Data privacy is a critical issue considering the Protection of Personal Information Act (PoPIA) legislation that has recently come into effect. The practical implementation is now a focus, as businesses have until 1 July 2021 to ensure that they are compliant.
PoPIA is governed by the Information Regulator (IR), whose mandate is to protect the personal information of natural persons (living people) and juristic persons. Non-compliance could result in a fine of up to R10 million or 10 years in jail.
To avoid financial loss and reputational damage, it is important to focus on data protection and to consider appointing an owner who will drive this throughout the business. This can be either a person or a team responsible for the data privacy function, whatever the size of the business. They act on behalf of the head of the organisation and are specifically tasked with upholding the requirements and reporting on them.
That being said, it is everyone’s responsibility to protect the privacy of information that data subjects share with a business and to comply with the measures established by the organisation in accordance with the legal framework relevant to the data processing system they work within.
The eight conditions of PoPIA
There are eight conditions in PoPIA for adhering to lawful processing:
Accountability: When processing personal information, the party (“responsible party” in terms of PoPIA) handling the information must ensure they are doing so in compliance with the legislation.
Employee training is a critical component of becoming compliant. Employees need to know how to manage data correctly and take accountability for their actions. Training can be done in many formats including educational emails, face-to-face sessions, posters, or videos.
This is of particular importance as many people are working from home, where it is difficult to track data processing. What is being printed? How is it being stored? Is it being discarded properly? You need to ensure that you have similar controls in your employees’ home environments as you would have in the office. Teams managing data protection, information security and operational risk within an organisation should take the required steps to ensure employees’ home offices are a safe and secure workspace.
Processing limitation: Processing of personal information must be done lawfully and must not infringe on the privacy of the data subject. Ensure that only the data required for the particular purpose is collected and processed; that, when consent is provided by the person or organisation, such consent is clear and unambiguous and justified in relation to the purpose for which it is given; and that they are able to object to the processing or opt out if they need to.
Purpose specification: As a business owner, you should know what personal information is processed, where it is processed and who processes it. It is important to know where the data is stored, how long it is required to be stored for and when it should be destroyed.
One of the greatest risks is the transfer of personal information to third parties, and the resulting need to continually assess each third party’s compliance with the relevant data protection regulations. The data processing chain needs to be secure from beginning to end.
Further processing limitation: Additional processing of the information should be done for the reason it was collected, e.g. the personal information that was given when applying for a mobile phone contract should not be used by another company for marketing purposes without the consent of the data subject. There is a limitation on processing – you can’t share or transfer information forever!
Information quality: Only accurate data should be kept on file and regular, proactive updates should be done.
Openness: Be open with people about what happens with their data once it has been captured, why it will be processed, who else will process it (will it be sent to a third party, etc.), what rights they have to the control of their data and when it will be destroyed.
Security safeguards: It is not only the IT / Information Security department’s job to put security in place. The bigger risk is the people who work with the data every day - where are you leaving files, and where are you working on your laptop? Understand what the internal and external risks are. When a data breach occurs, it must be reported to the company’s Information Officer (IO). In terms of PoPIA, every data breach needs to be reported to the IR, regardless of the materiality of the data breach.
Data subject participation: This is where the Promotion of Access to Information Act (PAIA) comes into play. Data subjects have the right to ask for access to their data and to stop it from being processed. If their data is inaccurately captured, they can ask for it to be corrected or erased (subject to other laws and the retention periods those laws require for keeping the data).
Put yourself in the shoes of the client
People have the right to decline decision-making through an automated process and ask for human intervention. It is important to know where these requests go and how they are handled within an organisation.
Special care needs to be taken when processing information relating to children or other sensitive information, e.g. race, biometric and health information. Always put yourself in the shoes of the client - if this were your personal information, how would you want it to be processed and protected?
Becoming PoPIA compliant is not as difficult as it seems. Once appointed, the privacy officer will champion the culture of data protection in the business. They will implement the internal policies and train staff to manage data correctly, supported by good documentation.
By understanding how data is processed, stored, and used, organisations will be well-equipped to deal with the ever-changing data environment.