything else is based on how the organisations adopt and implement their governance, risk and compliance measures.
"When one considers breaches, the same applies. The impact of the harm which could be caused to the impacted parties is always circumstantial and the context within which the breach has occurred is vital in understanding how the breach occurred or how the breach could have been prevented."
As a result, given that ownership does not shift to the party who obtains and processes the information, the onus remains on the receiving party to ensure that transparency is maintained around all aspects of personal information.
To this end, juristic entities and individuals have the right to question any aspect of what is being done with their information.
"The first thing to realise is that there are no such things as 'zero-privacy breaches'. Hence, the key question always remains - how does one respond when there is a privacy breach, rather than if there will be a privacy breach? Avoiding a breach is about ensuring that all eight conditions of the Act are adhered to. No condition should be given precedent over another," says Jethva.
What POPI means for business
POPI ensures the right to privacy is taken seriously and does include the right to be protected against any unlawful collection, retention, dissemination and use of an individual's personal information.
Companies, therefore, have to receive consent from individuals before they can obtain and retain personal information for communication or any other purpose. "Personal information" includes contact details, demographic information, personal history, as well as communication records.
In the realm of the IT industry, explains Jethva, POPI translates into the need for a greater understanding of how personal information is stored and processed, including the systems and processes involved and how logical and physical access is maintained and managed for the systems and areas housing personal information.
Physical and information security functions must be intensified when it comes to dealing with the protection of personal information. As simple as this may sound, says Jethva, the crux of POPI is to protect the personal information and prevent the information from getting into the wrong hands, thereby, protecting individuals and juristic entities from any damage, including financial fraud, identity theft, misuse and the abuse of personal information.
Hence, in terms of IT, POPI dictates that a set of streamlined processes and systems are established that can easily identify where personal information is stored, understand how this information is processed electronically, who has access to this information, as well as for what purpose and how it is being processed.
Within IT environments, says Jethva, where flat network structures are in place, more challenges will be experienced, as it will be difficult to ring-fence those systems and applications which process or store personal information, given the integrated nature of systems on a flat network. This makes the application of protection measures even more challenging and expensive, as more than just personal information-related systems would need to adopt a set of heightened security controls.
The automated management of consents and audit trails, which facilitates logging of who accessed personal information, on which date and at what time and for what reason, will become key for evidentiary purposes in the event of a breach.
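The following is an illustration of the kind of consent check and audit trail described above, written for this page as an added example rather than anything from the article or from Liberty or Accenture. The record fields, the purpose names, the `access_personal_info` gate and the SHA-256 hash chain that makes the trail tamper-evident are all assumptions chosen for the illustration; the sample subject data is constructed.

```python
"""Consent register plus tamper-evident access audit trail (added example).

Assumptions (not from the article): the record layout, the purpose names
and the SHA-256 hash-chaining scheme. The sample data below is constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


class ConsentRegister:
    """Maps a data subject to the processing purposes they have consented to."""

    def __init__(self):
        self._consents = {}  # subject_id -> set of purposes

    def grant(self, subject_id, purpose):
        self._consents.setdefault(subject_id, set()).add(purpose)

    def withdraw(self, subject_id, purpose):
        self._consents.get(subject_id, set()).discard(purpose)

    def permits(self, subject_id, purpose):
        return purpose in self._consents.get(subject_id, set())


class AuditTrail:
    """Append-only log in which each entry commits to the previous entry's hash,
    so that deleting or editing an entry after the fact is detectable."""

    FIELDS = ("actor", "subject", "field", "purpose", "allowed", "when")

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, record):
        payload = prev_hash + json.dumps(record, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, actor, subject_id, field, purpose, allowed, when=None):
        """Record who touched which PI field, when and for what reason."""
        when = when or datetime.now(timezone.utc).isoformat()
        record = {"actor": actor, "subject": subject_id, "field": field,
                  "purpose": purpose, "allowed": allowed, "when": when}
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = dict(record, prev=prev_hash, hash=self._digest(prev_hash, record))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; False means an entry was altered or removed."""
        prev_hash = "0" * 64
        for e in self.entries:
            record = {k: e[k] for k in self.FIELDS}
            if e["prev"] != prev_hash or e["hash"] != self._digest(prev_hash, record):
                return False
            prev_hash = e["hash"]
        return True


def access_personal_info(store, consents, trail, actor, subject_id, field, purpose):
    """Gate a read of one PI field on recorded consent for the stated purpose,
    and log the attempt whether or not it is allowed."""
    allowed = consents.permits(subject_id, purpose)
    trail.append(actor, subject_id, field, purpose, allowed)
    if not allowed:
        return None
    return store[subject_id][field]


# Constructed sample data: not a real person or number.
STORE = {"s-001": {"name": "A. Example", "phone": "+27 00 000 0000"}}


def demo():
    """One permitted read, one refused read, then a tampering check."""
    consents = ConsentRegister()
    trail = AuditTrail()
    consents.grant("s-001", "service_delivery")
    ok = access_personal_info(STORE, consents, trail, "agent42", "s-001", "phone", "service_delivery")
    denied = access_personal_info(STORE, consents, trail, "agent42", "s-001", "phone", "marketing")
    intact = trail.verify()
    trail.entries[0]["purpose"] = "marketing"  # simulate after-the-fact editing of the log
    tampered = trail.verify()
    return ok, denied, intact, tampered


if __name__ == "__main__":
    print(demo())
```

Both the allowed and the refused read are logged, because the refused attempt is often the more useful record during a breach investigation; the hash chain only detects alteration, so in practice the head hash would also be shipped off-box (to a write-once store or a separate log system) so the chain cannot simply be rebuilt by whoever edits it.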
Further challenges arise with mobile device strategies, bring your own device (BYOD), the adoption of social media and cloud-based strategies.
According to Jethva, these technologies and mediums put control of personal information back with the end user/consumer, so organisations adopting these strategies need to think carefully about where the boundaries start and stop and what policies, processes and monitoring mechanisms will need to be put in place in order to clearly understand what is being done with personal information for which the organisation is responsible.
Failure to adhere
The POPI Act allows for a R10 million penalty and/or a jail sentence to be handed down, should an entity be in breach of the legislation.
"This for me is not the important factor upon which to implement privacy," says Jethva. "Penalties will be relevant based on the extent of the breach concerned, as well as the extent of negligence found on the part of the responsible party.
"If one looks internationally - it is clear that penalties are based on the extent of non-compliance to the Act, as well as the intent around how privacy was implemented across the organisation.
"It is for this reason that the spirit of POPI must be taken into account when implementing it across the organisation, as this will speak to the intent of what the organisation aimed to achieve."
"You can have security without privacy, but you cannot have privacy without security," says Ritasha Jethva, GRC Lead, Group Process and Technology for the Liberty Group.
Some countries, such as the UK for example, are exploring penalties which could have serious financial implications on the business, relating a penalty to a percentage of annual gross turnover. This is substantial and significant in monetary terms.
Organisations therefore need to treat POPI less as a legal formality and more as practical legislation that stems from the need to ensure that individuals and juristic entities are kept abreast of what is being done with their information and the reasons for it.
Jethva says that those concerned have the right to complain and escalate any issues related to privacy, especially if they believe that their right to information privacy has been violated. Once the information regulator has been established, greater clarity will be obtained as to how this issue will be dealt with. For now, it is important that employees and the public understand their right to information privacy and to ensure that those rights are upheld in the right spirit.
How POPI will be implemented
There is no straightforward answer as to how POPI will be implemented; how the Act applies depends on the organisation concerned.
"POPI should be implemented based on ensuring that the interests of the individuals and juristic entities concerned must be kept at heart. If one ensures that their interests are kept at heart, then implementation can't go wrong. The reason for this is that a clear understanding would be adopted in ensuring that the eight conditions are fairly and equally applied in an integrated manner in order to ensure that impact to individuals and juristic parties are kept to a minimum," says Jethva.
In accordance with the Act, as soon as a privacy breach is detected and established, it must be reported to the regulator and to the party whose information was accessed.
All responsible parties need to know and be able to explain how the breach occurred, what has been done to contain any harm and how will any such breach be prevented in the future.
All affected parties will need to be given written notice of the breach, so it is important to understand what personal information was breached in order to know who the impacted audience was. Contact information used to notify impacted parties needs to be kept as accurate and up to date as possible at all times.
The Act explains the manner in which to proceed with notification once a breach has been established: the individual needs to be informed of what consequences may follow and guided on how to mitigate the situation from their side.
IT law consultant professor David Taylor points out, though, that merely writing a letter and claiming that all steps were taken to notify an individual of a breach is unacceptable. "The regulator will investigate whether you exhausted all your resources to advise and inform the individual of the breach."
A typical South African attitude is to pretend nothing has happened. "But you will be found out," warns Taylor. "Do you really think those credit card details you lost won't be up for sale on the Internet? And then the regulator will be after you.
"So any attempt to simply fill the formalities is not enough."
Furthermore, breach responses need to be well coordinated at executive level, as impacted parties will want to understand what transpired and how they will be further protected.
According to POPI legislation, it is required that any security compromise is disclosed. "Remember," says Taylor, "You might be a responsible party. That is the person that takes responsibility for that data or you may be a processor, a subcontractor or supplier, so this notice of security compromise can apply to both those organisations. It's a contractual relationship."
Data breaches will have to be looked at individually to establish whether there was malicious intent to access that information, or whether it was a mere mistake on an employee's part.
"Answers here are not straightforward - companies will have to answer these for themselves. The more crucial question, however, is liability. Are you going to be held liable for the behaviour of that individual?
"As the security professional in that company, is your head going to roll, because you didn't put the proper measures into place?"
Taylor explains that, in law, an employer will be held responsible as they have allowed access to information they were supposed to hold safe, regardless of whether the employee was merely innocent or negligent.
In contrast though, if a company has indeed taken all the necessary steps to secure information and employees manage to acquire that information and sell it, the company might be in breach of the POPI Act, but will not be held liable, he said.
"Protecting personal information is almost an inherent expectation that entities have when they engage with you. It's based on an implicit trust that the information will be protected as required," says Jethva.
"Hence, a breach of that information shakes the foundation of the trust that people/juristic entities have in the responsible party and they begin to question and doubt the governance, risk and compliance measures which the responsible party adopts," says Jethva.