Associated Compliance Protection of Personal Information Act Series: Part 7

Protection of Personal Information Act (POPIA) – Security Safeguards
Over the last seven months the POPIA articles have dealt with responsibility, processing, purpose, further processing, information quality and transparency or openness.
Now that you have established the reason and purpose for processing the personal information, and whether you are a “responsible party” or an “operator”, the next question is how to manage privacy risks; in other words, how to ensure that the personal information in your possession is safe and secure. This is the discipline of information security, which is defined as “protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.” Remember that information may reside on information systems such as computer servers, networks, desktop and laptop computers and cell phones, and will most likely constitute intellectual property or confidential information.
It is well known that to protect information systems from increasing levels of cyber threats, organisations are compelled to institute security programmes. To do so, you will need to establish and understand what personal information, be it hard copy or electronic copy, your business has in its possession.
Section 19(1) of POPIA requires organisations to “secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information.”
Sections 20 and 21 deal with personal information that is being processed by operators or persons acting under authority, and with the security measures required of them by section 19.
What Condition 7 (Security Safeguards) tells you is what aspects of personal information must be secured, but not how you should go about implementing the required security safeguards.
The question to ask yourselves as a business is “what data or personal information do we have?”, because you cannot protect data that you don’t know you have. The solution is a complete data inventory and data flow mapping exercise (risk identification of personal information): establish standards to classify the sensitivity of the personal information and, from that, determine the levels of protection required. The inventory should cover all types of personal information and the related processing activities, systems and third parties involved in handling and processing that information. In practice this means recording what personal information the business uses, assessing and auditing databases and data flows/processing activities, and producing a personal data inventory/dashboard and a data map of the data analysed, so that you have a clear picture of the personal data you use across your business. It also needs to include transfers of personal information to and from third parties, and the collection and processing of data by third parties.
Once you’ve completed the risk identification of personal information, the next step is to assess the specific information security risks, for example those relating to special personal information and children’s personal information. The rationale is that to choose effective and efficient information security measures, management must identify the assets to be protected, the threats to those assets, and the vulnerability of the assets or their environment to those threats.
The risk assessment should include the following activities:
  • Identification and classification of information assets;
  • Identification of the threats to these information assets; and
  • Identification of any vulnerabilities in the current information asset safeguards.
Your risk assessment should also consider the sources of risk, for example:
  • Intentional Conduct;
  • Hackers;
  • Organised Crime;
  • Insider Attacks; and
  • Attacks by service providers and other third parties, among others.
Once you’ve completed your risk assessments, the next step is to decide how to treat or manage the assessed risks, through one of the following:
  • Avoidance: not performing the activity that generates the risk;
  • Reduction: using controls to reduce or eliminate the risks by way of preventative, detective or corrective controls;
  • Sharing or Transfer: sharing the risk via outsourcing or insurance; or
  • Retention: where you decide to retain or self-insure the identified risk.
After assessing the personal information assets, the threats to them and their vulnerability to those threats, you should be able to start drafting and implementing information security programmes and privacy controls, such as data encryption, identity management and authorisation, computer security controls, network security controls, physical security, personnel security, application security and breach incident management.
The purpose of the controls would be to:
  • Ensure the security and confidentiality of personal information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorised access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
Remember that where your organisation is the “responsible party”, it must ensure the security of the personal information, since under POPIA the responsible party remains ultimately accountable for the personal information of the data subject even if the privacy breach was caused by a third party, such as an operator. You are advised to discuss your security safeguards with your IT department or service provider/s.
The last section dealing with security safeguards is section 22. In short, the section requires you to draft and implement a “Breach Notification” policy supported by:
  • a process for identifying the notification and related requirements of other applicable jurisdictions relating to the data subjects affected by the breach;
  • a process for assessing the need for breach notification to stakeholders, if required by law, regulation, or policy; and
  • a process for delivering the notice in a timely manner.
To summarise, physical security controls, which include deterrent, detective and preventive measures, are the means you put in place to mitigate physical security issues.
Deterrents aim to discourage those who might violate your security, detective measures alert you to or allow you to detect a potential intrusion, and preventive controls actually prevent intrusions from taking place. In isolation, none of these controls is a complete solution, but together they put you on a much stronger footing for physical security.
Source: Associated Compliance