POPI and the cloud

August 2012 Security Services & Risk Management

In my previous article I gave a short breakdown of the new proposed Protection of Personal Information Act (POPI) and highlighted some of the issues that entities might encounter in terms thereof, especially when outsourcing processes to third parties.

In this article, we will have a closer look at POPI and cloud computing. As promised, I will deal with some of the questions one needs to ask your potential cloud service provider before entering into an agreement. But first, I will aim to dispel a common POPI myth that has been manifested by cloud doomsayers in the advisory sphere.

Myth: moving information or data to the cloud is bad for securing such information or data in terms of POPI.

The fact is that employee malice and negligence cause the majority of data breaches worldwide and unauthorised access (e.g. hacking) is on the increase. You should therefore rather ask yourself whether your in-house system is better configured to provide superior security measures than the proposed cloud provider. So yes, moving data to the cloud can be a bad thing if the provider has weak security measures. But it is an absolute myth if you utilise a provider that assists your company to manage the integrity, confidentiality, retention of and access to information or data by bringing skill, manpower, experience and superior technologies.

Fact: whatever version of the cloud your company wants to use, cloud issues in terms of POPI are the same. Whether public, hybrid or private, the key issue is the security of your information or data. A second and equally relevant issue is the location thereof, which can be seen as a particular aspect of information or data security.

Remember, when outsourcing personal information to a cloud provider, POPI places the responsibility for the security of such information squarely on your company.

Security in this context can therefore be seen from two perspectives:

* You must ensure that the provider processes your information or data only with your company’s knowledge or authorisation;

* You must ensure that the provider secures the integrity and confidentiality of information in its possession or under its control, by taking appropriate, reasonable technical and organisational measures to prevent:

- loss of, damage to or unauthorised destruction of such information; and

- unlawful access to or processing of such information.

POPI further necessitates that this must be governed by a written contract between you and the cloud provider.

* So before entering into such an agreement with a cloud provider, it might be good to first consider asking some of the following questions:

* Will my company have continued access to its information or data (backup and disaster recovery measures) irrespective of the information or data’s location?

* Can you provide me with assurances that unauthorised access to my company’s information or data is prevented (covers both protection against external hacking attacks and access by the cloud provider’s personnel or by other users of the data centre)?

* Do you have adequate oversight of any sub-processors (irrespective of their location) you use or might use and subsequent to that, do you have the necessary agreements and contracts in place to ensure the security of my company’s information or data?

* Do you have sufficient procedures in place in the event of a data breach that would enable my company to take the necessary actions in terms of POPI?

* Could you provide my company with a guarantee in the contract that it will have the right to remove or transfer its information or data at any time?

These few questions are mainly based on European precedent and companies or entities are therefore well advised, in addition to having received answers in the affirmative, to conduct a POPI detailed technical analysis incorporating an audit of the cloud provider.

Francis Cronjé
Francis Cronjé

For more information contact Francis Cronjé, [email protected], www.franciscronje.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Visualise and mitigate cyber risks
Security Services & Risk Management
SecurityHQ announced its risk and incident management capabilities for the SHQ response platform. The SHQ Response Platform acts as the emergency room, and the risk centre provides the wellness hub for all cyber security monitoring and actions.

Read more...
Eighty percent of fraud fighters expect to deploy GenAI by 2025
Security Services & Risk Management
A global survey of anti-fraud pros by the ACFE and SAS reveals incredible GenAI enthusiasm, according to the latest anti-fraud tech study by the Association of Certified Fraud Examiners (ACFE) and SAS, but past benchmarking studies suggest a more challenging reality.

Read more...
Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Proactive strategies against payment fraud
Financial (Industry) Security Services & Risk Management
Amid a spate of high-profile payment fraud cases in South Africa, the need for robust fraud payment prevention measures has never been more apparent, says Ryan Mer, CEO of eftsure Africa.

Read more...
How to prevent and survive fires
Fire & Safety Security Services & Risk Management
Since its launch in August 2023, Fidelity SecureFire, a division of the Fidelity Services Group, has been making significant strides in revolutionising fire response services in South Africa.

Read more...
A long career in mining security
Technews Publishing Editor's Choice Security Services & Risk Management Mining (Industry)
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Read more...
Risk management: There's an app for that
Editor's Choice News & Events Security Services & Risk Management
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Read more...
Integrated information platform for risk management
Editor's Choice News & Events Security Services & Risk Management
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Read more...
Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Security Services & Risk Management
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.

Read more...