How many digital devices do you have in use in your business which could represent a risk for loss of personal information? This question is a lot tougher to answer than you might at first think, and in this article we will find out why that’s the case.
The most obvious place to start is by looking at the fixed assets register, where you record all of the information and communications technology (ICT) devices which you own, manage and depreciate in line with the rules issued by SARS. In times past this would capture most, if not all, of the ICT items a company used: tech used to be of relatively high value, centrally procured and tightly managed.
That’s no longer the case for several reasons. First, the emergence of the “throw away” tech era. Items are now so low cost that they fall below the minimum limit to be classified as an asset for depreciation purposes, and so they never make it on to the fixed assets register in the first place. Second, the extensive use in business today of outsourcing or service agreements. Now we can find that the use of service providers may see our fixed assets register entries drop to zero, as we no longer acquire assets in the name of our own organisation.
One of the more recent contributors to this is cloud computing, where entire layers of tech can simply disappear (think traditional server rooms) as they are replaced with a service (think offerings from Microsoft, Google, Amazon, Dropbox and other home-grown cloud service providers). Having said that, most organisations are still holding a significant inventory of desktop/tower PCs, laptops, servers and so on.
Outside of the corporate asset register, the next place to look for digital devices which might be a source of a personal information security compromise under the POPI Act (POPIA) (see Condition 7, Security Safeguards, for details) is your service agreements. This is where we need to think broadly, as so much of what we do in business today is digital without being a part of our core operations, production or accounting systems.
Examples are physical security systems such as access control – including biometric-based recognition and authorisation systems – whether used for staff, visitors or service providers. Coupled to tracking physical access through digital logging systems are digital monitoring systems, such as CCTV. Where this used to mean a network of fixed-location cameras, this is fast evolving as more companies start to use drone-based technology to complement their wired land-based platforms. Then there are the specialist tracking systems using a variety of technologies such as WiFi, Bluetooth and RFID to track people as they go about their work, particularly in high-hazard job roles such as are found in mining and other similar industries.
This can also apply in specialist applications such as health care, where bedside monitoring systems track some of the most personal of data relating to health and wellness. Other common examples include multi-function devices such as the print/copy/scan/fax machines or the digital switchboard you have on a lease agreement.
One of the largest areas that needs attention has nothing to do with what your organisation manages or pays for, directly or indirectly. It’s what’s become known as BYOD – Bring Your Own Device. As tech has moved into the hands of the consumer and out of the narrow control of the IT/ICT community, the use of personally owned and funded devices has mushroomed.
Laptops, tablets, smartphones and smart watches are just some of the devices typically deployed to support directors, management and employees as they go about their daily business. In truth this list is much longer and should include home-based desktop PCs and servers, USB memory sticks (flash drives), CD/DVD disks, digital cameras, external hard drives and digital memory cards, and no doubt more that you are probably thinking of right now. Every one of these BYOD devices is a potential carrier of personal information and therefore a potential source of its loss.
Just identifying all these devices can represent a major challenge if not tackled in a formal, structured and consistent way. Remember, POPIA requires (section 19) that the responsible party (the organisation doing the processing, or its service providers – called operators in POPIA) takes “reasonable measures” to “identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control”.
Clearly, in today’s digitally diverse world, that must go beyond consulting the fixed assets register. Look at your service agreements. Run a staff survey. Be inquisitive about where the risks are and how to address them. What to do once you have found those devices will be the subject of my next article.
By Dr Peter Tobin, www.popisolutions.co.za
Since the Information Regulator South Africa – IRSA – came into office in December 2016, the pace has been picking up in the market for Protection of Personal Information Act (POPIA) products and services.
This has had a spill-over effect on the Promotion of Access to Information Act (PAIA), which also forms part of the responsibilities of the IRSA.
Unfortunately, not only has the pace picked up, but there has been some confusion sown through what might best be described as questionable marketing practices and erroneous reporting. One contact of mine recently received an email which included the following statement: “The Promulgation of POPI, (The Protection Of Personal Information Act) in the Gazette on 26 November 2013 now means you are required to update your PAIA Manual to incorporate the POPI.”
This is misleading, since the Government Gazette did not include the commencement of the POPI Act or even the commencement of the transition period. The same marketing email continued with the statement “ALL information users now must have strict chain-of-custody processes in place.” This is far from the case, as the POPI Act makes no reference to a “strict chain-of-custody”. In a similar vein, the email stated “Businesses or persons who use/hold/verify or even request your Personal Information MUST now conform to the Act.” Not true.
This will only be so, under certain conditions, once the POPIA transition period has ended, and right now it has not even started.
The same email then offers to help with the appointment of a “Compliance Officer”. No such individual is mentioned or required in terms of either POPIA or PAIA. What is required is an Information Officer, possibly supported by one or more deputies depending on the needs of each organisation. In September the IRSA issued a set of draft regulations which included specific reference to the role and duties of the Information Officer, more about which is available on the IRSA web site.
