Just as companies were starting to become complacent about achieving POPI (Protection of Personal Information) compliance, the deputy minister of justice, John Jeffery, announced last week that the ball is starting to 'roll' on establishing the regulator.
Remember, POPI will have a huge impact on the record-keeping and non-disclosure disciplines of public and private bodies, and not only in relation to the personal information they hold about consumers: employee data is affected just as much.
In this Industry Insight, I give a brief overview of some common areas of non-compliance risk in the HR function. The opinions are based on the experience of some of PBT Group's principal consultants, who advise clients' data management functions.
POPI conditions - common risk findings
POPI requires that responsible parties (employers) satisfy eight key conditions. For the purpose of this Industry Insight, key risks have been identified under some of those conditions.
The first condition, accountability, requires the responsible party to accept responsibility for complying. At enterprise level, the portfolio of evidence would include: (1) the appointment of a formal information officer; (2) a documented data privacy policy; (3) a formalised privacy breach management process; and even (4) a call centre hotline promoted on the company Web site and intranet.
At the level of the HR function, HR will be expected to have sufficient governance documentation, with detailed policies and standard operating procedures updated to interpret the enterprise data privacy policy and make it tangible to every HR employee.
The most notable risk for accountability identified by PBT Group's principal consultant, Wayne Sedice, is the lack of HR standard operating procedure documentation in general, let alone ensuring it is updated to incorporate POPI-related guidelines.
Projects also need to be initiated to revisit all HR processes and find any elements that must be amended to ensure POPI compliance; for example, standards for HR data retention and disposal, security controls and privacy rights all need to be updated.
Sedice also identified failures to satisfy the contracting requirements that ensure all third-party operators (e.g. recruitment agencies) are effectively governed through service level agreements or non-disclosure agreements.
Further processing limitation (condition number four) regulates instances in which personal information is used for purposes other than those originally defined. It boils down to this: the new purpose for processing must be compatible with the original purpose. An example of further processing would be accessing an employee's personal information and sharing it with a training provider when scheduling training. Compliance with this condition implies implementing controls to detect and prevent unauthorised further processing.
The key processing risk for HR lies in the fact that HR processes are typically less formal and less system-facilitated than core business operations, so personal information is frequently shared via e-mail, on unencrypted and unsecured portable devices, and as hard copies printed out pervasively throughout companies. This creates an environment in which unauthorised disclosure of personal information is rife and difficult to control.
Security safeguards (condition number seven) are traditionally thought of as an IT responsibility. However, various non-IT security safeguards are also required, especially in HR's less formal processes, which IT cannot control with confidence. This condition requires process controls to be put in place to ensure the integrity and confidentiality of employee data that is not held in the formal IT systems (i.e. employee files).
In assessing HR data security controls, security safeguard alarms go off on two specific aspects:
First, in IT development and in back-end access to production environments, IT professionals such as database administrators have unrestricted access to all data. This exposes large data sets to potential theft by an aggrieved member of IT staff.
Second, HR staff members can often copy bulk employee data into spreadsheets for use outside the system in various less formal HR processes. These spreadsheets are typically unmonitored and uncontrolled by IT.
The most pertinent scenario for non-IT security controls is the protection of physical data files. These should be stored in locked storage facilities in designated areas, and access to the files needs to be controlled and thoroughly logged.
The sixth condition, openness, is probably the most contentious for HR. It obliges the HR department to notify the employee whenever information of a personal nature is collected about him or her. An obvious scenario is credit or reference checks done on a job applicant without his or her consent, as these collect "views and opinions" about the candidate. The formal scenario, in which the majority of employee personal information is recorded, normally takes place with the direct involvement of the employee, and sophisticated HR management systems provide functionality for employees to view and amend all personal information recorded about them.
The real risk for openness lies more in the level of detail the employee is made aware of. The employee knows that all the personal information on his or her CV, and the information volunteered on the job application, is recorded. However, the regulation specifies that the employer must also disclose the consequences of failing to provide the requested information, any laws authorising or requiring the collection, the scenarios in which the employer intends to transfer this information to a third party in another country, and so on.
Becoming compliant
While awaiting the appointment of the proposed regulator and the subsequent publication of a comprehensive supporting set of regulations and guidelines, I recommend that HR management gets the ball rolling as soon as possible. Engage with the company's legal advisors and start an initial internal assessment.
As POPI is still in its infancy in SA, the above will evolve over time, but the fact remains: POPI is here to stay, and the deadline is fast approaching. Don't be so consumed by consumer data that employee data is forgotten.