POPI REGULATIONS – ALARM BELLS OR XMAS BELLS?
We’ve all heard the saying: ‘The future is bright or it is just the lights of an oncoming train?’ Likewise, with all the alarmist comments about POPI (The Protection of Personal Information Act, Act 4 of 2013) being bandied about of late, I ask myself: are they alarms bells or has Xmas come early?
Let’s be honest, POPI has effectively been around for 8 years (The Bill was issued in 2009) so why these sudden noises of Armageddon? What makes it even more perplexing is that not much has changed in terms of content over this period during which a myriad of articles have been written and workshops conducted.
So let’s get to the point: the regulations were issued for comment recently and based on the content, I believe it is cause for celebration rather than alarm – in fact in terms of POPI Xmas has come early! The reason for this observation is that the regulations spell out the duties of the Information Officer (‘IO’ – Referred to in the ‘early days’ as the Information Protection Officer) to be appointed by each entity that is subject to POPI. The bottom line is that the appointee must ensure compliance with POPI by the entity.
Clearly, that is easier said than done: as the saying goes ‘Doing the right things is easy – the challenge is to know what the right thing is!’ Likewise appointing an IO is easy but the question is: who is the right person? More about that at the end of this article and first I will look at the duties ascribed to the IO (The numbers in brackets are the sections in POPI).
‘Compliance framework’ – this would be the broad canvass incorporating how the entity will meet the 8 conditions prescribed by POPI namely accountability (1): one of which is the appointment of the IO; process limitation (2&4); purpose specification (3); information quality (5); openness (6); security safeguards (7) and data subject (i.e. the person to whom the personal information [‘PI’] pertains) and in addition the issues of direct marketing and Spam (69 – 71).
‘Adequate measures’ – this would entail a business plan addressing the compliance strategy (‘lawful processing’) as well as the brand issue i.e. how to deal with any transgressions given the serious nature of, especially security breaches –
‘Global hospitality firm Hilton has been ordered to pay a $700,000 penalty for failing to disclose two separate payment card data breaches promptly enough.’ (TravelMole Saturday, October 04 2017).
‘A recent study by Wolfpack Information Risk found South Africa’s annual loss resulting from cybercrime in three sectors to be R2.65 billion.’ (Polity September 16, 2014) .
More than 3.6 billion data records have been exposed since 2013.
2015: 58% is ‘malicious outsiders’ & of this 53% is identity theft.
(Business Traveler April 2016)
‘Preliminary Assessment’ – once appointed, the IO will have to carry out a detailed assessment addressing inter alia what is the nature and frequency of PI handled by the entity; employees and third parties involved; how long is such information traditionally stored and shared with third parties; current levels of IT (Information Technology) security and whether direct marketing is done and how; cross border business; statutes pertaining to the entity that prescribes terms for information retention (and therefore exceptions) – essentially what will have to be carried out is some form of ‘GAP Analysis’
‘PAIA (Promotion of Access to Information Act, Act 2 of 2002’) manual’ – as we are/should all be aware this is a pervasive requirement (applicable to all entities) but the good news is that in preparing this document, many of the POPI requirements are met simultaneously – over and above the PAIA requirements, the manual must now address the following POPI aspects: purpose of processing; categories of data subjects, information and recipients thereof; transborder flow of PI and information security.
‘Transborder information flow’ (20 & 21) – if PI is exchanged or shared across international borders POPI contains very specific compliance parameters and one of the duties of the IO will be to earmark and ring-fence these and in the process to review all agreements with such transborder third parties as well as the privacy legislation applicable in the country where the third party is located.
‘Security measures’ – these pertain mainly, but not only, to IT (See ‘Adequate Measures’ above). Very apparently mundane issues such as employment contracts, cell phones on the premises, personal laptops and social media (and the terms and conditions applicable to these) will all need to be addressed and one would imagine this will require an in-depth review of related policies or lack thereof in each entity.
‘Internal measures’ – this has been addressed to a large extent above (See ‘Compliance framework’) but here it addresses the access to or request for PI.
‘Awareness sessions’ – similar to the duties of the CPA (‘Act 68 of 2008’) Consumer, Goods & Services Ombudsman (‘CGSO’) i.e. ‘Ensure that the relevant staff and agents in their business have adequate knowledge of the CPA and the Regulations issued thereunder, including the Code and their own internal complaints-handling procedure.’
The appointment and qualifications of the IO – as mentioned above the challenge is to find and appoint the right person! POPI defines the IO (in the case of a private as opposed to a public body) as ‘the head of the private body as contemplated in section 1 of PAIA’ i.e. • a natural person: that person or any person duly authorised by that natural person; • a partnership: any partner or duly authorised person; and • a juristic person: the chief executive officer, equivalent, acting officer or duly authorised officer.
POPI makes provision for the appointment of deputies (‘… a number … as is necessary to perform the duties and responsibilities..’) of the IO.
There are no terms of reference as such but clearly, the following would be advisable if not prerequisites: • An in-depth knowledge of POPI, PAIA and the CPA; • Familiarity with corporate governance, the various reports of the King Commission and international trends; • Training as a lawyer or accountant.
Disclaimer: This article is intended to provide a brief overview of legal matters pertaining to the tourism industry and is not intended as legal advice. © Adv Louis Nel, ‘Louis The Lawyer’, November 2017.
