The Protection of Personal Information (PoPI) Act has been signed into law and will soon be implemented. For organisations yet to become PoPI compliant soon, it is going to have huge implications not only for policies, but how they enable these processes and ensure that they are implemented throughout the organisation.
Information guru Mark Heyink points out that the issue is bigger than many compliance officers think, by virtue of the fact that we live in a connected world. ‘The Internet changes everything,” he told delegates to an AxizWorkgroup and MicroFocus information session.
Every one of us is a data subject, he says, and we are subject to four forces: architecture, market, the law and norms.
The architecture refers to the constantly changing world that we live in – the insider threat of the future could be a fridge or a camera, and changing daily.
“Yes, we can control the environment at a micro-level, but we can’t really control it altogether.”
The market is huge, he adds, but the currency in the new market is people – the users of services who agree to their information being used.
The law, he says, sets the parameters within which organisations and people are allowed to operate. Individuals and organisations still need to manage risk, he adds.
Norms refer to the accepted behaviours within society – and this is the only element of our own information and privacy that we can manage, says Heyink. Privacy is a constitutional right – but, it is a personal decision that people take when they do things like setting their passwords or setting boundaries.
“It’s our right, and it must be respected,” Heyink says. “In the 20th century a lot of these rights were trampled on and we need to claw them back.”
If you don’t think privacy breaches are happening in South Africa, you are not paying attention, Heyink says.
Privacy, he says, is the most critical issue. “There are so many different aspects. One of the things we are trying to do is balance the issue of cybersecurity with privacy rights.”
Cyber-war is a reality and other areas of cyber-intrusion are increasing. Big data raises new issues as well.
“We need to look at these things carefully.”
The law in the US doesn’t apply here, Heyink adds, and there is a more commercial view of privacy issues.
In the US, laws apply differently to different industry sectors and, as a result, doesn’t necessarily apply to the individual.
In the wake of 9/11 many laws swept through congress, usurping many individual rights. Among the implications of the Snowden leaks, Heyink says, is not just the fact that the government spies on people, but also receives data from organisations that have access to personal data.
South African legislation is more influenced by laws in Europe, where human rights are often embedded. In fact, Germany has the best human rights regime in the world, according to Heyink.
There are also new rights being created in Europe, such as the right to be forgotten, which contribute to privacy.
On 24 May 2016, the EU promulgated the General Data Protection Regulation, which European companies and those dealing with Europe have to comply with it.
In South Africa, the PoPI regulator is expected to be appointed soon, and companies will have a one-year grace period thereafter to become compliant.
With Europe’s GDPR set to come into force on 28 May 2018, it’s likely that PoPI will come into effect on that date as well – and companies that are not on the road to compliance now are well behind the curve, Heyink says.
The act itself is quite long, he adds, but companies that understand and comply with section three will cover about 90% of their obligations.
He definition of personal information is pretty wide, Heyink says, and includes anything that can be related to a specific person. Processing is equally wide, referring to the collection, storage, use and destruction of any information.
Accountability rests of the responsible person, who has to ensure that the law is complied with, that personal information is identified and is processed in an appropriate manner.
This extends to third party operators who may process information on behalf of the responsible person, so companies should ensure that suppliers observe the same care with personal information.
The process limitation clause says that personal information must be processed lawfully and in a responsible manner that doesn’t infringe on people’s privacy. Minimality adds that companies may collect only that information that is relevant for the purpose at hand.
Consent is different to other justifications, which include contract, legal obligation, legitimate interests and public law duty.
There are also processing limitations, says Heyink, noting that the first of these is that information must collected directly from the data subject. However, there are exceptions – including the use of public records deliberately made public by the data subject. This collection mustn’t prejudice the data subject but can be used in the enforcement of law, for court proceedings and in the national interest.
Importantly, data can be collected only for an explicit purpose that is specified upfront. The data subject needs to be aware of the purpose and collection of the personal information.
Further processing has to be compatible with the purpose for which the information was initially collected, and there are guidelines for determining this.
In terms of information quality, the responsible party needs to take reasonably practicable steps to ensure that information remains complete, accurate, not misleading and is updated where necessary.
Openness refers to transparency and makes provision for the ability for data subjects to see their information. The crux of much of the privacy issue is security, Heyink adds. The act says companies have to put in appropriate measures to secure the confidentiality and integrity of personal information.
There are many standards around information security, he says and companies need to apply these to themselves and to any third party operators.
In addition, they have to inform data subjects and the regulator if there are any security breaches or compromises.
Unsolicited electronic transactions are covered by the act, but applies only to electronic or automated communication.
This means that direct marketing is prohibited unless the subject’s consent is obtained, or if the subject is already a customer. This also means that directories are unlawful unless the people or companies listed therein have consented.
The act also has implications on automated decision-making because data subjects may not be adversely affected, and must be given the opportunity to make representation.
Being that information has no effective borders, the responsible party needs to ensure that trans-border information flows are properly covered by contracts and in fact.
Contracts with all suppliers should be examined in the context of PoPI because there is a cascade effect with various providers who must treat information according to the responsible party’s obligations.
Codes of conduct can go a long way to ensuring the PoPI is observed throughout the value chain, and play a role in education and compliance.
A new twist with PoPI is that penalties can be applied, consisting of fines – which have no limitation – and prison time. Importantly, these penalties could be both criminal and civil.
On a separate note, the Cybercrime and Cybersecurity Bill will soon be presented to cabinet, and Heyink points out that it criminalises several cyber-related offences. This act also provides for severe penalties for vague offences – even though the capacity to police and prosecute against the issues in the Bill doesn’t actually exist.