It’s finally here!

Residential Security Handbook 2021: SMART Estate Living Editor's Choice

After many years of speculation and eye rolling, the Protection of Personal Information Act (POPIA) has finally arrived and will be enforced from July 2021.


Although the Residential Estate Security Handbook has covered POPIA in the past, for this handbook we approached some experts in the local privacy legislation to find out whether we are ready for the new standards estates (and everyone) will be held to, and to perhaps glean any last-minute advice for those not ready for the new law.

Before getting into the details of POPIA’s requirements, the million-dollar question is: are estates ready and able to handle the requirements of the law? Perhaps more importantly, are security staff up to speed with what will be required of them?

Andy Lawler, MD of Sentinel Risk Management, is of the opinion that South Africa in general is not mature enough in terms of the protection of private information. “It is, unfortunately, the opinion of this writer that the education level of the average security guard does not allow for risk-based thought processes in terms of what could happen should certain information find itself in the wrong hands. This low education level combined with a low salary level leaves many security personnel members with a ‘don’t care’ attitude.

“As a security assessor and consultant, I have been exposed to many unkempt guard rooms, incomplete and scribbled occurrence books and poorly written standard operating procedures. These are unfortunately the norm rather than the exception. With this in mind, I have extraordinarily little confidence that security personnel in South Africa will mature to the expected level, in terms of the POPIA, anytime soon.”

He therefore suggests that residential estates in general are going to struggle to become compliant, not because they have not put procedures in place, but because the lack of understanding and foresight of security guards leaves those procedures lacking in terms of execution.

Added to this, unfortunately, is the expense needed to become compliant and the resistance of boards of trustees to expend funds not budgeted for. “Thus, most estates will remain with the entrance book, which, unless handled correctly, is the biggest threat to the information security of residents and visitors within estates.”



Another threat he sees in terms of the estate is that security guards refuse entry to people who refuse to fill in sensitive information such as identity numbers, as they have no knowledge of the Act about the protection of private information. Thus, drivers wishing to enter an estate will fill in this information under protest. Furthermore, the guards do not have the facility to ensure that the information being filled in is correct unless they check the number against the driver’s identity document. Too many guards, unfortunately, place too much trust in the word of the driver.

Any person entering their private information onto any document or database has the right to know that their information is being protected. Thus, residents and visitors to estates should have the right to ask where their private information is being stored, how it is being protected from unauthorised scrutiny, how long the information is being stored for and, finally, who has access to this information.

“Security guards will need to be trained properly to handle such requests,” Lawler states.

The responsible party

Anna Collard, SVP Content Strategy and evangelist at KnowBe4 Africa, adds to this, noting: “To be considered compliant with POPIA, estates, or any responsible party for that matter, will have to establish policies and procedures to ensure they adequately process and protect the personal information they collect.

“Furthermore, they need to identify, assess and act upon the risks related to the processing of personal information and adequately protect it. This may require a bit of outside expertise, especially when using information technology. So, in my opinion, I doubt that many smaller organisations, including estates, would be fully compliant come July.”

Rieka van Wyk, global privacy manager at PayU, says: “It is key that estates are able to indicate, at a minimum, how they process personal information, what type of personal information is collected and be transparent on their legal basis for collection. Be sure to be ready to reply to data subject requests if individuals ask.”

She adds that full compliance is also a misnomer; estates, as responsible parties, will have to meet the conditions under POPIA as well as ensure that the operators (processors) which process personal information on their behalf meet the requisite requirements as well. “Given the breadth of POPIA, I would be dubious of any estates, even larger organisations, claiming to be POPIA certified or fully compliant.”

Top POPIA checklist items

As Van Wyk noted above, POPIA is very complex and compliance is not simple. Nonetheless, we asked if our respondents would be able to break down the requirements of the law into a simple (and short) checklist estates could refer to.

Collard recommends the following:

1. Make someone responsible for the protection of personal information, namely by appointing an information officer or designated information officer (if no one is appointed, the CEO is de facto information officer by law). A bus needs a driver and the same applies to data protection programmes.

2. Identify what type of personal information is currently collected and why (the purpose for it). Challenge yourself about the purpose. For example, is it really necessary to ask for visitors’ IDs? What is the purpose of this, and can’t that purpose be fulfilled with less personal information? Is there a way to ‘de-identify’ the personal information and still meet the same security estate requirements?

3. Understand where the personal information is stored, whom it is shared with and how it is currently protected from unauthorised access, theft or destruction. It helps to start this process by visualising the data flow in a simple data flow diagram and identifying the controls that are currently in place (or missing).

Van Wyk recommends paying careful attention to the use and storage of CCTV recordings and how and where such data is going. “Understand that it is your responsibility to understand where personal data is being processed.”

4. Identify and assess risks. Here, it might be good to talk to someone with an IT or security background to understand what could happen to the personal information you are responsible for. Think about scenarios such as a laptop or smartphone being lost or stolen, your cloud username and password being compromised, or someone falling for a phishing attack that results in malicious software such as ransomware destroying all the data unless a ransom is paid.

5. Educate yourself as well as your staff about the key conditions of POPIA, security best practices and the value of personal information, and how to handle personal information with care.

Lawler suggests that the residents within an estate should ideally have a clear idea as to where private information is kept by the management of the estate, who has limited or unlimited access to this information, how access to this information is managed and, finally, who is responsible for the protection of this information. Furthermore, he adds:

1. Are the processes used to collect and store this information audited?

2. Once used, how long is this information stored for and how is it destroyed when it is no longer required?

3. Are guards and other collectors of privacy information, for whatever purpose, trained to protect that information according to the POPIA stipulations?

4. Are policies and procedures in place to ensure the protection of this information?

What about smaller estates and complexes?

Smaller estates may not have dedicated security managers or the budget to opt for large POPIA training programmes. They, however, are still subject to the law and must also prepare. Quite simply, Lawler says smaller complexes, despite their limited budget, need to comply with the minimum standards stipulated within the Act or they stand the risk of legal action. “Thus, as far as possible, they need to look at moving away from the so-called ‘truth book’ and move towards an automated computer-scanner based system.”

As an estate manager, the first step Collard would take is to learn more about the basic privacy principles laid out in POPIA and how they may apply to the estate. “Remember that less is more, so the less personal information you collect, the less you need to protect,” she advises. “Review the business needs for collecting and storing personal information and try to limit it wherever possible. If possible, get some outside help to assist in the assessment of your current situation and the controls you may have to put in place. There are many reputable organisations in South Africa which offer some free advice, educational webinars as well as training and actual hand holding.”

Services offered

Sentinel Risk Management is a security assessment firm that assesses the efficacy of guardrooms, guards and processes, explains Lawler. “Our audits include the condition of the information gathered in terms of the estate’s policy and procedures, and we offer bespoke advice, within the budget of the estate, on how to improve their Threats, Risks and Vulnerabilities, both in physical security as well as information security.” Contact Sentinel Risk Management at [email protected] or www.sentinelriskmanagement.com.

Collard says KnowBe4 “provides security and compliance awareness training to assist organisations in driving internal awareness and equipping their employees to make better security decisions, every day.”

More information is available at www.knowbe4.com.

