Oct 26, 2020, 13:36 PM
Principle 7 – Security Safeguards
This is the POPIA principle that links privacy and security. Many companies consider privacy and security to be the same thing, but they are actually distinct fields.
MYTH: AS LONG AS I DO MY BEST TO PROTECT PERSONAL INFORMATION THERE WILL BE NO CONSEQUENCES TO MY COMPANY IN CASE OF A DATA BREACH
RESPONSE: ANY COMPROMISE OF PERSONAL INFORMATION MUST BE REPORTED TO THE INFORMATION REGULATOR AND AFFECTED DATA SUBJECTS, WHICH COULD HAVE A MASSIVE IMPACT ON YOUR COMPANY’S REPUTATION
There can be no doubt, though, that the two disciplines have to work together to ensure POPIA compliance. After all, it is one thing to hold all this personal data and to comply with the other principles, but if the data is not protected, you are still at risk of the information getting out and of being fined or sued (not that this should be your motivation for compliance, but rather caring about your customers and getting your house in order).
So, let’s look at what POPIA has to say about security safeguards.
Section 19(1) of POPIA requires the responsible party to secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent:
- Loss of, damage to or unauthorised destruction of personal information; and
- Unlawful access to or processing of personal information.
There are two very distinct points here. First of all, the data must be protected and backed up so that it is not lost or damaged (which we call data integrity), but it must also be protected against access or processing by persons who should not have access (which we call access control). Unlawful is a strong word and leads to debate as to what it means. Does it mean that in a company that has the right to legitimately process the information, employees that would typically not need to have access to this information should not? Is that considered to be unlawful processing? This point is uncertain and I would argue that, while it is maybe not unlawful, employees that have no need to access the personal information should not have access to the information. It is just good risk management practice.
POPIA goes further to set out some requirements for compliance with Section 19(1) and requires all responsible parties to take reasonable measures to:
- Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control. This clearly calls for some sort of risk management plan and regular discussion about how personal information is being dealt with within the company. In a previous post we spoke about how important it is to keep as little personal information as possible, and this is yet another very good reason to limit the personal information in a company’s possession. While it is likely impossible to identify all reasonably foreseeable risks, there are the standard risks such as malware, a phishing attack, emails being sent to the wrong parties, etc., and it is very important to list these risks and have a plan in place to mitigate them.
- Establish and maintain appropriate safeguards against the risks identified. This takes the risk identification to the next step, where the responsible party has to put active measures in place to make sure such risks are mitigated. It is here that items such as anti-malware software, encryption of databases and email, secure digital signing and document encryption, and data loss prevention tools need to be considered. Again, it is very important under this step to document policies that you can put into practice to assist with mitigating these risks.
- Regularly verify that the safeguards are implemented. This simply means that you cannot rest: you have to regularly test your safeguards.
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. Again, this follows on from the previous point, so if in these assessments process improvements are discovered or you find a weakness, it is important to update the process. As always, remember to document what you are doing, as this may serve in mitigation of any allegations against your company in case of a breach.
To conclude Section 19, POPIA requires that the responsible party must have due regard to generally accepted information security practices and procedures that may apply to it generally or that are required in relation to a specific industry. Banks and financial institutions will have regard to payment card and other financial regulations, but many small businesses are not governed by any specific codes. Here it is important for you to consider the following when deciding what to do to secure your personal information:
- The size of your business
- The nature of your business
- How many customers you have
- What personal information you are processing
- How much money you have to spend on information security (it is always cheaper to spend money on information security than it is to spend money on fixing the problem after a breach)
- The sophistication of your business.
Take all of these measures into account and then decide what you can reasonably do to ensure that personal information is protected.
When an operator processes information under your authority remember that they may only do so with your knowledge and permission as the responsible party.
Operators are also required to implement generally accepted information security practices that meet the satisfaction of the responsible party. In fact, section 21 of POPIA requires that there must be a written contract between the operator and the responsible party.
An operator must also notify the responsible party immediately where they reasonably believe that the personal information of a data subject has been accessed or acquired by an unauthorised third party.
This principle ends off with the notification requirements for security compromises. This is very important, so be sure to read this section carefully.
In a previous post we discussed the dual accountability of the responsible party, in that they are accountable to both the Information Regulator and the data subject. This comes to the fore in that:
- POPIA requires that both the Information Regulator and the individual data subject have to be notified of any sort of compromise of personal information, unless the individual data subjects cannot be identified.
- The notification must be made as soon as possible after discovery, taking into account the needs of law enforcement to do their job or any measures to determine the scope of the compromise and to restore the integrity of the personal information.
- The responsible party is only allowed to delay notification to a data subject if a public body is responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
- The notification to the data subject must be in writing and in one of the following forms:
  - Mailed to the data subject’s last known physical or postal address. In light of the seriousness of a data breach and the current inefficiencies of the postal system, this does not seem like an appropriate notification mechanism.
  - Emailed to the data subject’s last known email address. When considering this option, it may be worth your while to look at the nature of the compromise. If email accounts have been hacked, for example, this will not be an appropriate notification mechanism.
  - Placed in a prominent position on the website of the responsible party. This is of course the one that will cause the greatest reputational damage, but it may be the most effective way of getting the notice out to all affected parties. The drawback is that anyone else will also see this notification, even if they were not victims.
  - Published in the news media. This is similar to notification on a website but far less targeted, and it is questionable whether all the intended recipients will receive notice of the compromise in this way.
  - As directed by the Regulator.
The publication referred to in the bullet points above must contain sufficient information to allow the data subject to take protective measures against further compromise, including:
- A description of the possible consequences of the compromise. This may be hard to quantify in certain circumstances.
- A description of the steps that the responsible party has taken or intends to take to prevent or mitigate the effects of the compromise.
- A description of the recommended steps a data subject can take to prevent further consequences of the breach. In this regard it is important to seek professional assistance, because few businesses are equipped to deal with this kind of notice. Many cyber liability insurance policies include a service whereby communication with data subjects will be dealt with by professionals.
- If known, the identity of the unauthorised person who has accessed the personal information of the data subjects.
The Information Regulator may also direct a responsible party to publicise in any way they deem fit the fact of a compromise of personal information if the Regulator believes that this will protect a data subject.
The takeaway from this part of POPIA is that there is no escape. If there has been a compromise, you have to inform the Information Regulator and the affected data subjects. This means that the breach will be made public and, as a consequence, your business will suffer massive bad publicity and reputational damage. So, while it may seem onerous to employ the necessary security safeguards, it may just be worth your while to put them in place instead of being faced with the alternative.
Please have a look at LAWtrust’s products such as Zix email encryption and SigningHub, or contact us on email@example.com to see how we can assist with the security aspect of your POPIA compliance journey.
TIP: You can do a lot to protect personal information without spending a lot if you have proper processes and practices in place. When you set up your practices think like a criminal trying to access the information and not like a business trying to protect the information.
- Adv. Rian Schoeman