Perhaps of greatest concern is the statement that “at (name withheld) we made it very easy for you to get compliant in a simple and completely tax deductible manner. It takes you about 10 minutes to complete this process on our website.” Given the duties outlined in the IRSA draft regulations this statement should at least be seen as misleading.
This and other marketing emails that I have seen also push organisations to create or update a manual to comply with PAIA. In truth there are numerous exemptions to that requirement. To check whether you need to publish a PAIA manual please refer to the notice that appeared in the Government Gazette on 11 December 2015, signed by the then Minister of Justice and Correctional Services. For a free copy of the notice visit www.gpwonline.co.za and search for edition 39504.
Not only commercial organisations are guilty of misstating the facts. The Star newspaper ran an article in the Saturday Star Personal Finance column during September 2017 which contained the statement “The 12-month grace period to comply with the PoPI Act has expired, and the legislation is being applied in the public and private sectors.” That is factually incorrect, and I wrote to the author of the article twice in an attempt to have this incorrect statement corrected.
One of my letters (in part) appeared in the Personal Finance column on Saturday 30 September 2017 under the heading “Incorrect correction about PoPI Act”. The explanation of the true state of affairs was published along with an apology to me personally from the editor.
I repeat those contents below for completeness:
“On September 23 2017 on page 21 in the Personal Finance section an item appeared titled “Correction to article on PoPI Act”. Unfortunately the correction itself is incorrect. To state that the “12 month grace period for market compliance is now in force” is factually incorrect. The only sections of the PoPI Act that have commenced refer to the definitions of the Act and those provisions allowing the establishment of the Information Regulator South Africa (IRSA). These appeared in the Government Gazette in April 2014.”
In summary, be sure you are dealing with reputable sources when seeking advice on how and when to comply with new legislation in general and POPIA and PAIA in particular.
By Dr Peter Tobin
During June 2017 the Information Regulator South Africa (IRSA) released a number of documents on its web site which give an insight into how the IRSA will conduct its work in the coming years.
In this article we will take a look at the Strategic Plan, incorporating the Annual Performance Plan, and see what we can learn about the IRSA and the status of the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA), which fall under the responsibility of the IRSA. In a later article we will look at the various committees that have been established by the IRSA. Before we start, it is worth remembering that as the IRSA is an arm of government, the approach and terminology used is more aligned to government-speak than that familiar to a commercial or non-state-owned entity.
Strategic Plan, incorporating the Annual Performance Plan
This thirty-one-page document covers the period 2017-2020. This is shorter than the usual five-year period used by government entities, as the IRSA is entering into operation part way through the current SA government planning cycle. The first point of interest is that there appears to be an attempt to seek independent insight, in the assistance sought from the Monitoring and Evaluation Unit of the Department of Telecommunications and Postal Services in the development of the plan, as referred to in the “Foreword” signed by the IRSA Chairperson.
The Vision, Mission and Values are laid out in the Strategic Plan and hold no surprises given the mandate of the IRSA. As part of the mandate the core functions are listed (Part A, section 4), in line with the POPIA and PAIA remit of the IRSA, and are worth mentioning here:
• Mandate for POPIA: provide education; monitor and enforce compliance; to consult with interested parties; to handle complaints; to conduct research; codes of conduct; facilitate cross-border co-operation.
• Mandate for PAIA: complaints; investigations; assessments of compliance; a list of more than a dozen “additional functions” including both educational and operational issues.
The final item listed under the mandate is the requirement to submit an annual report to the national assembly.
None of this coverage of the mandate is particularly revealing, except for the strange imbalance in the way the mandates for POPIA and PAIA have been presented. One might have expected a balanced approach to presenting the mandate in terms of the focus on education, compliance monitoring and other issues for both pieces of legislation. For example, we see the term “enforce compliance” being used in relation to POPIA and not being used in the same way in relation to PAIA. Another inconsistency is the explicit emphasis on training Information Officers and Deputy Information Officers under the PAIA mandate and no such explicit reference under POPIA. Could this be a statement of intent or a mere oversight? A similar inconsistency is the involvement of the Public Protector under PAIA but no similar mention of the Public Protector under POPIA. Perhaps the reasons for these inconsistencies will become clear later?
Section 5 of the Strategic Overview focuses on planned initiatives. There are five areas that are listed that the IRSA will be treating as priorities:
• The adoption of the Regulations
• Codes of conduct needs assessment
• Stakeholder engagement
• Analysis of legislation that impacts on its operating environment
A major disappointment is that these initiatives are stated without reference to POPIA or PAIA specifically, and only by implication can they be seen to apply more directly to POPIA. What is absent is any sense that enforcement action is a priority (for either POPIA or PAIA), suggesting a less aggressive approach than some have anticipated.
A curious anomaly in terms of a conventional strategic plan is part A section 6 (Litigation) which is presented more as a report back on recent activity than a commitment to be involved in future litigation as part of a strategic commitment.
