TECH REVIVAL, because of the role it fulfils as collator and custodian of sensitive personal information which includes, information relating to identity, race, gender, age, identifying number, e-mail address, telephone number etc. has a legal and moral responsibility to its clients to ensure that all the staff of TECH REVIVAL:
obtain and process personal information fairly; and
keep it only for a specified and explicit lawful purpose; and
process it only in ways compatible with the purposes for which it was given initially; and
keep personal data safe, confidential and secure; and
keep data accurate, complete and up-to-date; and
retain it for a period no longer than is necessary for the specified purpose; and
provide a copy of a clients’ personal information to that client, on request.
The introduction of the Protection of Personal Information Act (“POPIA”) further strengthens the need to ensure confidentiality of personal information. The POPIA is an important legal reform, creating a regime of consumer protection that has become essential in the information age. It is data protection legislation intended to protect the personal information of individuals held by third-parties. The legislation centers on a set of “information protection principles” which flesh out a general and higher-level requirement that personal information must be processed lawfully and in a reasonable manner that does not infringe on the privacy of the data subject.
Three important concepts are defined in the Act namely:
‘data subject’ means, according to the definitions in Section 1, the person to whom personal information relates. While the data subject is the principal right-holder under the POPIA, the principal duty-bearer is termed the “responsible party”, defined as “the public or private body or any other entity which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.
“personal information” means information about a person’s race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language, education, medical information, financial information, criminal or employment history, an identifying number, e-mail address, physical address, telephone number, blood type, biometric information, personal opinions, views or preferences of a person; correspondence of a private or confidential nature; and the name of the person if it appears with other personal information relating to the person.
“process” meaning collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation, use, dissemination, distribution, merging, linking, blocking, degradation, erasure or destruction of information.
POPIA requires that an Information Protection Officer be appointed. , an employee within the company will assume the duties of the Information Protection Officer for the company where the responsibilities are defined in the Act as:
each responsible party must ensure that there are, within that body, one or more information protection officers whose responsibilities include –
Information protection principles contained in POPIA can be summarised as follows:
It is therefore essential that all TECH REVIVAL employees working with the personal information of all clients must be educated on the principles of POPIA and how to
- deal with requests by any person regarding enquiries regarding “data subject”. The golden rule should be not to disclose any information to any person if you are not convinced it is correct to do so. In such an instance, the request should be forwarded to the Information Protection Officer.
- Security measures regarding the protection of employee information must be reviewed in order to ensure the safe keeping of information
The purpose of this Policy is to provide guidelines to assist employees to ensure that PI in their possession is kept safe and secure and that TECH REVIVAL therefore meets all legal responsibilities.
This section of the Policy sets out guidelines in a number of specific areas where particular attention should be paid in order to help protect the confidentiality of PI held by the company.
Passwords used to access PC’s, applications and databases should be of sufficient strength to deter password cracking or guessing attacks. A password should include numbers, symbols, upper and lowercase letters. If possible, password length should be around 12 to 14 characters but at the very minimum of 8 characters. Passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates must be avoided. The Protection Information Officer is responsible to ensure that passwords are changed on a regular basis and that an audit trail is received which highlights non-compliance.
Contractors, temporary staff, consultants and external service providers employed by TECH REVIVAL should be subject to strict procedures with regard to accessing PI. This must be by way of a formal contract which includes the necessary confidentiality clauses and ensures that such parties will undertake and adhere to similar requirements as set out in this Policy to ensure the confidentiality of PI.
Procedures should be put in place in relation to disposal of client files (both paper and electronic) containing PI. Paper with PI must be shredded and the Protection Information Officer must ensure that adequate shredders are available. Further, procedures should also be put in place in relation to the secure disposal of computer equipment (especially storage media) at end-of-life.
The following guidelines should be followed with regard to PI data held on paper files: –
All staff members of TECH REVIVAL are required to take extreme care when using email in particular:
Standard unencrypted email should never be used to transmit any PI. Staff members that have to use e-mail to transfer such data must ensure that PI is encrypted either through file encryption, the use of a secure e-mail facility which will encrypt the data (including any attachments) being sent or at the very least, robust passwords. The default option should always be to utilise the strongest encryption methods available. Employees should ensure that e-mails contained PI is sent only to the intended recipient.
