Manage your data appropriately
September 2017, This Week's Editor's Pick, Security Services & Risk Management, Residential Estate (Industry)
Nobody thinks twice about providing personal information to organisations tasked with managing an estate. One assumes the people employed will automatically treat sensitive information with care and not let it fall into the wrong hands.
Unfortunately, as people and businesses across South Africa have discovered, this is not the case. Whether through carelessness, ignorance or malicious intent, personal information seems to be easy to obtain and use in criminal endeavours. When it comes to an estate, the information collected by managing agents, body corporates and home owners’ associations (HoA) is the very essence of ‘personal’ information and seeing it fall into the wrong hands can have far reaching consequences.
Businesses across South Africa know they have a limited time to comply with the stipulations of the Protection of Personal Information Act (PoPI) and many have started the process of understanding what data they possess and what they need to do with it. Residential estates may think they have secured the sensitive information on their servers or held by their cloud service providers, but PoPI may be a rude awakening for estate managers.
John Cato, a director of IACT-Africa warns that PoPI is a general law that applies to any organisation or person that collects personal information. So from an estate’s point of view, this means the data collected at the gate when visitors or contractors arrive, to the personal data of its residents, such as addresses, phone numbers, email addresses, and even banking details qualify as data that PoPI wants protected.
Even those estates that still rely on the old visitor’s book will find themselves in contravention of the law once PoPI is enforced – which is expected to be somewhere towards the end of 2018. The visitor’s book simply doesn’t make the grade and storing them in a drawer somewhere is even more of a failure in terms of PoPI.
That’s not to say that simply because you have a biometric access system at the gate, or an access control solution that sends an SMS with an entry code that you are in the clear. PoPI doesn’t really care how information is collected, it focuses on why you are collecting it, obtaining consent for collecting it, what you plan to do with it in terms of lawful processing, how you will destroy it, and how you store it in the meantime.
Data handling processes
Cato explains that PoPI expects every organisation or person to handle personal information with appropriate and reasonable organisational and technical safeguards. This means the “secure and lawful processing of personal information”, according to Cato.
In preparing to meet the requirements of PoPI, he says every organisation needs to identify where personal information is collected, held and processed, and ensure the rules governing how the information is handled are set in stone. And while personal information applies to people, it also applies to businesses (juristic persons). If you collect sensitive information about a service provider, for example, that information also needs to be governed by the same processes.
In a business environment, the CEO would normally be the person responsible for PoPI compliance as the information officer. He/she would then appoint a deputy to handle the compliance on behalf of the CEO’s office. In an estate things aren’t so clear. Would the chair or the HoA or the estate manager be the responsible party? Cato advises every estate to appoint one individual to handle compliance to ensure there is accountability for information management.
Where to start?
Assuming compliance because your vendor or service provider says you are compliant is not a good idea. Cato suggests each estate starts by assessing what data they have and what data they collect on an ongoing basis. Then ascertain if the storage and processing of that data is in line with the Act – that you have taken ‘appropriate and reasonable’ measures in line with industry practices to secure and manage the data.
A simple example would be whether access to the database in which your residents’ personal information is stored is controlled so that only certain people can access the information. When it comes to access control at the gate, the same principles apply.
Estates often outsource their access control to third parties, which Cato says is basically a standard practice. However, the estate needs to have a written agreement with the service provider that defines responsibilities for the estate and the service provider for the collection, processing and destruction of data. He adds that the law does not allow you to abdicate responsibility. The estate will be held accountable, but will have legal recourse against the service provider if the latter has contravened the Act.
Similar rules apply to all service providers used by the estate. The company running the resident portal, for example, also needs to have a written contract with the estate setting out the terms under which information is processed. And this even goes as far as procurement. The estate needs to be sure its procurement providers are compliant and handle personal data correctly.
The reach of PoPI even stretches to the golf club. Golf estates, for example, will also have to have a set of processes managing how data about members and guests is handled. And what about the bowls team?
Destruction is mandated
This article has referred to the destruction of data as part of the stipulations of PoPI. There is more than one story about finding visitor’s books under a table or simply thrown away into the garbage. Such an act is irresponsible at a minimum and will be illegal under PoPI (as will the visitor’s book). The concept of processing information not only covers what data is collected and how, as well as how it is stored and used, it also covers its destruction.
Firstly, the estate needs to determine how long it will store information. For residents the storage term is not set while they are living on the estate, but what happens to their data when they leave? How long does the estate keep visitor or contractor information? Cato says there is an argument to be made for keeping this information available to make it easier for people to gain access in future, but how long will data remain on the system without being accessed? This is another issue estates need to sort out when they assess their PoPI readiness. They should clearly define their retention practices in an appropriate policy to protect themselves against their practices being mistakenly interpreted in the event of a compromise or breach.
Then, when it is determined that data must be destroyed, how do you do it? Cato explains that for paper records, a consumer-grade shredder is not compliant. Information must be destroyed so that it cannot be reconstructed and a person identified, meaning you need a more expensive shredder that slices and dices paper finely.
For electronic data, pressing the delete key is not acceptable either as it is not a difficult job for someone with a bit of technical knowhow to recover files or parts of a file. Estates will need to wipe their data properly, especially in the case of upgrading computers. A hardware shredder or technology such as disk degaussing should be used.
Cyber security and estates
Hi-Tech Security Solutions knows of at least one estate in South Africa that has had its data encrypted by ransomware. The estate in question could not recover its data from backups because the backups were also encrypted. Good fortune prevailed and one of the estate’s service providers was able to resolve the issue (in a manner that would be illegal under PoPI), but the cyber security question is as pertinent to an estate as it is to any business.
Estate’s computerised systems must be protected by anti-virus software and firewalls, and a reliable backup process must be in place. This means a backup that is made to media that is stored offsite – not simply a Dropbox copy. For estates that can afford it and have the technical capabilities, Cato says they could even look at encrypting their data to ensure that it is safe even if some malicious actors get their hands on it.
It’s also worth noting that using cloud services such as Dropbox and the many others also raises a concern as PoPI compliance means the laws of the country where the service is hosted must be equal to or better than PoPI’s stipulations.
Similarly, the new General Data Protection Regulation (GDPR) regulations in Europe will also be causing a headache in South Africa. Cato explains these regulations govern the collection and use of EU residents’ personal data globally. That means collecting personal information from your German summer-time resident will be governed by PoPI and GDPR rules.
And, Cato warns, let’s not forget about the people with tablets and smartphones who have a legitimate reason to access data from their devices. It is both the individual’s and the estate’s responsibility to make sure their devices are appropriately secured.
Appropriate and reasonable
When looking at all the implications PoPI can have on an estate’s collection and management of data, one can go on forever about what should or should not be done. However, Cato advises that it need not be such a complicated task as long as the efforts by the estate are seen as appropriate and reasonable, and are formally documented.
With the correct advice and assessment assistance, there should be no reason for an estate to fall foul of the law. There is still enough time to ensure PoPI compliance, although not too much time when considering the scope of the project. But in short, as long as the estate can show its efforts to comply were reasonable and appropriate, the HoA will probably not have a jailbird on the committee.
For more information, contact John Cato, IACT-Africa, +27 (0)10 500 1038, email@example.com, www.popisolutions.co.za