To avoid going into a spin at the mere mention of a Section 89 PoPIA Assessment, it is important to see PoPIA compliance as a journey that can only mature over time, given the enormous effort involved in translating legislation into practical policies, processes and procedures tailored to individual organisations. Celene La Cock, PoPIA Specialist at Bizmod, says that the outcome of a Section 89 Assessment is ultimately dependent on the organisation’s current state of PoPIA compliance.
“PoPIA clothed the Information Regulator with the authority, among other things, to measure and enforce compliance with the Act. Although the Information Regulator does not discriminate or target specific organisations based on an agenda, in my experience, there are a few factors that will ultimately put an organisation on the Information Regulator’s radar for such an assessment,” says La Cock. These are:
- The number of complaints lodged with the Information Regulator. Special note should be taken of the type of Information Regulator complaints (pre-investigation notices) received on a regular basis, or of specific complaints that recur, as this can be indicative of an underlying gap or non-compliance issue that needs to be addressed.
- The nature of the responsible party’s business. Is your organisation working with a lot of customers’, employees’ or third parties’ personal information? This might mean that your organisation is at high risk of personal information exposure or compromise.
- The number of security compromises that you have reported to the Information Regulator.
“The Information Regulator has instituted an active drive to execute Section 89 Assessments against organisations,” says La Cock, “and therefore organisations need to be prepared, as the chances are they will be assessed at some point.” She believes that, since the inception of PoPIA, many organisations have not anticipated such assessments or this level of scrutiny from the Information Regulator. Organisations are now being held responsible for their actions and for their obligation to protect the personal information they process.
What is a Section 89 Assessment?
This assessment can be instituted by the Information Regulator, or by a data subject who has requested that the Information Regulator assess a responsible party’s current compliance with PoPIA. Ultimately the aim is to ensure that the responsible party processes data subjects’ personal information in a manner that complies with the provisions of PoPIA. During this assessment the responsible party must demonstrate how it complies with the conditions for lawful processing as set out in the Act.
What to expect from a Section 89 Assessment:
The journey to a Section 89 Assessment requires preparation, internal and organisational alignment on every aspect being presented, and transparency in the level of detail being disclosed. It is important to find the right balance between “less is more” and not providing enough information.
La Cock says that Bizmod advises clients that every statement made as part of the assessment needs to have supporting evidence and accountability. In the build-up to an assessment, she prepares clients for the following high-level events that will take place:
- The Information Regulator will formally issue an assessment notice to the responsible party advising that it will be assessed in terms of Section 89 of PoPIA, and will provide dates on which the on-site assessment will take place. (Based on experience, this is usually a two-day on-site assessment.)
- Upon confirmation from the responsible party, the Information Regulator will issue a formal agenda for the on-site assessment which will guide the responsible party to prepare for the assessment.
- From the date of notice to the date of assessment, the responsible party has a calendar month to prepare.
- During the on-site assessment the agenda items will be dealt with, and collaboration will take place.
- Upon finalisation of the on-site assessment, the Information Regulator will formally engage with the responsible party for more information and supporting evidence on matters discussed during the on-site assessment, as set out in Section 90 of PoPIA. Depending on the amount of information requested, the responsible party will be given a mutually agreed time period within which to provide formal feedback.
- Once the Information Regulator is satisfied with all the information and supporting evidence provided and has finalised its assessment, it will formally provide the responsible party with the result of its assessment in terms of Section 91 of PoPIA.
- Depending on the Information Regulator’s findings, it may refer the findings to its Enforcement Committee as prescribed by Section 92 of PoPIA and ultimately issue the responsible party with an enforcement notice to rectify certain elements, should the Committee deem it necessary as prescribed by Section 95 of PoPIA. (The responsible party will also be given an opportunity to respond to the findings/enforcement notice within a specific time period in terms of Section 96 of PoPIA.)
“Though this assessment may seem daunting, it must be seen for what it is, an assessment,” says La Cock. To obtain a successful outcome, this cannot be regarded as a once-off preparation exercise. PoPIA compliance is a journey, and with proper preparation, commitment to compliance and a continuous drive to address gaps and align on interpretation, a successful Section 89 Assessment will be a natural by-product of an organisation’s PoPIA compliance journey.
“My personal philosophy has always been to shed light on issues and shortcomings and to welcome input to rectify elements of non-compliance. As PoPIA is still maturing within South Africa and dependent on interpretation, we as organisations should use this opportunity to work together with the Information Regulator to build a firm foundation on the interpretation of the conditions entrenched in PoPIA,” concludes La Cock.