Associated Compliance Protection of Personal Information Act Series: Part 7
Protection of Personal Information Act (POPIA) – Security Safeguards
Over the last seven months the POPIA articles have dealt with responsibility, processing, purpose, further processing, information quality and transparency or openness.
Now that you have established the reason and purpose for processing the personal information, and determined whether you are a “responsible party” or an “operator”, the next question is how to manage privacy risks. In other words, how do you ensure that the personal information in your possession is safe and secure? This is the discipline of information security, which is defined as “protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.” Remember that information may reside on information systems such as computer servers, networks, desktop and laptop computers and cell phones, and will most likely constitute intellectual property or confidential information.
It is well known that, to protect information systems from increasing levels of cyber threats, organisations are compelled to institute security programmes. To do so, you will first need to establish and understand what personal information, whether in hard copy or electronic form, your business has in its possession.
Section 19(1) of POPIA requires organisations to “secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information.”
Sections 20 and 21 deal with personal information that is being processed by operators or persons acting under authority, and with the security measures required of them by section 19.
What Condition 7 (Security Safeguards) tells you is which aspects of personal information must be secured, but not how you should go about implementing the required security safeguards.
The question to ask yourselves as a business is “what data or personal information do we have?”, because you cannot protect data that you don’t know you have. The solution is to carry out a complete data inventory and data flow mapping exercise for personal information (risk identification of personal information), establishing standards to classify the sensitivity of the personal information and so determine the levels of protection required. This would include an inventory of all types of personal information and of the related processing activities, systems and third parties involved in handling and processing that information. In practice this means establishing what personal information the business uses, and assessing and auditing the databases and data flows/processing activities, with the outcome being a personal data inventory/dashboard and a data map of the data analysed, giving you a clear picture of the personal data you use across your business. It also needs to cover transfers of personal information to and from third parties, and the collection and processing of data by third parties.
Once you’ve completed the risk identification of personal information, the next step is to assess the information security risks associated with specific categories of information, for example special personal information and children’s personal information. The rationale is that, to choose effective and efficient information security measures, management must identify the assets to be protected, the threats to those assets, and the vulnerability of the assets or their environment to those threats.
The risk assessment should include the following activities:
  • Identification and classification of information assets;
  • Identification of the threats to these information assets; and
  • Identification of any vulnerabilities in the current information asset safeguards.
Your risk assessment should include assessments on the types of risk, for example:
  • Intentional Conduct;
  • Hackers;
  • Organised Crime;
  • Insider Attacks; and
  • Attacks by service providers and other third parties, among others.
Once you’ve completed your risk assessments, the next step is to decide how to treat or manage the risk factors that have been assessed through:
  • Avoidance: not performing the activity that generates the risk;
  • Reduction: using controls to reduce or eliminate the risks by way of preventative, detective or corrective controls;
  • Sharing or Transfer: sharing the risk via outsourcing or insurance; or
  • Retention: where you decide to retain or self-insure the identified risk.
After assessing the assets, the threats to them and their vulnerability to those threats, you should now be able to start drafting and implementing information security programmes and privacy controls, such as data encryption, identity management and authorisation, computer security controls, network security controls, physical security, personnel security, application security and breach incident management.
The purpose of the controls would be to:
  • Ensure the security and confidentiality of personal information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorised access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
Remember that where your organisation is the “responsible party”, it is necessary to ensure the security of personal information, since under POPIA the responsible party remains ultimately accountable for the personal information of the data subject, even if the privacy breach was caused by a third party such as an operator. You are advised to discuss your security safeguards with your IT department or service provider/s.
The last section dealing with security safeguards is section 22. In short, the section requires you to draft and implement a “Breach Notification” policy supported by:
  • a process for identifying the notification and related requirements of other applicable jurisdictions relating to the data subjects affected by the breach;
  • a process for assessing the need for stakeholder breach notification, where required by law, regulation or policy; and
  • a process for delivering the notice in a timely manner.
To summarise, physical security controls, comprising deterrent, detective and preventive measures, are the means you put in place to mitigate physical security issues.
Deterrents aim to discourage those that might violate your security, detective measures alert you to or allow you to detect when you have a potential intrusion, and preventive controls actually prevent intrusions from taking place. In isolation, none of these controls is a complete solution, but together they can put you on a much stronger footing for physical security.
Source: Associated Compliance
Copyright © Insurance Gateway (Pty) Ltd 2004 - 2019. All Rights Reserved.