POPI and the cloud

August 2012 Security Services & Risk Management

In my previous article I gave a short breakdown of the new proposed Protection of Personal Information Act (POPI) and highlighted some of the issues that entities might encounter in terms thereof, especially when outsourcing processes to third parties.

In this article, we will have a closer look at POPI and cloud computing. As promised, I will deal with some of the questions one needs to ask your potential cloud service provider before entering into an agreement. But first, I will aim to dispel a common POPI myth that has been manifested by cloud doomsayers in the advisory sphere.

Myth: moving information or data to the cloud is bad for securing such information or data in terms of POPI.

The fact is that employee malice and negligence cause the majority of data breaches worldwide and unauthorised access (e.g. hacking) is on the increase. You should therefore rather ask yourself whether your in-house system is better configured to provide superior security measures than the proposed cloud provider. So yes, moving data to the cloud can be a bad thing if the provider has weak security measures. But it is an absolute myth if you utilise a provider that assists your company to manage the integrity, confidentiality, retention of and access to information or data by bringing skill, manpower, experience and superior technologies.

Fact: whatever version of the cloud your company wants to use, cloud issues in terms of POPI are the same. Whether public, hybrid or private, the key issue is the security of your information or data. A second and equally relevant issue is the location thereof, which can be seen as a particular aspect of information or data security.

Remember, when outsourcing personal information to a cloud provider, POPI places the responsibility for the security of such information squarely on your company.

Security in this context can therefore be seen from two perspectives:

* You must ensure that the provider processes your information or data only with your company’s knowledge or authorisation;

* You must ensure that the provider secures the integrity and confidentiality of information in its possession or under its control, by taking appropriate, reasonable technical and organisational measures to prevent:

- loss of, damage to or unauthorised destruction of such information; and

- unlawful access to or processing of such information.

POPI further necessitates that this must be governed by a written contract between you and the cloud provider.

* So before entering into such an agreement with a cloud provider, it might be good to first consider asking some of the following questions:

* Will my company have continued access to its information or data (backup and disaster recovery measures) irrespective of the information or data’s location?

* Can you provide me with assurances that unauthorised access to my company’s information or data is prevented (covers both protection against external hacking attacks and access by the cloud provider’s personnel or by other users of the data centre)?

* Do you have adequate oversight of any sub-processors (irrespective of their location) you use or might use and subsequent to that, do you have the necessary agreements and contracts in place to ensure the security of my company’s information or data?

* Do you have sufficient procedures in place in the event of a data breach that would enable my company to take the necessary actions in terms of POPI?

* Could you provide my company with a guarantee in the contract that it will have the right to remove or transfer its information or data at any time?

These few questions are mainly based on European precedent and companies or entities are therefore well advised, in addition to having received answers in the affirmative, to conduct a POPI detailed technical analysis incorporating an audit of the cloud provider.

Francis Cronjé
Francis Cronjé

For more information contact Francis Cronjé, francis@franciscronje.com, www.franciscronje.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Stolen credentials on the Dark Web
October 2019 , Cyber Security, Security Services & Risk Management
Over 21 million credentials belonging to Fortune 500 companies, 16 million of which were compromised during the last 12 months, are up for sale.

Read more...
Stolen credentials on the Dark Web
October 2019 , Cyber Security, Security Services & Risk Management
Over 21 million credentials belonging to Fortune 500 companies, 16 million of which were compromised during the last 12 months, are up for sale.

Read more...
Vodacom and SAPS launch MySAPS mobile app
October 2019 , Security Services & Risk Management
Vodacom, in partnership with the South African Police Service, will empower citizens to contribute to their own safety as well as the safety of their communities through the newly launched MySAPS app.

Read more...
Enterprise security must change
October 2019 , Cyber Security, Security Services & Risk Management
The recent wave of cyberattacks against local banks has highlighted the importance of protecting data against malicious users.

Read more...
Drones improve risk management
October 2019 , Security Services & Risk Management
Indwe embraces drone technology to help improve risk management and optimise insurance.

Read more...
Body-worn cameras transforming security
October 2019 , CCTV, Surveillance & Remote Monitoring, Security Services & Risk Management
Police Service Northern Ireland now has over 7 000 officers using 2 500 cameras covering approximately 173 000 incidents each year.

Read more...
Protecting your customers’ data
October 2019 , Training & Education, Security Services & Risk Management
Simon Murrell, head of development and executive director at BrandQuantum says companies need to protect their customers from identity theft and data breaches.

Read more...
Success lies in planning
November 2019, Vox Telecom , Security Services & Risk Management
A safe and smart city will only be successful if it is planned properly, if there is buy-in from all the stakeholders and if it is managed efficiently.

Read more...
Matching governance to context
November 2019, ContinuitySA , Security Services & Risk Management
When building resilience and planning for business continuity, take proportionality to heart, advises Michael Davies, CEO of ContinuitySA.

Read more...
Essential tips for a successful disaster recovery plan
November 2019 , Security Services & Risk Management
Arcserve Southern Africa offers six crucial steps necessary to design a successful disaster recovery (DR) plan.

Read more...