“I have an advisory business serving private and corporate clients. Our client information is stored on a central server in our offices. I have been advised to review our data security due to the growing risk of being hacked and the requirements of POPI to protect the personal information of my clients. What does POPI require of me in this regard?”
The Protection of Personal Information Act 4 of 2013 (“POPI”) aligns South Africa with the international position in respect of information and data protection. Although POPI has not yet fully come into operation, it is only a matter of time before it does.
An important aim of POPI is to protect persons from suffering damage and harm by requiring entities and persons who receive our personal information to protect such information. POPI therefore places an important responsibility on parties who collect, store, use and destroy personal information (“responsible parties”) and provides rights and remedies to persons whose rights have been infringed (“data subjects”).
POPI obliges responsible parties to ensure the integrity and confidentiality of personal information in their possession. Data security is promoted by appropriate and reasonable technical (electronic) and organisational (physical) measures to prevent the loss of, damage to, unauthorised destruction of, unlawful access to and/or the unlawful processing of personal information. It is important to understand that data security is not restricted to personal information that is processed electronically (technical). Even physical records containing personal information of data subjects (organisational) may need to be secured.
Information security breaches in the modern business environment may occur through various means, including theft, deliberate attacks on electronic systems, unauthorised use of personal information of data subjects by an employee, accidental loss or even equipment failure. Although POPI does not specify the technical requirements that must be met, it will be the responsibility of each responsible party to ensure that they have the necessary and appropriate technical and organisational measures in place to protect data.
In the event that a responsible party’s data security safeguards are compromised and unauthorised access to personal information ensues, responsible parties will be required to notify the Information Regulator as well as the affected data subjects as soon as is reasonably possible after the discovery of the compromise. The notice will also have to contain sufficient information for data subjects to adequately protect themselves against any potential consequences of the compromise in data security.
A responsible party will also have to contain the breach, aim to recover any compromised data (if possible), assess the risks associated with the breach, including the potential harm for data subjects and conduct an investigation into the cause of the breach and the effectiveness of the response thereto.
Responsible parties will therefore carry an extensive burden in terms of POPI in respect of their network and data security and it would be advisable to enlist the help of a technical expert or POPI specialist to review your current data security systems and develop the necessary security plans and procedures for your business.