On Facebook this week yet another of my friends was bemoaning the fact that they had been hacked! While it is awful to have your social profile messed with, the consequences are quite mild in comparison to your company's servers being breached.
As consumers we are all very aware of our personal information and the rights we have to its proper protection. I'm sure you joined in the collective sigh of relief when the Protection of Personal Information Act was promulgated, in the hope that this would stop the sale of your personal information (especially your cell phone number) to yet another direct marketing company. Well, in theory anyway.
So, what does the POPI Act say?
This Act sets out the conditions under which the personal information of data subjects (both natural and juristic persons, i.e. me and you, as well as your customers and your employees) may be lawfully processed. The POPI Act does not stop the processing of information, nor does it require consent from data subjects to process their personal information. The party that decides to process that personal information (the responsible party) is, however, responsible for complying with the conditions. There are eight general conditions and three extra conditions. The responsible party is also liable for a failure by its operators (the people who process the information on its behalf) to meet the conditions.
The POPI Act is important because it protects data subjects from harm, such as identity theft and discrimination. For the responsible party, the risks of non-compliance include reputational damage, fines and imprisonment, and paying out damages claims to data subjects. The biggest risk, after reputational damage, is a fine for failing to protect account numbers.
The biggest impact of the Act is on organisations that process lots of personal information, especially special personal information, children's information and account numbers. The most affected industries are financial services, healthcare and marketing, but every company will be impacted in some way. You have your customers' account numbers, don't you? You have your employees' ID numbers and bank account numbers, don't you?
Here’s what “personal information” looks like
Safeguarding the Data
One of the requirements of the legislation is ensuring that the data, once collected in the correct way (another discussion), is adequately safeguarded. This requires controlling:
- who has access to the information, i.e. there must be adequate measures and controls in place to track access and to prevent unauthorised people, even within the same company, from accessing it
- how and where the information is stored (there must be adequate measures and controls in place to protect it from theft, loss or compromise)
- the integrity and continued accuracy of the information (i.e. the information must be captured correctly and, once collected, the institution is responsible for maintaining it)
POPI and information security
There are a number of steps that every business needs to take to ensure it complies with these requirements. One of the pillars for success will be your IT security systems. Some advice:
- Information security is all about the confidentiality, integrity and availability of data. Ask your IT system supplier what controls are in place to ensure these, and how they continually manage the associated risks.
- Secondly, find out how your IT system supplier is ensuring the security of unstructured data. This is important because effectively securing the personal information of data subjects goes much wider than the IT department; most breaches occur when staff and other suppliers process personal information using unstructured data processing methods. This includes insecure email, file shares, call centres, insecure printing, and the use of mobile devices which are not encrypted.
ISO to your POPI rescue
The security safeguards for personal information will probably require the most work in your organisation. In short, this means you will most probably need to change the way you work with information. You will need to implement a host of processes to ensure information is handled in a responsible way. Keep in mind that it will be YOUR responsibility to prove that you've taken reasonable measures to keep information secure.
The concept of an Information Security Management System might be foreign, but in the same way that all organisations have a financial management system, your information security management is also just a set of rules and "ways of doing" when it comes to handling information. Information Security Management Systems are well defined in international standards such as the ISO/IEC 27000 series, which deals not only with personal information but with the full spectrum of information security.
An ISO 27001 information security management system (ISMS) ensures that your information security strategy and practices are aligned with your business needs and strategic goals regarding privacy. An appropriate implementation of ISO 27001 will help you demonstrate your commitment to compliance with the POPI requirements. And the best thing is that this standard will integrate with your food safety and quality management systems. ISO 27001 can be implemented in any kind of organisation: profit or non-profit, private or state-owned, small or large.
A word of caution
This is not just about firewalls and passwords! While both information security and POPI have a large IT component, your whole organisation needs to be involved and on board. With the implementation of POPI comes a culture change, so everyone dealing with personal information must understand their responsibilities and the risks to which they are exposed. This approach will ensure that you have the organisational resilience to manage all the risks and challenges that come your way.
If implementing ISO 27001 is too daunting, then we recommend following a risk-based approach: analyse all your processes and systems that deal with personal information, assess the risks you are exposed to, and create a prioritised risk treatment plan that is revised and updated regularly.
The lawyers are advising that you don't underestimate POPI compliance, either in terms of its requirements or the time needed to get your compliance plan implemented. It's time to get yourself on an ISO 27001 course as soon as possible.