More than just compliance

1 July 2020 Security Services & Risk Management

The Protection of Personal Information Act (POPIA) has been doing the rounds for many years and now it has eventually been signed by the president. This means that from 1 July 2021, failing to look after personal information entrusted to you can land you in serious trouble.

Hi-Tech Security Solutions therefore asked John Cato, director of IACT-Africa and previous presenter at the Residential Estate Security Conference (on the topic of POPIA), to provide us with some insight into POPIA. While this article was initially written for the Residential Estate Security Handbook 2020, the applicability of the points made by Cato makes it relevant to a larger segment of the security industry, which is why we are publishing it here.

What to do?

One of the first things Cato notes is that we should recognise that POPIA is not simply a matter of ticking a few boxes and being compliant. Organisations should view it as the start of a journey for protecting the personal information of people and organisations for which boards and management teams are responsible. “It involves privacy and data protection, which is a global issue and an expectation today.”

He says it is important for management to understand the eight conditions (principles) of the act or they will struggle to relate to the subject. These are:

1. Accountability.

2. Processing limitation.

3. Purpose specification.

4. Further processing limitation.

5. Information quality.

6. Openness.

7. Security safeguards.

8. Data subject participation.

The conditions explained in full can be found in the document at https://justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf (also available via the short URL www.securitysa.com/*popia), from page 29 onwards.

Cato explains that two key aspects of POPIA are ‘Consent’ and ‘Purpose’. That means only collecting and processing personal information (PI) for a clear purpose and with the person’s consent. While the act is long (the above document is over 150 pages long), Cato summarises and offers the following advice to begin preparations:

• The starting point is to formally appoint an information officer (IO) and deputy information officer (DIO) where required.

• The next point to consider is the responsibilities of the IO and DIO. These are summarised in the regulations of December 2018. The first responsibility is the development, implementation, monitoring and maintenance of a compliance framework. This is not defined, but our recommended approach which is based on international practices includes:

º Establishing privacy policies and notices – this should include visible signage.

º Establishing information security related policies and technical measures, e.g. strong password practices, access controls to systems, encryption, data leak prevention (DLP), etc. Policies should include CCTV policies and biometric policies.

º Developing an inventory of PI, i.e., what PI is where (systems, files, etc.).

º Identifying activities and processes that include the collection, processing, sharing and destruction of PI.

º Conducting a personal information risk assessment and establishing risk treatment plans (important because of fines).

º Reviewing agreements with service providers where their services involve PI (e.g. security companies, IT service providers, accountants, auditors, etc.).

These must include a commitment by the service provider to protect PI in line with POPIA as well as the rights of the company for assessing their information security practices. We offer a Responsible Party (RP) to Operator (OP) contract template which has the appropriate clauses and references to sections in POPIA. It is important to check if any of these are hosted services outside of SA as transborder requirements exist (if, for example, you use Dropbox or other such cloud services).

º Obtaining consent for collecting PI from residents (current and new), visitors, contractors, etc. Special care should be taken regarding the PI of children, as this requires the parent’s or legal guardian’s consent.

º Defining retention periods in a policy and ensuring that PI is not kept for longer than it is needed.

º Conducting a privacy impact assessment for any new initiatives.

º Implementing a PAIA manual with a process for requesting access to information.

º Training staff and board members and promoting awareness among residents about POPIA and privacy.

º Implementing an ongoing compliance monitoring and management plan – things will change, such as service providers, board members, HOA staff, etc.

Adds Cato: “We encourage organisations to start a project with the above as key project tasks together with target dates and persons responsible for completing the tasks. If the initiative is not done as a project, there will be many gaps in the compliance framework.”



The above ‘simplified’ advice from Cato should make it perfectly clear that POPIA is definitely more than a box-ticking exercise. Cato has already been involved in a case where an individual laid a complaint with the Information Regulator about a residential estate’s use of PI. He can’t provide much information except to say that the estate received a stern letter and had to respond within a short timeframe, detailing what and how they handled the PI of the person concerned.

Fortunately, the estate in question was on track with POPIA preparations and was able to reply to all the questions, and the issue was thus settled. Had they not had the processes in place, the time allowed for a response would not have been sufficient to gather the required information in a panic, and the eventual penalties the regulator could impose are severe.

Who would be held accountable?

People with experience in the corporate world will be very aware of how skilled some people are at finding someone else to blame. This will be a bit more difficult with respect to POPIA. As Cato states, the IO is accountable when something goes wrong, but the company will not be able to wash its hands in innocence. Even if the company outsources, it still needs to make sure the PI the service provider holds is secure. “Outsourcing doesn’t mean you outsource accountability,” warns Cato, “you only outsource the responsibilities for carrying out the service activities. Fines will not be imposed on the SP, but on the organisation.”

He explains that the company (RP) has an obligation to establish a written contract with service providers (OP) in which a commitment by the service provider to protecting PI processed for the company is detailed. The organisation also needs to ensure that its service providers maintain security-related compliance. In other words, they should check what security safeguards are in place based on generally accepted processes and standards such as ISO 27001 or NIST.

“A related development is that there is now an ISO standard for a PIMS: ISO 27701. This complements ISO 27001 – the ISMS standard,” he advises.

Assessing compliance and advice

This article is a small snippet of advice with respect to POPIA; there is obviously a lot more to understand about the act. IACT-Africa has a website dedicated to POPIA at www.popisolutions.co.za, where it offers a free POPIA compliance health check.

IACT-Africa also conducts detailed assessments which will highlight shortfalls and provide recommendations for remediation. “We also provide multiple assessment tools, templates for policies, notices and contracts, as well as training material and general recommendation items from third parties.”

