Data protection legislation in a nutshell

July 2012 Security Services & Risk Management

When an organisation’s client, employee or customer’s personal details or information goes missing (for example, through human error, theft, hacking, data loss, or any other variety of data breaches), chances are good that these persons or so-called data subjects would not be made aware thereof by the organisation. In most instances, these data subjects’ first awareness would most probably be at the hand of fraudsters utilising their personal information to open bogus financial or retail accounts or to gain access to the data subjects’ existing accounts.

This usually leaves victims of such information theft with irrevocable harm that might range from bad credit records to unending lawyers’ letters. Examples are rife and it has been reported elsewhere that identity theft costs the country in the region of one billion rand per year. The bottom line; personal information is big business.

Until now in South Africa, organisations have paid little or no attention to the protection of personal information and data subjects have been left to fit the bill for their own financial, legal, administrative and emotional distress when data breaches affect them. Concomitantly, organisations have turned a blind eye. That however is all about to change and is already changing due to South Africa’s own data protection initiative; the soon to be promulgated Protection of Personal Information Act (POPI) whereby data subjects will not only have recourse to legislation but also access to and protection under POPI’s enforcer, the Information Regulator.

Under POPI, almost every person or organisation that processes (collects, uses, retains, stores or destroys) personal information would be held accountable for that information. Typical examples of personal information are information relating to an identifiable, living person’s name, address, e-mail address, telephone number, race, gender, account numbers, blood type, ID number etc.

Accountability means that organisations that are subject to POPI would have to ensure conditions for lawful processing. Such conditions are:

* A limitation on the processing of personal information (one would, for instance, only be allowed to process personal information if you have obtained the data subject’s consent);

* Purpose specification (personal information must be collected for a specific purpose and can only be retained for as long as necessary);

* Further processing limitation (in other words, not to process personal information for any additional purposes beyond the initial purpose or data subject’s consent);

* Information quality (the organisation must ensure that the personal information is accurate, complete, not misleading and updated where necessary);

* Openness (organisations must make the data subject aware of the information being collected and indicate for what purpose it is going to be utilised or processed);

* Security safeguards (ensuring the confidentiality, integrity and availability of personal information according to best practice but also ensuring that third parties processing on your behalf, comply with the same rigorous standards); and

* Data subject participation (facilitating processes whereby data subjects can amend or correct information pertaining to them).

From a technological and IT perspective certain aspects contained in these conditions stand out:

* CCTV;

* Information and data classification;

* Retention and backup;

* Information and data quality;

* Information and IT security; and for the purpose of our conclusion below, more significantly.

* Third-party processors.

Third-party processors, those organisations that make your organisation’s processing troubles seemingly go away, are now your organisation’s responsibility, under POPI, that is.

If personal information belonging to your organisation processed by these third-parties ends up in the form of a laptop on eBay, or goes astray and data subjects’ information is exposed or misplaced, then your organisation would be held accountable. And no, you cannot contract yourself out of a statutory duty.

So next time when a cloud computing service provider tells you that cloud computing has become a hot topic in the CIO’s arsenal and that IT departments across the board have discovered that the cloud is a significant weapon in freeing up budget, think carefully as to which questions you should really be asking them.

In my next article, I will be addressing some of these.

Francis Cronjé
Francis Cronjé

Francis Cronjé is an information governance specialist with a strong legal background having completed his LLM at the University of Oslo in Norway on ICT Law and Data Protection. He completed his BLC and LLB degrees at the University of Pretoria and obtained CIPP/US and CIPP/IT certification from the International Association of Privacy Professionals. He is the co-editor and co-author of Cyberlaw@SA and is heading up the consultancy firm, Φ franciscronje.com.

For more information contact Francis Cronjé, francis@franciscronje.com, www.franciscronje.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Fire safety in South Africa
Technoswitch Fire Detection & Suppression Technews Publishing SMART Security Solutions Editor's Choice Fire & Safety Security Services & Risk Management
Fire safety is sometimes ignored, sometimes relegated to whatever is cheapest, and sometimes treated with the seriousness it deserves, given that it focuses on protecting life and assets. SMART Security Solutions asked Brett Birch, MD of Technoswitch, for some insights into the realities of fire safety in South Africa.

Read more...
A risk-based approach to fire safety
Fire & Safety Security Services & Risk Management Industrial (Industry) Agriculture (Industry)
A report by fire engineering consultancy ASP Fire is challenging blanket assumptions around combustible-core sandwich panels, arguing instead for a rational, risk-based approach that balances fire safety requirements with commercial realities in sectors such as agriculture, manufacturing and industrial processing.

Read more...
Preventing and suppressing lithium fires
SMART Security Solutions Technews Publishing Editor's Choice Fire & Safety Security Services & Risk Management Smart Home Automation
SMART Security Solutions asked Clyde Becker, director of Pyro Brand, for some insight into the mechanics of lithium-ion battery fire risks, especially thermal runaway, and to define a comprehensive, layered approach to fire detection and suppression.

Read more...
Identity recovery matters most
Security Services & Risk Management
As cyberattacks grow more targeted, more destructive, and increasingly aimed at the very fabric of trust within the enterprise, the ability to restore identities has become just as critical as restoring data.

Read more...
ISO 27701 helps demonstrate privacy compliance beyond POPIA
Security Services & Risk Management
ISO 27701 include privacy-specific controls and provides a structured way to manage Personally Identifiable Information (PII) throughout its lifecycle, giving organisations a way to demonstrate how privacy is managed.

Read more...
Echoes of 2018? Follow-up on Woolworths explosions
Technews Publishing News & Events Security Services & Risk Management Retail (Industry) Facilities & Building Management
SMART Security Solutions follows up with Jimmy Roodt to find out more about an old connection to the Woolworths bombings from 2018. The investigation remains ongoing.

Read more...
Increase in cyberattacks on the manufacturing sector
Security Services & Risk Management News & Events Industrial (Industry)
According to a new Kaspersky ICS CERT report, in the first quarter of 2026, the percentage of industrial control systems (ICS) on which malicious objects were blocked reached 19,6% globally.

Read more...
Next-generation cash-in-transit vehicle
News & Events Security Services & Risk Management
Fidelity Services Group has unveiled a new, purpose-engineered Cash-in-Transit (CIT) vehicle designed to redefine crew protection, deter threats, and enhance operational resilience in an increasingly complex criminal environment.

Read more...
The risk at the edge of South Africa’s agriculture supply chain
Security Services & Risk Management Agriculture (Industry) Logistics (Industry)
Research from ESET has found that a significant number of South African agritech operators and farmers continue to believe their companies are not attractive targets for cybercriminals. Unfortunately, that belief is precisely what makes them one.

Read more...
AURA partners with Discovery to launch Discovery 911
News & Events Security Services & Risk Management
AURA has announced a partnership with Discovery Insure to power the security-response component of its new Discovery 911 virtual panic-button offering, which is available through the Discovery Insure app.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.