POPI and the cloud

August 2012 Security Services & Risk Management

In my previous article I gave a short breakdown of the new proposed Protection of Personal Information Act (POPI) and highlighted some of the issues that entities might encounter in terms thereof, especially when outsourcing processes to third parties.

In this article, we will have a closer look at POPI and cloud computing. As promised, I will deal with some of the questions one needs to ask your potential cloud service provider before entering into an agreement. But first, I will aim to dispel a common POPI myth that has been manifested by cloud doomsayers in the advisory sphere.

Myth: moving information or data to the cloud is bad for securing such information or data in terms of POPI.

The fact is that employee malice and negligence cause the majority of data breaches worldwide and unauthorised access (e.g. hacking) is on the increase. You should therefore rather ask yourself whether your in-house system is better configured to provide superior security measures than the proposed cloud provider. So yes, moving data to the cloud can be a bad thing if the provider has weak security measures. But it is an absolute myth if you utilise a provider that assists your company to manage the integrity, confidentiality, retention of and access to information or data by bringing skill, manpower, experience and superior technologies.

Fact: whatever version of the cloud your company wants to use, cloud issues in terms of POPI are the same. Whether public, hybrid or private, the key issue is the security of your information or data. A second and equally relevant issue is the location thereof, which can be seen as a particular aspect of information or data security.

Remember, when outsourcing personal information to a cloud provider, POPI places the responsibility for the security of such information squarely on your company.

Security in this context can therefore be seen from two perspectives:

* You must ensure that the provider processes your information or data only with your company’s knowledge or authorisation;

* You must ensure that the provider secures the integrity and confidentiality of information in its possession or under its control, by taking appropriate, reasonable technical and organisational measures to prevent:

- loss of, damage to or unauthorised destruction of such information; and

- unlawful access to or processing of such information.

POPI further necessitates that this must be governed by a written contract between you and the cloud provider.

* So before entering into such an agreement with a cloud provider, it might be good to first consider asking some of the following questions:

* Will my company have continued access to its information or data (backup and disaster recovery measures) irrespective of the information or data’s location?

* Can you provide me with assurances that unauthorised access to my company’s information or data is prevented (covers both protection against external hacking attacks and access by the cloud provider’s personnel or by other users of the data centre)?

* Do you have adequate oversight of any sub-processors (irrespective of their location) you use or might use and subsequent to that, do you have the necessary agreements and contracts in place to ensure the security of my company’s information or data?

* Do you have sufficient procedures in place in the event of a data breach that would enable my company to take the necessary actions in terms of POPI?

* Could you provide my company with a guarantee in the contract that it will have the right to remove or transfer its information or data at any time?

These few questions are mainly based on European precedent and companies or entities are therefore well advised, in addition to having received answers in the affirmative, to conduct a POPI detailed technical analysis incorporating an audit of the cloud provider.

Francis Cronjé
Francis Cronjé

For more information contact Francis Cronjé, francis@franciscronje.com, www.franciscronje.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Communication in any situation
Issue 8 2020, Elvey Security Technologies , Global Communications , Security Services & Risk Management
Global Communications offers an industry-first with five-year warranty on select Kenwood two-way radios.

Read more...
The year resilience paid off
Issue 8 2020 , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Read more...
The reality of farm attacks
Issue 3 2021, Technews Publishing , Security Services & Risk Management
Nowhere in the world are people being as brutally attacked and murdered like farmers in South Africa (including a number of black emerging farmers and black farm labourers that have been attacked and injured or killed).

Read more...
Insights into PoPIA compliance
Issue 3 2021, Technews Publishing , Security Services & Risk Management
Hi-Tech Security Solutions asked Carrie Peter, solution owner at Impression Signatures, for a few insights on what this piece of legislation means in the real world.

Read more...
Top 10 security misperceptions
Issue 3 2021 , Cyber Security, Security Services & Risk Management
The Sophos Rapid Response team has compiled a list of the most commonly held security misperceptions they’ve encountered in the last 12 months while neutralising and investigating cyberattacks in a wide range of organisations.

Read more...
The supply chain of the future
Issue 3 2021 , Integrated Solutions, Security Services & Risk Management, Retail (Industry)
For retailers to maximise their bottom line, the supply chain needs to be fast, efficient and responsive, which requires the use of intelligent, integrated technology.

Read more...
PoPIA: Time Is up
Issue 3 2021 , Security Services & Risk Management, IT infrastructure
The Protection of Personal Information Act (PoPIA) comes into full effect on 1 July 2021 and there remains much confusion and ambiguity regarding its definitions, requirements and enforcement.

Read more...
Anomaly detection is the first layer
Issue 3 2021 , Security Services & Risk Management
A multi-layered, proactive approach to data management and protection is essential and this begins with anomaly detection as the first line of defence.

Read more...
Towards a cashless world
Issue 3 2021 , Security Services & Risk Management
In addition to being safer from a viral transmission perspective, contactless payment is also faster and integrating multiple contactless payment methods assists small businesses to better maintain financial liquidity.

Read more...
mySOS targets neighbourhood safety
Issue 2 2021 , Security Services & Risk Management
Beyond protection for valuables and premises, people are also looking to ensure their personal safety and that of their loved ones as they move around and within community areas.

Read more...