The advent of the PoPI (Protection of Personal Information) Act sent many companies reaching for the tranquilisers. Ignorance of the Act is no excuse but organisations can quickly and easily come to grips with the parameters of data storage in terms of legislation. Hi-Tech Security Solutions discusses effective data storage, retention and disposal.
Metrofile’s managing director, Guy Kimble, points out that while the PoPI Act might be the latest act instituted for the management and storage of data, the effective management of records should already form part of an organisation’s business modus operandi.
According to Justin Parry, managing director of Perceptive Software’s local distributor, OrangeNow, PoPI requires proactive records management with the prescription that records of personal information should not be retained for any longer than is necessary for achieving the purpose for which the information was collected, unless the underlying law, contractual terms or in certain cases, the individual’s consent, dictate holding longer than the required retention period.
The first step in the process of managing data in accordance with PoPI is determining what data the organisation holds that is relevant to the PoPI Act. This data should then be tagged as PoPI sensitive in order to differentiate it from other company data that does not contain personal information.
Parry says that it is important for companies to put an education programme together and ensure corporate buy in. “A big part of PoPI is transparency and the ability to demonstrate a roadmap that includes both business and technology involvement. Once this is in place we normally recommend a thorough content audit – understanding specifically which processes collect, capture and store personal information and importantly the purpose for which such information is stored.
“Once understood and optimised, organisations should then ensure that documents or content management systems are sufficiently flexible to manage and classify such information with systemic and process level ability to deliver control and auditability of the document and records management components,” he adds.
It must be stressed that organisations take full responsibility for the management, secure storage and eventual disposal of data. As per the Regulator, this responsibility cannot be transferred to a third party and the third party cannot be held solely accountable for the data. By appointing a senior executive in the company as the responsible custodian of this data, they will comprehend and accept the seriousness and need to protect PoPi related data adequately.
A privacy officer should be appointed and thereby becomes responsible for the data from the moment it enters the organisation to the moment it is purged or physically destroyed. This entails identifying PoPI sensitive data together with the relevant departments throughout the organisation, classifying data, reviewing the manner of storing data, setting of retention periods, and the final disposal of the data.
When capturing data, the onus is on the organisation to make sure that the person from whom the data is being gathered is made fully aware of what data is being collected, why it is being collected, how it will be stored and for how long it will be stored. In addition, they must give permission (or not) to the organisation regarding whether information can be used by the organisation or shared with a third party for any reason other than the original intended purpose.
If for example, a visitor to the premises has to gain entrance via a boom gate, then typically the driver’s licence will be scanned and electronically stored. The organisation is responsible for ensuring that the server on which this data is stored has the requisite firewalls and SSL certificates that provide encryption of the organisation’s IT system to prevent unauthorised access to the data.
It is critical to have a records management policy and plan of action in place to ensure compliance with the PoPI Act. This will detail the type of information held by the organisation, in what format (physical/hardcopy or electronic/digital) the data will be stored and the retention policy.
In the event of a data breach, organisations must inform the Regulator and if the information is extremely sensitive (banking details and/or passwords or PIN codes) then the company needs to contact the people to whom the information belongs and provide full disclosure of the breach.
The retention period is very subjective and should be discussed with the company auditors to ensure that it complements rather than conflicts with what is required in terms of the legislated requirements. Sensibility is the keyword here and retention periods should be reasonable and justifiable.
With regard to purging and destruction of data, Kimble suggests that organisations determine feasible and reasonable retention review periods, then implement a cyclical purge of electronic data that has reached this window. Similarly, hard copy data can be destroyed, by for instance, shredding, on predefined dates. Since the fines and penalties around inappropriate disposal of hardcopy material are quite onerous, it is often prudent to secure the services of a company that will provide a secure shredding service. The appointed privacy officer will be responsible for ensuring that a record is kept as evidence as to the manner in which data was disposed of.
Depending on the size of your organisation, the amount of data you have, and the competencies and capacities of your employees, it is often advisable to seek counsel and assistance from specialists in the field of data storage.
© Technews Publishing (Pty) Ltd | All Rights Reserved