Subscribe
About

POPI: where the law meets IT security

By Clare Matthes, Deputy editor at iWeek.
Johannesburg, 31 Jan 2014

South African companies will soon have to fall in line with the strict provisions of the Protection of Personal Information (POPI) Act, which regulates how they handle, store and secure personal information, or face substantial penalties.

The POPI Act was signed into law by president Jacob Zuma in November last year, but a commencement date is yet to be announced.

Speaking at a conference hosted by the Gauteng Chapter of the International Information Systems Security Certification Consortium, in Sandton yesterday, IT law consultant Prof David Taylor drilled into parts of the legislation specifically dealing with the safeguarding of personal information and the security measures required to do this.

He explained that POPI deals with privacy and the requirements and conditions needed to properly handle personal information, meaning any information that can be used to identify an individual, whether it be a natural human being or a juristic person.

"If you process information," said Taylor, "and I don't mean in IT terms, I mean in legal terms - if you're going to handle this information, whether it be customers', suppliers', employees' information and that information is released or accessed in an unauthorised way, then you could be seen to be in breach of the legislation. You need to meet those conditions."

Notification of compromise

Section 22, subsection (1) of the Act states: "Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify:

(a) the regulator; and
(b) the data subject, unless the identity of such data subject cannot be established.

"The noti?cation referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system.

"Remember, you might be a responsible party. That is the person that takes responsibility for that data, or you may be a processor, a subcontractor or supplier, so this notice of security compromise can apply to both those organisations. It's a contractual relationship," said Taylor.

He explained that the legislation is clear - where there are reasonable grounds to believe personal information has been accessed or acquired by any unauthorised person or party, steps need to be followed.

"How well does your configuration management database work? If someone is fired and they're still accessing your data, are they authorised?"

He noted that Section 22 of Act explains the manner in which to proceed with notification, once a breach has been established and the individual needs to be informed of what consequences may occur and guided on how to mitigate the situation from their side.

Taylor pointed out that merely writing a letter and claiming all steps were taking to notify an individual of a breach is also unacceptable. "The regulator will investigate whether you exhausted all your resources to advise and inform the individual of the breach."

A typical South African attitude is to pretend nothing has happened, he said. "But you will be found out. Do you really think those credit card details you lost won't be up for sale on the Internet? And then the regulator will be after you.

"So any attempt to simply fill the formalities is not enough."

While a company only has to make an effort to notify if information was accessed by an unauthorised party, the distinction between authorised or unauthorised can be blurry, Taylor warned. He added that access to information is still gained all too often and, if the information is strictly personal, then permission needs to be given by the individual to distribute it, or it needs to be encrypted or disposed of.

Authorisation

Taylor explained that a distinction needs to be made between actual authority granted to access information, which can be express, implied or usual conduct, and ostensible authority.

Ostensible authority is no authority at all, as it's more about creating an impression of authority; for example, a person who still has access to company e-mails and correspondence via that e-mail address is creating an impression that they still work for the company, he said. It is a company's responsibility to make sure clients know that an employee no longer works there, or the company can be held liable.

Authorised and unauthorised access can, therefore, be deduced from the circumstances, he noted.

Situations regarding the breaching of data will have to be looked at individually to establish whether there was malicious intent to access that information, or if it was a mere mistake on an employee's part.

"Answers here are not straightforward - companies will have to answer these for themselves. The more crucial question, however, is liability. Are you going to be held liable for the behaviour of that individual?

"As the security professional in that company, is your head going to roll, because you didn't put the proper measures into place?"

Taylor explained that in law, an employer will be held responsible, because they have allowed access of information they were supposed to hold safe, whether an employee was merely innocent or negligent.

In contrast though, if a company has indeed taken all the necessary steps to secure information and employees manage to acquire that information and sell it, the company might be in breach of the POPI Act, but will not be held liable, he said.

According to the Act, contravening POPI's provisions could incur possible prison terms and fines of up to R10 million. The Act also allows individuals to institute civil claims.

Share