POPI and the cloud

August 2012 Security Services & Risk Management

In my previous article I gave a short breakdown of the new proposed Protection of Personal Information Act (POPI) and highlighted some of the issues that entities might encounter in terms thereof, especially when outsourcing processes to third parties.

In this article, we will have a closer look at POPI and cloud computing. As promised, I will deal with some of the questions one needs to ask your potential cloud service provider before entering into an agreement. But first, I will aim to dispel a common POPI myth that has been manifested by cloud doomsayers in the advisory sphere.

Myth: moving information or data to the cloud is bad for securing such information or data in terms of POPI.

The fact is that employee malice and negligence cause the majority of data breaches worldwide and unauthorised access (e.g. hacking) is on the increase. You should therefore rather ask yourself whether your in-house system is better configured to provide superior security measures than the proposed cloud provider. So yes, moving data to the cloud can be a bad thing if the provider has weak security measures. But it is an absolute myth if you utilise a provider that assists your company to manage the integrity, confidentiality, retention of and access to information or data by bringing skill, manpower, experience and superior technologies.

Fact: whatever version of the cloud your company wants to use, cloud issues in terms of POPI are the same. Whether public, hybrid or private, the key issue is the security of your information or data. A second and equally relevant issue is the location thereof, which can be seen as a particular aspect of information or data security.

Remember, when outsourcing personal information to a cloud provider, POPI places the responsibility for the security of such information squarely on your company.

Security in this context can therefore be seen from two perspectives:

* You must ensure that the provider processes your information or data only with your company’s knowledge or authorisation;

* You must ensure that the provider secures the integrity and confidentiality of information in its possession or under its control, by taking appropriate, reasonable technical and organisational measures to prevent:

- loss of, damage to or unauthorised destruction of such information; and

- unlawful access to or processing of such information.

POPI further necessitates that this must be governed by a written contract between you and the cloud provider.

* So before entering into such an agreement with a cloud provider, it might be good to first consider asking some of the following questions:

* Will my company have continued access to its information or data (backup and disaster recovery measures) irrespective of the information or data’s location?

* Can you provide me with assurances that unauthorised access to my company’s information or data is prevented (covers both protection against external hacking attacks and access by the cloud provider’s personnel or by other users of the data centre)?

* Do you have adequate oversight of any sub-processors (irrespective of their location) you use or might use and subsequent to that, do you have the necessary agreements and contracts in place to ensure the security of my company’s information or data?

* Do you have sufficient procedures in place in the event of a data breach that would enable my company to take the necessary actions in terms of POPI?

* Could you provide my company with a guarantee in the contract that it will have the right to remove or transfer its information or data at any time?

These few questions are mainly based on European precedent and companies or entities are therefore well advised, in addition to having received answers in the affirmative, to conduct a POPI detailed technical analysis incorporating an audit of the cloud provider.

Francis Cronjé
Francis Cronjé

For more information contact Francis Cronjé, francis@franciscronje.com, www.franciscronje.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

More than just a criminal record check
iFacts Security Services & Risk Management
When it comes to human-related risks, organisations and their most senior leaders focus on a narrow set of workforce risks, the potential risks that human workers pose to the business.

Read more...
Tech developments lead hologram growth in 2024
News & Events Security Services & Risk Management
Micro-lenses, micro-mirrors and plasmonics are among the rapidly-emerging optical devices that have evolved on the back of holographic and diffractive technologies, and are seen as part of the natural evolution of optical science by R&D teams.

Read more...
Are you leaving money on the table?
Editor's Choice Security Services & Risk Management
How many customers have you helped since starting your business? Where does most of your new business come from? If the answer is not from your database’s existing customers, you might have a problem.

Read more...
The business value of ChatGPT
Security Services & Risk Management Risk Management & Resilience
Transparency, policy and integrity. It is critical for organisations to have a line of sight into processes and procedures that clearly define employee use cases when it comes to ChatGPT, says Lizaan Lewis, Head of the Legal Department at Altron Systems Integration.

Read more...
BMS for smaller businesses
Security Services & Risk Management Products & Solutions Risk Management & Resilience
Small businesses can also benefit from tailored energy management solutions just like large corporations. Effective energy management is essential for more sustainable and efficient operations.

Read more...
Kidnapping for ransom
News & Events Security Services & Risk Management Risk Management & Resilience
There has been an 8,6% increase in reported kidnapping cases in South Africa compared to last year, with 3 854 cases reported between April and June this year, leaving ordinary South Africans increasingly vulnerable.

Read more...
The difference between a SOP and a SOP
Residential Estate (Industry) Integrated Solutions Security Services & Risk Management Risk Management & Resilience
SOPs are a touchy issue that need careful attention and automation to ensure they deliver the desired security results. Beyond design and automation, implementation is the ultimate road to success.

Read more...
Scoping out potential estates
Alwinco Security Services & Risk Management
When an intruder surveys a residential estate of 200 houses, they see at least 200 cars, 400 cell phones, 400 computers, 200 flat screen TVs, 600 bank cards, and various other items of value.

Read more...
Your face is the key
Suprema Editor's Choice Access Control & Identity Management Security Services & Risk Management Risk Management & Resilience
FaceStation 2, Suprema’s newest facial authentication terminal, is an access control, time and attendance terminal, featuring a better user experience with Android 5.0 Lollipop and Suprema’s latest algorithm, hardware, and software.

Read more...
Security without the skin
Alwinco Editor's Choice Security Services & Risk Management Residential Estate (Industry) Risk Management & Resilience
We all know about the layers of security required to form a comprehensive solution, but the layers go deeper than most consider. Andre Mundell dissects security in this article to start the journey into what is under the covers.

Read more...