PoPI adds new dimension to data protection

The Protection of Personal Information Act gives you greater control over how your personal details are collected, stored and shared. reports

Saturday Star - - INSIGHT -

THE Protection of Personal Information (PoPI) Act has fundamentally altered how data must be managed in South Africa.

The 12-month grace period to comply with the PoPI Act has expired, and the legislation is being applied in the public and private sectors.

The purpose of the Act is to ensure that all institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another person’s or entity’s private information. It does this by holding institutions accountable if they abuse or compromise personal information, according to business management platform workpool.co.

The legislation regards your personal information as “precious goods”, and grants you certain rights of protection and the ability to control:

• When and how you share your personal information;

• The type and extent of the information you share;

• How your data is used (and to be notified if or when the data is compromised);

• How and where your information is stored; and

• Who can access your information.

You also have the right to have your personal data destroyed.

“Information” in this context is any information related to a data subject that can be used directly or indirectly to identify that person, according to Redstor, an international data management and security specialist firm.

However, some personal information on its own does not necessarily allow a third party to confirm or infer someone’s identity to the extent that this information can be used for other purposes. The combination of someone’s name and phone number and/or email address, for example, is far more significant than a name or phone number on its own. As such, the Act defines a “unique identifier” as data that “uniquely identifies that data subject in relation to that responsible party”.

Danie Marais, the founder and director of data-management platform Redstor, says the law not only covers people, but also “data subjects”, or any legal entity that has the right to have its information protected.

The PoPI Act is not unique to South African law. Many countries have similar legislation to protect the personal information of data subjects. This legislation includes rules and regulations that govern the international transfer and sharing of data.

The consensus seems to be that, apart from the unrealistic implementation period of one year and some practical implementation challenges, the PoPI Act is well thought out and borrows from the “best of” similar foreign laws, learning from their mistakes and shortcomings.

Marais says there are similarities between PoPI and the European General Data Protection Regulation (GDPR).

The GDPR was implemented by the European Parliament in April last year, and will take full effect after a two-year transition period that ends on May 25, 2018.

The GDPR requires organisations to ensure that they have taken steps to minimise the risk of data being leaked.

“In much the same way that the GDPR has established a framework for how organisations need to take technical and organisational measures to protect data, PoPI has been implemented to do precisely the same.

“From a South African perspective, amid ongoing cyber threats, the legislation forces organisations and businesses to take responsibility for the way they handle data, and this speaks to accountability, which is absolutely essential in today’s market,” Marais says.

Workpool.co says we live in an information age, and this places a responsibility on each of us to take care of and protect our information. Do not accuse someone else of sharing or compromising your personal information when you publish the same information on public services such as Facebook, LinkedIn and Google+.

Technology makes it easy to access, collect and process high volumes of data at high speeds. This information can be sold or used for other purposes. Data-protection laws protect your right to privacy and prevent your information from being abused.

sizwe.dlamini@inl.co.za
