POPI Compliance and digital signatures

Aug 3, 2021, 09:14 AM by Riaan De Villiers
How do you ensure that your digital signature collection is legally compliant?


By Rian Schoeman

With POPI now enforced across South Africa and GDPR already in force in the EU, how do you ensure your digital signature collection is legally compliant?

As organisations digitise, they naturally collect and exchange data. Because so many interactions now happen online (financial transactions, medical consultations, government services), the data involved has become sensitive and valuable, and governments worldwide, South Africa included, are creating regulations to protect it.

POPI Act and digital signatures defined

The Protection of Personal Information Act (the POPI Act, or POPIA) is South Africa's data protection law. It applies to any organisation that processes personal information, and every organisation that handles personal data is legally obliged to protect it. This includes:

  • Financial institutions like retail banks, insurance companies or stokvels.
  • Government agencies like councils, regulators and state-owned enterprises.
  • Healthcare providers such as hospitals, clinics and doctors.
  • Digital companies like online stores and digital marketing companies.
  • Educational institutions, from preschool to university.
  • Private companies, from stores with loyalty programmes and hospitality businesses that collect guest information to the local mechanic.

Once an organisation, whatever its size, collects personal information (name, contact details and so on), it must comply with POPI. In short, POPI:

  • Sets the minimum conditions under which public and private bodies may process personal information.
  • Gives data subjects rights in respect of unsolicited electronic communications and automated decision-making.
  • Regulates the cross-border flow of South African personal information.

What is POPI?

POPI is a law that information officers, compliance officers, legal advisors, IT managers and risk officers need to know. Non-compliance can result in reputational damage, administrative fines of up to R10 million, imprisonment, and damages claims from data subjects. The Act commenced on 1 July 2020 with a one-year grace period and has been fully enforceable since 1 July 2021. Monitoring and enforcing compliance is the duty of the Information Regulator.

Digital signatures

A digital signature is the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation in digital communications.

Advanced electronic signatures

An advanced electronic signature is a digital signature created with a digital certificate that uniquely identifies the signer. Advanced electronic signatures can only be issued by an Authentication Service Provider accredited under ECTA, such as LawTrust, after a face-to-face verification of the signatory's identity. The signatory retains sole control of the signing keys.

Digital signatures in POPI 

The POPI Act protects personal information, while the Electronic Communications and Transactions Act (ECTA) regulates digital signing in South Africa. While an organisation can use digital signatures to meet some of the requirements under POPI, the Act itself does not regulate the use of digital signatures.

An organisation can use digital signatures to:

  • Notarise documents
  • Provide suretyship
  • Certify documents
  • Sign exclusive licensing agreements
  • Sign credit agreements governed by the National Credit Act
  • Sign any document requiring a signature

How digital signatures reduce fraud and identity theft

A secure digital signature, and in particular an Advanced Electronic Signature, can only be issued to a person who has gone through a thorough identification process, which includes verifying that individual's identity document. Because the signing key is under the sole control of that verified person, anyone relying on the signature has assurance that it was applied by the person the certificate identifies.

When a document is signed, the signature is computed over the document's contents and embedded into the PDF together with the signer's digital certificate. If anyone later tampers with the document or changes any part of it, the signature no longer matches the contents: the document shows that it has been modified, the signature is displayed as invalid, and the document cannot be trusted.

Not long ago, the news was full of incidents in which bad actors intercepted invoices sent by email and changed the banking details. Had the sender digitally signed the invoice, any change to the banking details would have broken the signature, and the document would have indicated that it had been tampered with. The recipient would then see that the invoice is not trustworthy and would not pay into the fraudulent account. The identity verification behind the certificate prevents impersonation, and the signature over the contents prevents undetected alteration. This only helps, of course, if the recipient actually checks the signature and treats an unsigned or invalid invoice as suspect: an attacker who can change the bank details can just as easily strip the signature altogether.

This is just one scenario, but there are plenty more examples, such as fraudulent applications for bank accounts, the release of funds, contracts, tenders and more. Thus, the use cases of digital signatures to prevent fraud are numerous.

Image: invalid digital signature. The image above shows a document that can no longer be trusted because it was edited after signing.

Financial and health regulators' compliance with POPI

As part of the government's digital ecosystem, financial and health regulators are all subject to POPI, and they carry a significant responsibility to protect the large amounts of personal information that come their way. Regulators and government agencies can use digital signatures to protect the integrity and authenticity of documents, which supports the security safeguards POPIA requires responsible parties to put in place.

Across government there is a strong drive towards modernisation and digitalisation, and various departments are already using or investigating digital signatures in the different spheres of government. The government has published guidelines. What remains is to amend the ECT Act so that Advanced Electronic Signatures become more accessible, especially in a more decentralised world where many people will not be returning to their offices in the long term.

Industry compliance

Data continuously changes hands between organisations and consumers. Regulators require organisations to comply with the rules, and consumers expect organisations to go further and protect their data. Building a secure framework within which data is processed is the organisation's responsibility.

Here's how digital signatures can help organisations remain POPI compliant:

  • Digital signatures tell you who signed a document and when, which adds accountability to every document and record the organisation processes.
  • Digital signatures are part of a framework that validates and authenticates identities. In a digital world, identity management is key to maintaining the integrity of communications and interactions.
  • If a bad actor tampered with a signed document, it would be evident, so communication between parties can be trusted.
  • The law recognises the strength and fidelity of digital signatures, so contracts signed this way are binding, subject to the exceptions set out in ECTA.
  • The courts recognise digital signatures as providing non-repudiation: a signer cannot deny, after the fact, having signed. Advanced electronic signatures carry prima facie validity, meaning that in court the burden of proof shifts to the signatory to show that the signature on the document is not valid.

How a business or individual can check if a digital signature certificate is legitimate

A document carrying a digital signature will immediately show whether the signature is trusted, and if it is not, it will clearly indicate that it cannot be trusted. Another way to check is to confirm that a publicly trusted Certificate Authority issued the signing certificate, which you can do by clicking on the certificate itself. Opening the certificate shows the entire trust chain, which proves whether a legitimate provider issued it. A careful check also confirms that the certificate was within its validity period and not revoked at the time of signing, and that the signature covers the current version of the document rather than an earlier revision.
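The two checks the article describes, the tamper check on the signed contents (the altered-invoice scenario above) and the trust-chain check on the signer's certificate, as an added example. This is not LawTrust's code or any PDF viewer's implementation; it is a self-contained illustration using Go's standard library with Ed25519 keys. The root CA, the "Acme Ltd signer" certificate, the rogue self-signed certificate and the invoice text are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed sample invoice for the demonstration; not a real document.
const invoice = "INVOICE 1001\nPay to: Acme Ltd\nBank account: 1234567890\nAmount: R5000"

var (
	ErrUntrustedSigner = errors.New("signer certificate does not chain to a trusted CA")
	ErrTampered        = errors.New("signature does not match content: document modified after signing")
)

// SignedDoc bundles the content with the signer's certificate and the signature,
// mirroring a signed PDF that carries the signing certificate inside the file.
type SignedDoc struct {
	Content []byte
	Sig     []byte
	Cert    *x509.Certificate
}

var serial int64 // simple unique serial numbers for the example certificates

// newCert issues a certificate for pub. With parent == nil it is self-signed
// (a root CA, or a rogue self-issued certificate); otherwise parentKey signs it.
func newCert(cn string, isCA bool, pub ed25519.PublicKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, error) {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Sign signs the exact bytes of the document and attaches the signer's certificate.
func Sign(content []byte, key ed25519.PrivateKey, cert *x509.Certificate) SignedDoc {
	return SignedDoc{Content: content, Sig: ed25519.Sign(key, content), Cert: cert}
}

// Verify performs the two checks: the signer's certificate must chain to a
// trusted root, and the signature must match the content byte for byte.
// The chain is checked first so a rogue signer is reported as untrusted even
// when its own signature is internally consistent.
func Verify(doc SignedDoc, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := doc.Cert.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedSigner, err)
	}
	pub, ok := doc.Cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, doc.Content, doc.Sig) {
		return ErrTampered
	}
	return nil
}

// Scenario builds a trusted CA, an accredited signer and a rogue self-signed
// signer, then returns the verification outcome for (1) the untouched invoice,
// (2) the invoice with the bank account altered after signing, and (3) the
// altered invoice re-signed by the rogue key.
func Scenario() (validErr, tamperedErr, rogueErr error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caCert, err := newCert("Trusted Root CA", true, caPub, nil, caKey)
	if err != nil {
		return err, err, err
	}
	signerPub, signerKey, _ := ed25519.GenerateKey(rand.Reader)
	signerCert, err := newCert("Acme Ltd signer", false, signerPub, caCert, caKey)
	if err != nil {
		return err, err, err
	}
	roguePub, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	rogueCert, err := newCert("Acme Ltd signer", false, roguePub, nil, rogueKey) // same name, no trusted issuer
	if err != nil {
		return err, err, err
	}

	roots := x509.NewCertPool()
	roots.AddCert(caCert)

	signed := Sign([]byte(invoice), signerKey, signerCert)
	validErr = Verify(signed, roots)

	// An intercepted invoice with the bank account swapped, signature left as-is.
	tampered := signed
	tampered.Content = []byte(strings.Replace(invoice, "1234567890", "9999999999", 1))
	tamperedErr = Verify(tampered, roots)

	// The attacker re-signs the altered invoice with their own self-signed certificate.
	rogueErr = Verify(Sign(tampered.Content, rogueKey, rogueCert), roots)
	return
}

func main() {
	v, t, r := Scenario()
	fmt.Println("untouched invoice:", v)
	fmt.Println("bank details changed after signing:", t)
	fmt.Println("re-signed by rogue self-signed certificate:", r)
}
```

The untouched invoice verifies; the altered one fails the signature check; the rogue-signed one fails the chain check even though its signature is self-consistent, which is why the certificate's trust chain must be checked and not just the signature's validity. A production verifier would also check revocation and the certificate's validity period at signing time, which this example omits.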

Digital signatures will become standard for businesses and individuals.

There will always be use cases where the standard hand-written signature will apply, and in many cases, it is still the easiest way to sign documents. However, in the business world and in a world where technological advancement is on the increase and where speed and trust of transactions are critical, there is no doubt that digital signatures will become the standard for business. Almost all the banks and large corporations have switched over or are in the process of switching over to digital signing. They will, in turn, require the same from their corporate customers and partners.

South Africa is also doing more and more international business, and with international travel being forced to a standstill due to COVID-19, for one thing, it is just not possible to get documents signed in the traditional ways. This requires that digital means be employed, and once the organisation initiates it, there is no reason to change back to old modalities.

Governments and regulators are already using the technology behind digital signatures and certificates to create health passes for those who have been vaccinated. The technology had been under consideration for regular travel, but the pandemic fast-tracked the use of secure, efficient, cost-effective, reliable, paperless e-passports.

Yes, there will always be use cases for the traditional way of signing, but those use cases will become fewer and fewer as digital signatures become the norm.