Whether or not we are obligated to share our personal information is an important question and one we should prioritise. Not because the PoPI Act (PoPIA) has been in the spotlight, but because it is in our interest to safeguard our personal information (PI). This PI includes everything from ID numbers and bank details to sexual orientation or political affiliation. It is the very blueprint of who we are.
Legislation such as PoPIA intends to safeguard this by holding organisations and individuals accountable for upholding its principles. However, organisations should not only comply with the law to avoid punishment; they should value privacy because it is the right thing to do.
ATG Digital’s priority is to ensure compliance with PoPIA, and it completed the first phase of its compliance process in 2019. However, it is constantly evolving and improving as the business grows.
The company offers the following advice to data subjects entering a private gated community or office park where they are asked for personal information.
Under the Act:
• 'Data Subject' are the people or entities to whom the PI belongs.
• The 'Responsible Party' is the organisation that determines what information they need to collect and why. An organisation may collect data provided it has adhered to the eight conditions for lawful processing.
• ATG is defined as an 'Operator'.
As an Operator, the company has made it a prerogative to learn how the legislation applies to itself and share this with clients, resellers and data subjects. Its position is that POPIA compliance is rooted in the points below, and ATG has applied them to its gate scanners. ATG encourages all data subjects to interrogate the responsible party and operator providing such services to ensure the same has been done.
Standard privacy requirements
Accountability: Every ATG client knows they are a Responsible Party (RP) and understands their obligations under the Act. ATG provides educational materials and hosts regular webinars to assist them in meeting the requirements for compliance.
Processing limitations: Information is scanned for the legitimate purpose of protecting private sites, which is both in the interest of the site owners/tenants and the data subjects themselves, for the safety and security of themselves and their property.
Purpose specification: Information is limited to that which is absolutely necessary for the operational requirements of each site; it is deleted as soon as reasonably possible following the RP’s requirements; and guards are empowered with lanyard cards and boards to assist in communicating to data subjects the reasons for the data being collected.
Further processing limitation: ATG does not share the data with any third parties and has safeguards to ensure this.
Information quality: Data is scanned directly from source documents to prevent errors in capturing, and the data subject is encouraged to engage with ATG if they believe any data it holds is incorrect.
Openness: The RP is provided with the necessary signage for their entrances to communicate to the data subject the reasons for capturing, who ATG is, and how they may contact the company.
Data subject participation: ATG has a comprehensive complaints policy and a dedicated email address to assist any data subject requiring additional information on POPIA policies or processes. However, as it is not the RP, it is not authorised to access or delete the information without the RP’s consent and involvement.
Security safeguards: The list of safeguards implemented is too extensive to list completely, but it includes the following:
• All employees are trained in information security; they are legally and contractually obligated to keep personal information confidential; only authorised persons can access such information.
• Staff only access backend data upon receiving a written request from an authorised representative of the responsible party, and no information is shared with anyone who is not on this authorised list.
• The ATG devices hold no data, so the security guards, other guests, site managers or criminals cannot access the data via the device. Once data is scanned, it is immediately encrypted and uploaded to secure cloud-based storage. ATG uses Google Cloud Services. This decision is based on the service levels provided by Google and its commitment to data security and international data protection legislation. Google Cloud Services holds multiple ISO certifications and is considered the ‘Gold Standard’ in secure cloud storage.
• Data can only be accessed via a secure platform using a password. ATG has a suite of information security policies implemented to ensure IT security is of the highest international standard. Regular penetration testing ensures this security is in place.
ATG has adopted the appropriate, reasonable, technical, and organisational measures expected for the industry in South Africa. It has implemented robust policies governing all areas of the business, including electronic and physical records, as well as the physical security of its premises.
For more information, contact ATG Digital,
| Email: | megan@atthegate.biz |
| www: | www.atgdigital.biz |
| Articles: | More information and articles about ATG Digital |
© Technews Publishing (Pty) Ltd. | All Rights Reserved.
printer friendly version