
Demystifying privacy

A guide compiled by the Information Security Group of Africa aims to cast light on the perplexing topic of privacy.

By Anthony Olivier, MD of Performanta Consulting and a member of the ISG Africa management team.
Johannesburg, 09 Sep 2011

Privacy is a confusing topic. Firstly, there's the question of what privacy is considered to be; and if that seems obvious, consider the degree to which people willingly allow technology - and social media - to erode it.

While the press often reports on companies losing personal information, Internet fraud investigators assure me that most investigations show people unwittingly give their information away, and then deny it when money is lost.

People want privacy when they want it - and they want to be able to ignore it in the interests of simplicity when they don't - none of which simplifies the task of those who have to protect it.

Complicated

One would think this is easily regulated but, as anyone familiar with the space will explain, it's not. Government has made a start by passing the Protection of Personal Information (POPI) Bill and overcoming the following hurdles to date:

* The investigation, approved by The South African Law Reform Commission (SALRC), commenced in 2000;
* By 2005, an issue paper and a draft Bill had been published for public comment; and
* A subsequent draft was submitted to the minister of justice in 2009, and in August, the POPI Bill was approved by Cabinet.

POPI has been looming for a while now - judging by the content of the Bill it will be a complex effort to adequately address in any company. Aside from the scale of the exercise, it is at the intersection of related bodies of legislation, including the Constitution, the Promotion of Access to Information Act, the Electronic Communications and Transactions Act, the Consumer Protection Act, and the Regulation of Interception of Communications Act.

It is clear that only the foolish would attempt to implement the requirements of the Bill without advice - and already corporates are paying consultants for frameworks and insights. The consultants are very aware of this demand - note how they are building their legal capacity through both growth and acquisition. All of which is fine for those companies that have the budget to throw at the problem, but not ideal for the greater mass of companies that will be obliged to comply while not having deep pockets. There's a gap for advisory assistance on a budget - and the Information Security Group of Africa (ISGA), a non-profit company, established in 2005, is stepping into the breach.

Priceless

For a year, ISGAfrica has been undergoing a minor revolution, aimed at providing meaningful services to its community. ISGA runs a number of special interest groups (SIGs) focusing on topical issues, with the intent of producing valuable material - and the first of these, focused on privacy, is about to be released.

Entitled “Revealing Privacy in South Africa: What You Need to Know”, it's a 90-page guide that positions the concept of privacy, covers the various bodies of legislation, describes POPI in some detail, and then gives consideration to implementation.

This is where the guide begins to add value: rather than discussing general principles, it specifically targets implications for specific industries, with various sections devoted to:

* The financial and insurance sector
* The healthcare sector
* The ICT industry
* The South African public sector

Moreover, it gives consideration to business units that will be most affected, specifically:

* Legal and regulatory
* Governance, risk and compliance
* Information technology
* Human resources development and training
* Procurement services, vendor and third-party management
* Marketing
* Product and service development

In addition, it discusses nine acts apart from POPI that currently require the protection of personal information. The document also unpacks the eight principles of POPI, and relates them to key controls that organisations would need to consider. There is also an emphasis on fostering an information protection culture to help employees change their behaviour to be in line with the new protection controls and procedures defined by the organisation.

The team could consider a scope this broad because of the number of willing participants. Overseen by Dr Adele Veiga, 20 parties contributed to the content, while Deloitte and Touche and Legate ICT Consulting performed the legal review of the content. So while addressing the specific requirements of both particular industries and the needs of individual departments, it is underpinned by an academic understanding of the legislative environment and a practical sense of how to implement this in the real world.

Of course, there is real value to a document of this nature - something ISGA appreciates will be of benefit to South African firms embarking on the journey to implement POPI. As a free document, it makes a meaningful contribution to improving privacy in South Africa.

Copies of the document are obtainable from ISGA at http://www.isgafrica.org/ or from craig@isgafrica.org.
