Tag: POPI Act

POPI and the cloud

When legendary Canadian singer-songwriter Joni Mitchell released her hugely successful album “Clouds” in May 1969 little could she have guessed that nearly 50 years later the subject of clouds would be part of the global conversation around the protection of personal information (PI).

Her words “I’ve looked at clouds from both sides now” with the conclusion “I really don’t know clouds at all” might well apply to information officers (IOs) here in South Africa and data protection officers (DPOs) across the globe and who are trying to understand how to go about selecting their cloud service providers from a security perspecitve.

In fact, Mitchell was prophetic in looking at multiple clouds, not just one, because that’s a reality for today’s IOs/DPOs who need to satisfy the demands of multiple stakeholders who are unlikely to be satisfied with a single cloud services supplier. Of course Mitchell has not been alone in looking at clouds closely. The European Network and Information Security Agency in 2015 launched its Cloud Certification Schemes Metaframework. “CCSM is a metaframework, which maps detailed security requirements used in the public sector to describe security objectives in existing cloud certification schemes. The goal of CCSM is to provide more transparency about certification schemes and to help customers with procurement of cloud computing services. This first version of CCSM is restricted to network and information security [NIS] requirements. It is based on 29 documents with NIS requirements from 11 countries (United Kingdom, Italy, Netherlands, Spain, Sweden, Germany, Finland, Austria, Slovakia, Greece, Denmark). It covers 27 security objectives, and maps these to 5 cloud certification schemes.” (source https://www.enisa.europa.eu/news/enisa-news/enisa-cloud-certification-schemes-metaframework). The rest of this article will take a look at just some of those 27 security objectives as an aid to helping you select your cloud services providers.

Cloud security objectives when selecting a cloud services provider

This list is the full 27 (title and brief description) in the ENISA CCSM and should give you a flavor of the potential complexity involved in evaluating your suppliers from a security perspective. Of course a full evaluation will cover a number of other areas, such as functionality, value for money and relevant experience. This list has not been prioritized to reflect the issues which you evaluate as more or less important in the specific circumstances, such as the risk appetite, applicable to you organisation.

The text that follows is all sourced from the CCSM document.

  1. Information security policy. Cloud provider establishes and maintains an information security policy.
  2. Risk management. Cloud provider establishes and maintains an appropriate governance and risk management framework, to identify and address risks for the security of the cloud services.
  3. Security roles. Cloud provider assigns appropriate security roles and security responsibilities.
  4. Security in Supplier relationships. Cloud provider establishes and maintains a policy with security requirements for contracts with suppliers to ensure that dependencies on suppliers do not negatively affect security of the cloud services.
  5. Background checks. Cloud provider performs appropriate background checks on personnel (employees, contractors and third party users) if required for their duties and responsibilities.
  6. Security knowledge and training. Cloud provider verifies and ensures that personnel have sufficient security knowledge and that they are provided with regular security training.
  7. Personnel changes. Cloud provider establishes and maintains an appropriate process for managing changes in personnel or changes in their roles and responsibilities.
  8. Physical and environmental security. Cloud provider establishes and maintains policies and measures for physical and environmental security of cloud data centres.
  9. Security of supporting utilities. Cloud provider establishes and maintains appropriate security of supporting utilities (electricity, fuel, etc.).
  10. Access control to network and information systems. Cloud provider establishes and maintains appropriate policies and measures for access to cloud resources.
  11. Integrity of network and information systems. Cloud provider establishes and maintains the integrity of its own network, platforms and services and protect from viruses, code injections and other malware that can alter the functionality of the systems.
  12. Operating procedures. Cloud provider establishes and maintains procedures for the operation of key network and information systems by personnel.
  13. Change management. Cloud provider establishes and maintains change management procedures for key network and information systems.
  14. Asset management Cloud provider establishes and maintains asset management procedures and configuration controls for key network and information systems.
  15. Security incident detection and response. Cloud provider establishes and maintains procedures for detecting and responding to incidents appropriately.
  16. Security incident reporting. Cloud providers establishes and maintain appropriate procedures for reporting and communicating about security incidents.
  17. Business continuity. Cloud provider establishes and maintains contingency plans and a continuity strategy for ensuring continuity of cloud services.
  18. Disaster recovery capabilities. Cloud provider establishes and maintains an appropriate disaster recovery capability for restoring cloud services provided in case of natural and/or major disasters.
  19. Monitoring and logging policies. Cloud provider establishes and maintains systems for monitoring and logging of cloud services.
  20. System tests. Cloud provider establishes and maintains appropriate procedures for testing key network and information systems underpinning the cloud services.
  21. Security assessments. Cloud provider establishes and maintains appropriate procedures for performing security assessments of critical assets.
  22. Checking compliance. Cloud provider establishes and maintains a policy for checking compliance to policies and legal requirements.
  23. Cloud data security. Cloud provider establishes and maintains appropriate mechanisms for the protection of the customer data in the cloud service.
  24. Cloud interface security. Cloud provider establishes and maintains an appropriate policy for keeping he cloud services interfaces secure.
  25. Cloud software security. Cloud provider establishes and maintains a policy for keeping software secure.
  26. Cloud interoperability and portability. Cloud provider uses standards which allow customers to interface with other cloud services and/or if needed migrate to other providers offering similar services.
  27. Cloud monitoring and log access. Cloud provider provides customers with access to relevant transaction and performance logs so customers can investigate issues or incidents when needed.

