Associated Compliance Protection of Personal Information Act Series: Part 7
Protection of Personal Information Act (POPIA) – Security Safeguards
Over the last seven months the POPIA articles have dealt with responsibility, processing, purpose, further processing, information quality and transparency or openness.
Now that you have established the reason and purpose for processing the personal information, and whether you are a “responsible party” or an “operator”, the next question is how to manage privacy risks. In other words, how do you ensure that the personal information in your possession is safe and secure? This is the discipline of information security, which is defined as “protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.” Remember that information may reside on information systems such as computer servers, networks, desktop and laptop computers and cell phones, and will most likely constitute intellectual property or confidential information.
It is well known that, to protect information systems from increasing levels of cyber threats, organisations are compelled to institute security programmes. To do so, you will first need to establish and understand what personal information, whether in hard copy or electronic form, your business has in its possession.
Section 19(1) of POPIA requires organisations to “secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information.”
Sections 20 and 21 deal with personal information that is processed by operators or by persons acting under authority, and with the security measures required of them by section 19.
Condition 7 (Security Safeguards) tells you which aspects of personal information must be secured, but not how you should go about implementing the required security safeguards.
The first question to ask yourselves as a business is “what data or personal information do we have?”, because you cannot protect data that you don’t know you have. The solution is a complete data inventory and data flow mapping exercise for personal information (the risk identification stage), in which you establish standards for classifying the sensitivity of personal information and, on that basis, determine the levels of protection required. This covers an inventory of all types of personal information and of the related processing activities, systems and third parties involved in handling and processing that information. In practice it means recording what personal information the business uses and assessing and auditing databases and data flows/processing activities, with the outcome being a personal data inventory or dashboard and a data map of the data analysed, giving you a clear picture of the personal data you use across your business. It also needs to include transfers of personal information to and from third parties, and the collection and processing of data by third parties.
Once you’ve completed the risk identification of personal information, the next step is to assess the information security risks associated with it, paying particular attention to categories such as special personal information and children’s personal information. The rationale is that, to choose effective and efficient information security measures, management must identify the assets to be protected, the threats to those assets, and the vulnerability of the assets or their environment to those threats.
The risk assessment should include the following activities:
Identification and classification of information assets;
Identification of the threats to these information assets; and
Identification of any vulnerabilities in the current information asset safeguards.
Your risk assessment should also cover the different types of risk, for example:
Once you’ve completed your risk assessments, the next step is to decide how to treat or manage the risks that have been assessed, through one of the following:
Avoidance: not performing the activity that generates the risk;
Reduction: using controls to reduce or eliminate the risks by way of preventative, detective or corrective controls;
Sharing or Transfer: sharing the risk via outsourcing or insurance; or
Retention: where you decide to retain or self-insure the identified risk.
After assessing the assets, the threats and the vulnerability of these personal information assets to those threats, you should be able to start drafting and implementing information security programmes and privacy controls, such as data encryption, identity management and authorisation, computer security controls, network security controls, physical security, personnel security, application security and breach incident management.
The purpose of the controls would be to:
Ensure the security and confidentiality of personal information;
Protect against any anticipated threats or hazards to the security or integrity of such information; and
Protect against unauthorised access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
Remember that where your organisation is regarded as the “responsible party”, it must ensure the security of personal information, since under POPIA the responsible party remains accountable for the personal information of the data subject even if the privacy breach was caused by a third party, such as an operator. You are advised to discuss your security safeguards with your IT department or service provider/s.
The last section dealing with security safeguards is section 22. In short, the section requires you to draft and implement a “Breach Notification” policy supported by:
a process for identifying the notification and related requirements of other applicable jurisdictions relating to the data subjects affected by the breach;
a process for assessing the need for stakeholder breach notification, where required by law, regulation or policy; and
a process for delivering the notice in a timely manner.
To summarise, physical security controls, which include deterrent, detective and preventive measures, are the means you put in place to mitigate physical security risks.
Deterrents aim to discourage those who might violate your security, detective measures alert you to or allow you to detect a potential intrusion, and preventive controls actually stop intrusions from taking place. In isolation, none of these controls is a complete solution, but together they put you on a much stronger footing for physical security.