Imminent Enactment of the Protection of Personal Information Act – POPI
Although an exact date for its enactment has not yet been given, the new Protection of Personal Information Act – POPI – will be on the statute books in the relatively near future, and any business organization that handles clients’ personal details must take notice of its terms or it could find itself subject to criminal prosecution.
POPI will bring South Africa into line with the most advanced European legislation already in force to protect personal information and is designed to prevent the use of client contact details or information for any purpose other than that for which it was originally submitted. For example, if I give my email address or my cell phone number at security, or details of my income, my health, my home or my hobbies and pastimes to an insurance or investment company, a medical aid group, an estate agency, a bond originator, a firm of attorneys, or any other body, those passing on information without my express consent will now be acting contrary to the provisions of the Act – even though I might personally have no objection to this process taking place.
A one year grace period to comply with POPI
South African companies and organizations are being given one year from the date of enactment to ensure compliance with POPI, and companies are advised to put systems in place to prevent the disclosure or dissemination of personal information. Implementation of an Information Security Management System (ISMS) that is certifiable in terms of the ISO27001 international standard for ISMSs is strongly recommended. Companies that handle personal information should employ a certificated auditor who is fully au fait with POPI and its implications, to ensure that any ISMS implemented will actually deliver compliance with POPI.
The information security challenges of cloud computing
One of the challenges in the coming year will be for the IT companies involved in server and web hosting, especially those offering cloud computing services, to develop systems that are genuinely fool-proof and “hack-proof”, so that the requirements of POPI are met both for them and for the companies that employ their services.
The clients of such IT companies will now want full reassurance that personal information stored on these servers is protected in terms of POPI. However, this will not be easy to achieve, and it probably means that companies that are strong on the IT side, and that use IT service providers running secure servers with a certified ISMS, will gain by being ahead of others in being able genuinely to guarantee confidentiality. It should be added that it may be difficult to comply with POPI for companies that make use of cloud services such as Dropbox, Google Drive or any other cloud solution where personal information is stored off-site, and possibly even internationally, on servers owned and managed by foreign companies not subject to POPI.
In the coming year it will be essential that the contracts drawn up by IT service providers be reviewed and updated by legal experts in the field of information security, to ensure that IT service providers do offer the full measure of protection that POPI requires. This is so because the personal information is not stored on the premises of the company liable in terms of POPI, but on the servers of the IT company. One’s own compliance with POPI will therefore depend on one’s IT service provider’s compliance with POPI.
The early bird still catches the worm
It is predicted that companies and law firms offering services to implement ISMSs, to ensure that companies are able to comply with POPI, and to ensure that such companies are contractually protected against non-compliance by IT service providers will find themselves very much in demand. Companies are therefore advised to start now in ensuring that systems are put in place and the necessary clauses are included in contracts so as to comply with POPI.
For more information or assistance contact Garth Watson