printer friendly version

POPI and the cloud

In my previous article I gave a short breakdown of the new proposed Protection of Personal Information Act (POPI) and highlighted some of the issues that entities might encounter in terms thereof, especially when outsourcing processes to third parties.

In this article, we will have a closer look at POPI and cloud computing. As promised, I will deal with some of the questions one needs to ask your potential cloud service provider before entering into an agreement. But first, I will aim to dispel a common POPI myth that has been manifested by cloud doomsayers in the advisory sphere.

Myth: moving information or data to the cloud is bad for securing such information or data in terms of POPI.

The fact is that employee malice and negligence cause the majority of data breaches worldwide and unauthorised access (e.g. hacking) is on the increase. You should therefore rather ask yourself whether your in-house system is better configured to provide superior security measures than the proposed cloud provider. So yes, moving data to the cloud can be a bad thing if the provider has weak security measures. But it is an absolute myth if you utilise a provider that assists your company to manage the integrity, confidentiality, retention of and access to information or data by bringing skill, manpower, experience and superior technologies.

Fact: whatever version of the cloud your company wants to use, cloud issues in terms of POPI are the same. Whether public, hybrid or private, the key issue is the security of your information or data. A second and equally relevant issue is the location thereof, which can be seen as a particular aspect of information or data security.

Remember, when outsourcing personal information to a cloud provider, POPI places the responsibility for the security of such information squarely on your company.

Security in this context can therefore be seen from two perspectives:

* You must ensure that the provider processes your information or data only with your company’s knowledge or authorisation;

* You must ensure that the provider secures the integrity and confidentiality of information in its possession or under its control, by taking appropriate, reasonable technical and organisational measures to prevent:

- loss of, damage to or unauthorised destruction of such information; and

- unlawful access to or processing of such information.

POPI further necessitates that this must be governed by a written contract between you and the cloud provider.

* So before entering into such an agreement with a cloud provider, it might be good to first consider asking some of the following questions:

* Will my company have continued access to its information or data (backup and disaster recovery measures) irrespective of the information or data’s location?

* Can you provide me with assurances that unauthorised access to my company’s information or data is prevented (covers both protection against external hacking attacks and access by the cloud provider’s personnel or by other users of the data centre)?

* Do you have adequate oversight of any sub-processors (irrespective of their location) you use or might use and subsequent to that, do you have the necessary agreements and contracts in place to ensure the security of my company’s information or data?

* Do you have sufficient procedures in place in the event of a data breach that would enable my company to take the necessary actions in terms of POPI?

* Could you provide my company with a guarantee in the contract that it will have the right to remove or transfer its information or data at any time?

These few questions are mainly based on European precedent and companies or entities are therefore well advised, in addition to having received answers in the affirmative, to conduct a POPI detailed technical analysis incorporating an audit of the cloud provider.

Francis Cronjé

Share this article:

Further reading: