The Protection of Personal Information Bill 2009 (POPI or the Bill*) aims to bring South Africa in line with international data protection laws. The impact of this legislation will be far-reaching and will significantly affect the way companies collect, store and disseminate personal information. Members of our Information Law and Data Protection Group provide some insight into the implications of POPI in this series of Snapshots.

Previous Snapshots have highlighted that the Bill sets out eight conditions that responsible parties will need to consider for the processing of personal information to be lawful. This Snapshot considers the seventh and eighth conditions: Security Safeguards and Data Subject Participation.


A responsible party must secure the integrity and confidentiality of any personal information in its possession by implementing appropriate, reasonable technical and organisational measures to prevent loss, damage, and unauthorised and unlawful access to that information.

This condition specifically requires the responsible party to:

  • identify all reasonably foreseeable internal and external risks to the personal information;
  • establish and maintain "appropriate safeguards" against the risks identified;
  • regularly verify the effective implementation of the safeguards; and
  • ensure that the safeguards are up to date in response to new risks or deficiencies identified in previously implemented safeguards.

Generally accepted information security practices and procedures, as assessed across-the-board or in terms of specific industry or professional rules and regulations, will inform an assessment of compliance with this condition.

Processing by an operator

There may be instances when personal information under the control of a responsible party is processed by an 'operator' on behalf of the responsible party. This would include, for example, the outsourcing by a company of its payroll functions. It is the responsible party's duty to ensure that the operator complies with this condition.

The responsible party must:

  • enter into a written contract with the operator to ensure that the operator establishes and maintains the security measures that the responsible party has adopted in accordance with this condition.

The operator must:

  • process the personal information only with the knowledge or authorisation of the responsible party;
  • treat the personal information as confidential; and
  • notify the responsible party immediately when there are reasonable grounds to believe that the personal information has been accessed or acquired by an unauthorised person.

Notification of security compromises

A responsible party must notify the Information Regulator and the data subject (unless the identity of the data subject cannot be established) when there are reasonable grounds to believe that the personal information of that data subject has been accessed or acquired by an unauthorised person.

The notification must provide sufficient information to allow the data subject to mitigate against the potential consequences of the breach, including:

  • a description of the possible consequences of the compromise;
  • a description of the measures that the responsible party intends to take to address the compromise;
  • a recommendation of measures to be taken by the data subject; and
  • the identity of the unauthorised person who has accessed the personal information.


Right of access

The data subject has the right to request confirmation of whether or not the responsible party holds personal information about the data subject. Such a request is free of charge.

The data subject also has the right to request the record or a description of the personal information about the data subject being held by the responsible party, as well as information concerning the identity of all third parties who have had access to the personal information. Such a request may be subject to a prescribed fee.

The responsible party may or must refuse to disclose personal information to the data subject if grounds of refusal set out in the Promotion of Access to Information Act apply.

Right of correction

The data subject may request a responsible party to:

  • correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; and
  • delete or destroy personal information that the responsible party is no longer authorised to retain.

See clauses 19 to 25 of the Bill.


* The Bill has been adopted by the Portfolio Committee on Justice and Constitutional Development and by the National Assembly (NA). This Snapshot has been drafted using the latest version of the Bill as passed by the NA.

The Bill will now be referred to the National Council of Provinces for consideration and thereafter signed into law. It is anticipated that this process could take anything from one to six months. The Bill provides for a one-year grace period before POPI's provisions become effective.
