Demystifying data storage

August 2014 Integrated Solutions

The advent of the PoPI (Protection of Personal Information) Act sent many companies reaching for the tranquilisers. Ignorance of the Act is no excuse but organisations can quickly and easily come to grips with the parameters of data storage in terms of legislation. Hi-Tech Security Solutions discusses effective data storage, retention and disposal.

Metrofile’s managing director, Guy Kimble, points out that while the PoPI Act might be the latest act instituted for the management and storage of data, the effective management of records should already form part of an organisation’s business modus operandi.

Guy Kimble.

According to Justin Parry, managing director of Perceptive Software’s local distributor, OrangeNow, PoPI requires proactive records management. It prescribes that records of personal information should not be retained for any longer than is necessary for achieving the purpose for which the information was collected, unless the underlying law, contractual terms or, in certain cases, the individual’s consent dictate holding longer than the required retention period.

The first step in the process of managing data in accordance with PoPI is determining what data the organisation holds that is relevant to the PoPI Act. This data should then be tagged as PoPI sensitive in order to differentiate it from other company data that does not contain personal information.

Parry says that it is important for companies to put an education programme together and ensure corporate buy-in. “A big part of PoPI is transparency and the ability to demonstrate a roadmap that includes both business and technology involvement. Once this is in place we normally recommend a thorough content audit – understanding specifically which processes collect, capture and store personal information and importantly the purpose for which such information is stored.

“Once understood and optimised, organisations should then ensure that documents or content management systems are sufficiently flexible to manage and classify such information with systemic and process level ability to deliver control and auditability of the document and records management components,” he adds.

It must be stressed that organisations take full responsibility for the management, secure storage and eventual disposal of data. As per the Regulator, this responsibility cannot be transferred to a third party and the third party cannot be held solely accountable for the data. By appointing a senior executive in the company as the responsible custodian of this data, the organisation ensures that the seriousness of, and need for, adequately protecting PoPI-related data is comprehended and accepted.

A privacy officer should be appointed and thereby becomes responsible for the data from the moment it enters the organisation to the moment it is purged or physically destroyed. This entails identifying PoPI sensitive data together with the relevant departments throughout the organisation, classifying data, reviewing the manner of storing data, setting of retention periods, and the final disposal of the data.

When capturing data, the onus is on the organisation to make sure that the person from whom the data is being gathered is made fully aware of what data is being collected, why it is being collected, how it will be stored and for how long it will be stored. In addition, they must give permission (or not) to the organisation regarding whether information can be used by the organisation or shared with a third party for any reason other than the original intended purpose.

If, for example, a visitor to the premises has to gain entrance via a boom gate, then typically the driver’s licence will be scanned and electronically stored. The organisation is responsible for ensuring that the server on which this data is stored has the requisite firewalls and SSL certificates that provide encryption of the organisation’s IT system to prevent unauthorised access to the data.

It is critical to have a records management policy and plan of action in place to ensure compliance with the PoPI Act. This will detail the type of information held by the organisation, in what format (physical/hardcopy or electronic/digital) the data will be stored and the retention policy.

In the event of a data breach, organisations must inform the Regulator and, if the information is extremely sensitive (banking details and/or passwords or PIN codes), the company needs to contact the people to whom the information belongs and provide full disclosure of the breach.

The retention period is very subjective and should be discussed with the company auditors to ensure that it complements rather than conflicts with what is required in terms of the legislated requirements. Sensibility is the keyword here and retention periods should be reasonable and justifiable.

With regard to purging and destruction of data, Kimble suggests that organisations determine feasible and reasonable retention review periods, then implement a cyclical purge of electronic data that has reached this window. Similarly, hard copy data can be destroyed by, for instance, shredding on predefined dates. Since the fines and penalties around inappropriate disposal of hardcopy material are quite onerous, it is often prudent to secure the services of a company that will provide a secure shredding service. The appointed privacy officer will be responsible for ensuring that a record is kept as evidence as to the manner in which data was disposed of.

Depending on the size of your organisation, the amount of data you have, and the competencies and capacities of your employees, it is often advisable to seek counsel and assistance from specialists in the field of data storage.
