Data protection legislation in a nutshell

July 2012 Security Services & Risk Management

When an organisation’s client, employee or customer’s personal details or information goes missing (for example, through human error, theft, hacking, data loss, or any other variety of data breaches), chances are good that these persons or so-called data subjects would not be made aware thereof by the organisation. In most instances, these data subjects’ first awareness would most probably be at the hand of fraudsters utilising their personal information to open bogus financial or retail accounts or to gain access to the data subjects’ existing accounts.

This usually leaves victims of such information theft with irrevocable harm that might range from bad credit records to unending lawyers’ letters. Examples are rife and it has been reported elsewhere that identity theft costs the country in the region of one billion rand per year. The bottom line; personal information is big business.

Until now in South Africa, organisations have paid little or no attention to the protection of personal information and data subjects have been left to fit the bill for their own financial, legal, administrative and emotional distress when data breaches affect them. Concomitantly, organisations have turned a blind eye. That however is all about to change and is already changing due to South Africa’s own data protection initiative; the soon to be promulgated Protection of Personal Information Act (POPI) whereby data subjects will not only have recourse to legislation but also access to and protection under POPI’s enforcer, the Information Regulator.

Under POPI, almost every person or organisation that processes (collects, uses, retains, stores or destroys) personal information would be held accountable for that information. Typical examples of personal information are information relating to an identifiable, living person’s name, address, e-mail address, telephone number, race, gender, account numbers, blood type, ID number etc.

Accountability means that organisations that are subject to POPI would have to ensure conditions for lawful processing. Such conditions are:

* A limitation on the processing of personal information (one would, for instance, only be allowed to process personal information if you have obtained the data subject’s consent);

* Purpose specification (personal information must be collected for a specific purpose and can only be retained for as long as necessary);

* Further processing limitation (in other words, not to process personal information for any additional purposes beyond the initial purpose or data subject’s consent);

* Information quality (the organisation must ensure that the personal information is accurate, complete, not misleading and updated where necessary);

* Openness (organisations must make the data subject aware of the information being collected and indicate for what purpose it is going to be utilised or processed);

* Security safeguards (ensuring the confidentiality, integrity and availability of personal information according to best practice but also ensuring that third parties processing on your behalf, comply with the same rigorous standards); and

* Data subject participation (facilitating processes whereby data subjects can amend or correct information pertaining to them).

From a technological and IT perspective certain aspects contained in these conditions stand out:

* CCTV;

* Information and data classification;

* Retention and backup;

* Information and data quality;

* Information and IT security; and for the purpose of our conclusion below, more significantly.

* Third-party processors.

Third-party processors, those organisations that make your organisation’s processing troubles seemingly go away, are now your organisation’s responsibility, under POPI, that is.

If personal information belonging to your organisation processed by these third-parties ends up in the form of a laptop on eBay, or goes astray and data subjects’ information is exposed or misplaced, then your organisation would be held accountable. And no, you cannot contract yourself out of a statutory duty.

So next time when a cloud computing service provider tells you that cloud computing has become a hot topic in the CIO’s arsenal and that IT departments across the board have discovered that the cloud is a significant weapon in freeing up budget, think carefully as to which questions you should really be asking them.

In my next article, I will be addressing some of these.

Francis Cronjé
Francis Cronjé

Francis Cronjé is an information governance specialist with a strong legal background having completed his LLM at the University of Oslo in Norway on ICT Law and Data Protection. He completed his BLC and LLB degrees at the University of Pretoria and obtained CIPP/US and CIPP/IT certification from the International Association of Privacy Professionals. He is the co-editor and co-author of Cyberlaw@SA and is heading up the consultancy firm, Φ franciscronje.com.

For more information contact Francis Cronjé, francis@franciscronje.com, www.franciscronje.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Understanding the power of digital identity
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
The way we perceive business flourishing is undergoing a paradigm shift, as digital identity and consumer consent redefine the dynamics of transactions, says Shanaaz Trethewey.

Read more...
What you can expect from digital identity in 2024
Access Control & Identity Management Security Services & Risk Management
As biometric identity becomes a central tenet in secure access to finance, government, telecommunications, healthcare services and more, 2024 is expected to be a year where biometrics evolve and important regulatory conversations occur.

Read more...
More than just a criminal record check
iFacts Security Services & Risk Management
When it comes to human-related risks, organisations and their most senior leaders focus on a narrow set of workforce risks, the potential risks that human workers pose to the business.

Read more...
Tech developments lead hologram growth in 2024
News & Events Security Services & Risk Management
Micro-lenses, micro-mirrors and plasmonics are among the rapidly-emerging optical devices that have evolved on the back of holographic and diffractive technologies, and are seen as part of the natural evolution of optical science by R&D teams.

Read more...
Are you leaving money on the table?
Editor's Choice Security Services & Risk Management
How many customers have you helped since starting your business? Where does most of your new business come from? If the answer is not from your database’s existing customers, you might have a problem.

Read more...
The business value of ChatGPT
Security Services & Risk Management Risk Management & Resilience
Transparency, policy and integrity. It is critical for organisations to have a line of sight into processes and procedures that clearly define employee use cases when it comes to ChatGPT, says Lizaan Lewis, Head of the Legal Department at Altron Systems Integration.

Read more...
BMS for smaller businesses
Security Services & Risk Management Products & Solutions Risk Management & Resilience
Small businesses can also benefit from tailored energy management solutions just like large corporations. Effective energy management is essential for more sustainable and efficient operations.

Read more...
Kidnapping for ransom
News & Events Security Services & Risk Management Risk Management & Resilience
There has been an 8,6% increase in reported kidnapping cases in South Africa compared to last year, with 3 854 cases reported between April and June this year, leaving ordinary South Africans increasingly vulnerable.

Read more...
The difference between a SOP and a SOP
Residential Estate (Industry) Integrated Solutions Security Services & Risk Management Risk Management & Resilience
SOPs are a touchy issue that need careful attention and automation to ensure they deliver the desired security results. Beyond design and automation, implementation is the ultimate road to success.

Read more...