During June 2017 the Information Regulator South Africa (IRSA) released a number of documents on its web site which give an insight into how the IRSA will conduct its work in the coming years.

In this article we will take a look at the Strategic Plan, incorporating the Annual Performance Plan and see what we can learn about the IRSA and the status of the Protection of Personal Information Act (POPIA) and Promotion of Access to Information Act (PAIA) which fall under the responsibility of the IRSA. In a later article we will look at the various committees that have been established by the IRSA. Before we start it is worth remembering that as the IRSA is an arm of government the approach and terminology used is more aligned to government-speak than that familiar to a commercial or non-state owned entity.

Strategic Plan, incorporating the Annual Performance Plan
This thirty-one-page document covers the period 2017-2020. This is shorter than the usual five-year period used by government entities, as the IRSA is entering into operation part way through the current SA government planning cycle. The first point of interest is that there appears to be an attempt to seek independent insight, in the form of the assistance sought from the Monitoring and Evaluation Unit of the Department of Telecommunications and Postal Services in the development of the plan, as referred to in the “Foreword” signed by the IRSA Chairperson.

The Vision, Mission and Values are laid out in the Strategic Plan and hold no surprises given the mandate of the IRSA. As part of the mandate the core functions are listed (Part A, section 4), in line with the POPIA and PAIA remit of the IRSA and are worth mentioning here:

• Mandate for POPIA: provide education; monitor and enforce compliance; to consult with interested parties; to handle complaints; to conduct research; codes of conduct; facilitate cross-border co-operation.
• Mandate for PAIA: complaints; investigations; assessments of compliance; a list of more than a dozen “additional functions” including both educational and operational issues.

The final item listed under the mandate is the requirement to submit an annual report to the National Assembly.
None of this coverage of the mandate is particularly revealing, except the strange imbalance in the way the mandates for POPIA and PAIA have been presented. One might have expected a balanced approach to presenting the mandate in terms of the focus on education, compliance monitoring and other issues for both pieces of legislation. For example, we see the term “enforce compliance” being used in relation to POPIA and not being used in the same way in relation to PAIA. Another inconsistency is the explicit emphasis on training Information Officers and Deputy Information Officers under the PAIA mandate and no such explicit reference under POPIA. Could this be a statement of intent or a mere oversight? A similar inconsistency is the involvement of the Public Protector under PAIA but no similar mention of the Public Protector under POPIA. Perhaps the reasons for these inconsistencies will become clear later?

Section 5 of the Strategic Overview focuses on planned initiatives. There are five areas that are listed that the IRSA will be treating as priorities:
• The adoption of the Regulations
• Codes of conduct needs assessment
• Stakeholder engagement
• Analysis of legislation that impacts on its operating environment

A major disappointment is that these initiatives are stated without reference to POPIA or PAIA specifically, and only by implication can be seen to apply more directly to POPIA. What is absent is any sense that enforcement action is a priority (for either POPIA or PAIA), suggesting a less aggressive approach than some have anticipated.
A curious anomaly in terms of a conventional strategic plan is part A section 6 (Litigation) which is presented more as a report back on recent activity than a commitment to be involved in future litigation as part of a strategic commitment.

Section 7 covers the situational analysis. The first two sections focus on the internal procedural matters of interest to the IRSA (performance and organisational environment) and add no value in terms of the external environment, in particular global influences on the performance of a national information regulator and the external political, economic, social, legislative and other influences it operates under. The final part of section 7 covers the IRSA strategic planning process. Sadly, therefore, the situation analysis adds little value in terms of the local (national), regional (SADC) or continental (AU) context for the work of the IRSA.