Summary and next steps

It is recommended that you evaluate how to deploy this list of security objectives to best meet the needs of your own organisation. If you have not already, open the conversation about cloud security with your suppliers or potential suppliers. Challenge them to satisfy you in terms of their ability to meet these objectives, in particular whether they can offer one or more of the 11 certifications to which the CCSM is mapped. If they are not willing to do that it may be time to start looking for another supplier. While you are doing all that you may even enjoy listening to Joni Mitchell.

By Dr Peter Tobin

POPI is here, there and everywhere

Global recognition of the importance of data privacy can be traced back to the United Nations (UN) which has a long history of promoting the right to privacy through its Human Rights treaties.

This includes article 12 of the Universal Declaration of Human Rights in 1948 and article 17 of the International Covenant on Civil and Political Rights in 1966. More recently in July 2015 the UN appointed a “Special Rapporteur on the right to privacy” to bring additional focus to the importance of data privacy. Supporting the UN is the Organisation for Economic Co-operation and Development (OECD) which in 1980 issued its “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” which were revised and re-issued in 2013, just as the POPI Act (POPIA) was gazetted in South Africa. Following the UN and OECD initiatives, nearly one hundred countries and territories have established or are developing data protection laws.

African data privacy

In Africa, the African Union (AU) Commission and the Economic Commission for Africa have spearheaded the development of the AU Convention on Cybersecurity and Personal Data Protection, which was adopted by the AU Heads of States and Governments Summit in June 2014 in Malabo, Equatorial Guinea. Eight Countries had already signed the convention by July 2016 according to AU Commission: Benin, Chad , Congo, Guinea Bissau, Mauritania , Sierra Leone, Sao Tome & Principe and Zambia. At a regional level in Africa there are also several initiatives, notably the ECOWAS Cybersecurity guidelines and the SADC Model Law on data protection, e-transactions and cybercrime. There is also the HIPSSA initiative (Harmonization of the ICT Policies in Sub-Saharan Africa) which covers 30 countries across the continent. Latest estimates show that 16 African countries have data privacy legislation, with an additional 14 countries working on legislation, leaving a balance of 24 currently having taken no action so far.

POPIA and the European Union

The POPI Act can trace its origins not just to the OECD guidelines but also Directive 95/46/EC of the European Parliament in 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This Directive will have been completely replaced across all member states of the EU (including the United Kingdom, despite BREXIT) by May 2018 by the General Data Protection Regulation – commonly known as the GDPR. The GDPR has potentially wide-ranging implications for companies based outside the EU trading with the EU member states. Of particular interest is the following extract from the GDPR document: “The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.” This tells us two things: the faster our Information Regulator South Africa (IRSA) gets POPIA full commenced and SA becomes a trusted trading partner in terms of data protection, the easier trade with the EU will become. The downside is if the IRSA is ineffective then potentially the whole country could be put at a significant disadvantage.

International trade recommendations

For those of you who trade in Africa and more broadly across the globe an understanding of data privacy legislation can be an important consideration when establishing trading relationships. This view is supported by DataGuidance, a London-based organisation that provides advice on a global basis concerning data privacy and protection through a global network of experts, including coverage of South Africa. “Our clients tell us that a clear understanding of the data privacy and protection legislation applicable to the territories and countries in which they trade can have a significant influence on the way they do business. Privacy professionals are facing a fast changing global legislative landscape and constant attention needs to be given to ensure consistent compliance with national laws” says David Longford, CEO at DataGuidance. So the key recommendation is to create and maintain awareness of privacy laws when doing business outside of SA, just as much as paying attention to the requirements of POPIA in SA.

My thanks to the Beatles for prompting the title of this article which is in part based on their August 1996 hit song “Here, there and everywhere” released as a track on the hugely successful Revolver album.

By Dr Peter Tobin
Submit queries or feedback from these articles to petert@iact-africa.com.

The functions of the Information Regulator include:

  • to provide education about the Protection of Personal Information Act, for example, giving advice to data
  • subjects in the exercise of their rights;
  • to monitor and enforce compliance with POPI;
  • to consult with interested parties;
  • to handle complaints;
  • to conduct research and to report to Parliament;
  • to issue codes of conduct and make guidelines to assist bodies to develop codes of conduct; and
  • to facilitate cross-border cooperation in the enforcement of privacy laws.

The Information Regulator will have the power to conduct investigations, order publicity of data breaches, and issue administrative fines of up to R10-million.

Next steps

Regulations must be promulgated under POPI, for example, including regulations setting out the cost of making a subject access request and the prescribed standards for codes of conduct.
The announcement of a commencement date. Organisations will not be liable for fines or non-compliance for a period of 12 months from the commencement date.
If you haven’t started yet, now is the time for organisations to start or ramp up their POPI implementation efforts. Our virtual privacy lawyer, POPI Counsel, can assist with your privacy law questions and provide practical guidance through your implementation process. POPI Counsel produces legal opinions for you on demand, anytime and anywhere. Contact us for more information.

The chairperson, Pansy Tlakula, full-time members, Lebogang Stroom and Johannes Weapond, and part-time members, Tana Pistorius and Sizwe Snail, have been appointed to the Information Regulator with effect from 1 December 2016 and will serve for a period of five years.

By Nerushka Bowan for www.financialinstitutionslegalsnapshot.com

Follow us on social media: 


View our magazine archives: 


My Office News Ⓒ 2017 - Designed by A Collective