Section 7 covers the situational analysis. The first two sections focus on the internal procedural matters of interest to the IRSA (performance and organisational environment) and add no value in terms of the external environment, in particular global influences on the performance of a national information regulator and the external political, economic, social, legislative and other influences it operates under. The final part of section 7 covers the IRSA strategic planning process. Sadly, therefore, the situational analysis adds little value in terms of the local (national), regional (SADC) or continental (AU) context for the work of the IRSA.
Section 8 claims to cover the high-level governance structure. Sadly, given the launch of the King IV Report and Code™ in the month prior to the IRSA taking office, there is no acknowledgement of the overall approach to ensuring effective governance as outlined in King IV™. Given the intense focus on the performance of the Chairperson of the IRSA in her previous position at the IEC, one might expect a more proactive approach to establishing the legitimacy of the IRSA as a governance outcome. In fact, section 8 presents more of an organisation chart than a governance structure.
Section 9 covers the budget overview and mid-term expenditure estimates. These clearly demonstrate that the IRSA will be severely limited in its ability to deliver on its mandate unless there is a significant change to the budget for the period covered. With compensation of employees pegged at a flat R17,486,000.00 for each year from 2017/18 to 2019/2020, there is little chance that the highly knowledgeable, skilled and experienced staff required will grow in any meaningful way for the foreseeable future.
The final part of the Strategic Overview (Part A of the document) covers, in section 10, strategic outcome-oriented goals. There are seven goals listed, and in the next article we will look at these in relation to the strategic objectives and annual performance plan that make up parts B and C of the overall strategic plan document.
By Dr Peter Tobin
South African organisations need to prioritise the protection of confidential information or face putting their businesses at risk of hefty financial penalties, irrevocable reputational damage, and even legal repercussions, a leading information security company has warned.
With the average data breach costing South African businesses R28.6 million each year, Shred-it South Africa said organisations cannot afford to ignore the importance of implementing robust information security policies and practices. The loss of confidential information can also impact customer confidence and may put businesses at risk of legal action.
“Many South African businesses are not aware of the costly impact that a data security breach can have, both in terms of lost business and non-compliance fines. It’s more than a financial risk; damage to a hard earned reputation is time-intensive and costly to repair. Prevention is always better than a cure, and I urge organisations in South Africa to make sure information security is top of the business agenda,” says Tony Fitzpatrick, country manager at Shred-it South Africa.
Businesses also need to be aware of the legal requirements when it comes to protecting confidential information. According to Shred-it’s Security Tracker Survey, only 37% of SMEs understand the implications the forthcoming enforcement of the Protection of Personal Information (POPI) Act will have on their business, compared to 70% of C-Suite Executives. However, the enforcement of POPI will hold all businesses accountable should they abuse or compromise personal information in any way. Organisations could face substantial financial penalties of up to R10 million, or a prison sentence of up to 10 years could be imposed, should an entity be in breach of the legislation.
“The clock is ticking for businesses when it comes to being properly prepared to meet the terms of the POPI Act. When the POPI Act comes into full effect, it is crucial that all businesses adhere to the outlined requirements of the legislation when collecting, processing, storing and sharing another entity’s personal information. Businesses should note that the POPI Act is more than a compliance checkbox exercise; it is ultimately for the benefit of business, by ensuring that all information is securely protected so that organisations can build trust with their customers, employees and partners,” Fitzpatrick concludes.
Shred-it, which helps businesses in South Africa to improve their information security practices and protect their workplaces against the damage caused by data breaches, has issued the following five tips to help organisations put information security at the forefront of business planning:
• Schedule regular information security audits to identify problem areas where confidential information could go astray, e.g. printer stations and meeting rooms. Put measures in place to ensure that documents are securely disposed of, e.g. reminding staff to keep documents secure and store them in locked consoles or containers when they are no longer needed, ready for secure disposal.
• Introduce a Shred-it all Policy, which means all documents are destroyed prior to disposal. This means employees do not need to make a decision as to what is or is not confidential when disposing of paperwork. The decision to use the recycling bin or shredding container is often left to chance or convenience where both options are available. In practice, when outsourcing to a secure destruction provider such as Shred-it, all shredded paper is recycled, keeping you secure and protecting the environment at the same time.
• A clean desk is one of the simplest yet most effective safeguards that can significantly reduce the risk of a data breach. A formal Clean Desk Policy directs employees to put away all paper documents and lock all electronic equipment when leaving workstations, so confidential information is not at risk of falling into the wrong hands or left vulnerable to ‘visual hacking’ from unauthorised prying eyes.
• Ensure employees are informed about the risks associated with data protection breaches and are well trained on which documents they should consider shredding as well as how to dispose of electronic data.
• Work with a reputable professional information destruction company that not only has a secure shredding process but can offer guidance and help with implementing robust information security practices.
The recent article by Hanna Barry, Personal information laws risk stifling small business, highlighted the diversity of opinions about the impact of the Protection of Personal Information (POPI) Act.
Trustwave has released its findings from a survey of 113 South African IT professionals, asking if they are ready for POPI – South Africa’s Protection of Personal Information Act which seeks to regulate the processing of personal information and standardise compliance with privacy and data protection legislation.