Section 8 claims to cover the high level governance structure. Sadly, given the launch of the King IV Report and Code™ in the month prior to the IRSA taking office, there is no acknowledgement of the overall approach to ensuring effective governance as outlined in King IV™. Given the intense focus on the performance of the Chairperson of the IRSA in her previous position at the IEC, one might expect a more proactive approach to establishing the legitimacy of the IRSA as a governance outcome. In fact, section 8 presents more of an organisation chart than a governance structure.
Section 9 covers the budget overview and mid-term expenditure estimates. These clearly demonstrate that the IRSA will be severely limited in its abilities to deliver on its mandate unless there is a significant change to the budget for the period covered. With compensation of employees pegged at a flat R17,486,000.00 for each year from 2017/18 to 2019/2020, there is little chance that the highly knowledgeable, skilled and experienced staff required will grow in any meaningful way for the foreseeable future.
The final part of the Strategic Overview (Part A of the document) covers, in section 10, strategic outcome oriented goals. There are seven goals listed, and in the next article we will look at these in relation to the strategic objectives and annual performance plan that make up parts B and C of the overall strategic plan document.

By Dr Peter Tobin

Beware the data breach

South African organisations need to prioritise the protection of confidential information or face putting their businesses at risk of hefty financial penalties, irrevocable reputational damage, and even legal repercussions, a leading information security company has warned.

With the average data breach costing South African businesses R28.6 million each year, Shred-it South Africa said organisations cannot afford to ignore the importance of implementing robust information security policies and practices. The loss of confidential information can also impact customer confidence and may also put businesses at risk of legal action.

“Many South African businesses are not aware of the costly impact that a data security breach can have, both in terms of lost business and non-compliance fines. It’s more than a financial risk; damage to a hard earned reputation is time-intensive and costly to repair. Prevention is always better than a cure, and I urge organisations in South Africa to make sure information security is top of the business agenda,” says Tony Fitzpatrick, country manager at Shred-it South Africa.

Businesses also need to be aware of the legal requirements when it comes to protecting confidential information. According to Shred-it’s Security Tracker Survey, only 37% of SMEs understand the implications the forthcoming enforcement of the Protection of Personal Information (POPI) Act will have on their business compared to 70% of C-Suite Executives. However, the enforcement of POPI will hold all businesses accountable should they abuse or compromise personal information in any way. Organisations could face substantial financial penalties of up to R10 million, or a prison sentence of up to 10 years could be imposed should an entity be in breach of the legislation.

“The clock is ticking for businesses when it comes to being properly prepared to meet the terms of the POPI Act. When the POPI Act comes into full effect, it is crucial that all businesses adhere to the outlined requirements of the legislation when collecting, processing, storing and sharing another entity’s personal information. Businesses should note that the POPI Act is more than a compliance checkbox exercise; it is ultimately for the benefit of business, by ensuring that all information is securely protected so that organisations can build trust with their customers, employees and partners,” Fitzpatrick concludes.

Shred-it, which helps businesses in South Africa to improve their information security practices and protect their workplaces against the damage caused by data breaches, has issued the following five tips to help organisations put information security at the forefront of business planning:

• Schedule regular information security audits to identify problem areas where confidential information could go astray, e.g. printer stations and meeting rooms. Put measures in place to ensure that documents are securely disposed of, e.g. reminding staff to keep documents secure and store them in locked consoles or containers when they are no longer needed, ready for secure disposal.

• Introduce a Shred-it all Policy, which means all documents are destroyed prior to disposal. This means employees do not need to make a decision as to what is or is not confidential when disposing of paperwork. The decision to use the recycling bin or shredding container is often left to chance or convenience where both options are available. In practice, when outsourcing to a secure destruction provider such as Shred-it, all shredded paper is recycled, keeping you secure and protecting the environment at the same time.

• A clean desk is one of the simplest yet most effective safeguards that can significantly reduce the risk of a data breach. A formal Clean Desk Policy directs employees to put away all paper documents and lock all electronic equipment when leaving workstations, so confidential information is not at risk of falling into the wrong hands or left vulnerable to ‘visual hacking’ from unauthorised prying eyes.

• Ensure employees are informed about the risks associated with data protection breaches and are well trained on which documents they should consider shredding as well as how to dispose of electronic data.

• Work with a reputable professional information destruction company that not only has a secure shredding process but can offer guidance and help with implementing robust information security practices.

SA companies not ready for POPI

Trustwave has released its findings from a survey of 113 South African IT professionals, asking if they are ready for POPI – South Africa’s Protection of Personal Information Act which seeks to regulate the processing of personal information and standardise compliance with privacy and data protection legislation.

My Office News Ⓒ 2017 - Designed by A Collective