Social Media & Defamation - Part 3

Tourism Tattler

We've all heard the saying: ‘The future is bright, or is it just the lights of an oncoming train?’ Likewise, with all the alarmist comments about POPI (the Protection of Personal Information Act, Act 4 of 2013) being bandied about of late, I ask myself: are they alarm bells, or has Xmas come early?

Let's be honest, POPI has effectively been around for 8 years (the Bill was issued in 2009), so why these sudden noises of Armageddon? What makes it even more perplexing is that not much has changed in terms of content over this period, during which a myriad of articles have been written and workshops conducted.

So let's get to the point: the regulations were issued for comment recently and, based on the content, I believe it is cause for celebration rather than alarm – in fact, in terms of POPI, Xmas has come early! The reason for this observation is that the regulations spell out the duties of the Information Officer (‘IO’, referred to in the ‘early days’ as the Information Protection Officer) to be appointed by each entity that is subject to POPI. The bottom line is that the appointee must ensure compliance with POPI by the entity.

Clearly, that is easier said than done: as the saying goes, ‘Doing the right things is easy – the challenge is to know what the right thing is!’ Likewise, appointing an IO is easy, but the question is: who is the right person? More about that at the end of this article; first I will look at the duties ascribed to the IO (the numbers in brackets are the sections in POPI).

‘Compliance framework’ – this would be the broad canvas incorporating how the entity will meet the 8 conditions prescribed by POPI, namely accountability (1), one element of which is the appointment of the IO; processing limitation (2 & 4); purpose specification (3); information quality (5); openness (6); security safeguards (7) and the data subject (i.e. the person to whom the personal information [‘PI’] pertains); and in addition the issues of direct marketing and spam (69 – 71).

‘Adequate measures’ – this would entail a business plan addressing the compliance strategy (‘lawful processing’) as well as the brand issue, i.e. how to deal with any transgressions given the serious nature of, especially, security breaches –

‘Global hospitality firm Hilton has been ordered to pay a $700,000 penalty for failing to disclose two separate payment card data breaches promptly enough.’ (TravelMole, Saturday, October 04 2017).

‘A recent study by Wolfpack Information Risk found South Africa's annual loss resulting from cybercrime in three sectors to be R2.65 billion.’ (Polity, September 16, 2014).

More than 3.6 billion data records have been exposed since 2013. In 2015, 58% of breaches were attributed to ‘malicious outsiders’ and, of these, 53% involved identity theft. (Business Traveler, April 2016)

‘Preliminary assessment’ – once appointed, the IO will have to carry out a detailed assessment addressing, inter alia: the nature and frequency of PI handled by the entity; the employees and third parties involved; how long such information is traditionally stored and shared with third parties; current levels of IT (Information Technology) security; whether direct marketing is done and how; cross-border business; and statutes pertaining to the entity that prescribe terms for information retention (and therefore exceptions) – essentially, what will have to be carried out is some form of ‘gap analysis’.

‘PAIA (Promotion of Access to Information Act, Act 2 of 2002) manual’ – as we are, or should all be, aware, this is a pervasive requirement (applicable to all entities), but the good news is that in preparing this document many of the POPI requirements are met simultaneously. Over and above the PAIA requirements, the manual must now address the following POPI aspects: purpose of processing; categories of data subjects, information and recipients thereof; transborder flow of PI; and information security.

‘Transborder information flow’ (20 & 21) – if PI is exchanged or shared across international borders, POPI contains very specific compliance parameters, and one of the duties of the IO will be to earmark and ring-fence these and, in the process, to review all agreements with such transborder third parties as well as the privacy legislation applicable in the country where the third party is located.

‘Security measures’ – these pertain mainly, but not only, to IT (see ‘Adequate measures’ above). Apparently mundane issues such as employment contracts, cell phones on the premises, personal laptops and social media (and the terms and conditions applicable to these) will all need to be addressed, and one would imagine this will require an in-depth review of related policies, or the lack thereof, in each entity.

‘Internal measures’ – this has been addressed to a large extent above (see ‘Compliance framework’), but here it concerns access to, or requests for, PI.

‘Awareness sessions’ – similar to the duties prescribed under the CPA (Act 68 of 2008) by the Consumer Goods & Services Ombudsman (‘CGSO’), i.e. ‘Ensure that the relevant staff and agents in their business have adequate knowledge of the CPA and the Regulations issued thereunder, including the Code and their own internal complaints-handling procedure.’

The appointment and qualifications of the IO – as mentioned above, the challenge is to find and appoint the right person! POPI defines the IO (in the case of a private as opposed to a public body) as ‘the head of the private body as contemplated in section 1 of PAIA’, i.e.:
• a natural person: that person or any person duly authorised by that natural person;
• a partnership: any partner or duly authorised person; and
• a juristic person: the chief executive officer, equivalent, acting officer or duly authorised officer.

POPI makes provision for the appointment of deputies (‘… a number … as is necessary to perform the duties and responsibilities …’) of the IO. There are no terms of reference as such, but clearly the following would be advisable, if not prerequisites:
• an in-depth knowledge of POPI, PAIA and the CPA;
• familiarity with corporate governance, the various reports of the King Commission and international trends;
• training as a lawyer or accountant.