Due to the fact that a large amount of work performed at the premises of clients, the TECH REVIVAL staff should be able to access servers and databases remotely. This brings its own challenges in relation to data security which TECH REVIVAL must address. With regard to PI, the following guidelines should be adhered to:
In the first instance, all PI held electronically should be stored centrally on the server. Data that is accessible by remote access should not be copied to employee’s PC’s or to portable storage devices, such as laptops, memory sticks and external hard drives that may be stolen or lost.
TECH REVIVAL must ensure that only known machines configured appropriately to the Company’s standards (for example with up-to-date anti-virus and anti-spyware software and full encryption), are allowed to remotely access centrally held PI. Authorization for remote access must be furnished by the Protection Information Officer. The strongest encryption methods available should be used to encrypt data on these machines.
LAPTOPS AND OTHER MOBILE STORAGE DEVICES
(Including USB memory sticks and external hard drives)
The use of laptops, USB memory sticks and other portable or removable storage devices has increased substantially in the last number of years. Likewise, the use of mobile phones to access and send e-mails has also increased. These devices are useful business tools however they are highly susceptible to loss or theft and often contain inferior security protection. Concomitantly, to protect the content held on these devices, the following recommendations should be followed:
All portable devices should be password-protected to prevent unauthorized use of the device and access to PI held on the device. In the case of mobile phones, both a PIN and login password should be used. Manufacturer or operator-provided PIN codes must be changed from the default setting by the user on receipt of the device.
PI should not be stored on portable devices. In cases where this is unavoidable, all devices containing this type of data must be encrypted and password protected. With regard to laptops, full disk encryption must be employed regardless of the type of data stored.
Portable devices should never be left in an unattended vehicle. Further, a policy must be introduced and strictly adhered to that if a member of staff is going out after work and the laptop will have to be kept in the car, then the laptop must be locked in a secure place in the TECH REVIVAL’s office overnight.
DATA TRANSFERS OF PERSONAL INFORMATION
Data Transfers are a daily business requirement when transferring PI. Such transfers should take place only where absolutely necessary and employing the most secure channel available. To support this, all TECH REVIVAL staff must adhere to the following:
The acknowledgement procedures on receipt of the PI.
The length of time the information will be retained by the third party;
Confirmation from the third party that the security, confidentiality and storage of the PI will be handled to the same level of controls that TECH REVIVAL would apply to that category of information. Confirmation is also required clearly identifying the point at which the third party will take over responsibility for protecting the data.
REQUEST FOR ACCESS TO PERSONAL INFORMATION
Section 22 of the POPIA states that a data subject may request a responsible party to confirm that they are holding PI about the data subject and may obtain a description of that information and details about who has had access to it. Where such a request is received, the matter must be referred to the Information Protection Officer who will ensure that the correct procedures are adopted.
Section 23 of the POPIA, provides for a right to request correction of personal information held by a responsible party if it is inaccurate, incomplete, misleading, out of date, and obtained unlawfully, irrelevant or excessive. Where such a request is received, the matter must be referred to the Information Protection Officer who will ensure that the correct procedures are adopted.
APPROPRIATE ACCESS AND AUDIT TRAIL MONITORING
TECH REVIVAL have an obligation to keep information safe and secure and have appropriate measures in place to prevent unauthorized access to, or alteration, disclosure or destruction of, the PI and against their accidental loss or destruction. It is imperative therefore, that TECH REVIVAL have security in place to ensure that only those staff members with a business need to access particular PI are allowed to access the data. In addition to this general requirement, the following guidelines should be adopted:
In order to capture instances of inappropriate access (whether internal or external), addition, deletion and editing of data, audit trails should be used.
For the first time, South Africans will have their constitutional right to the privacy of their PI enforced. POPIA will bring South Africa in line with international data protection laws and at the same time, will protect PI collected and processed by public and private organisations.
PI privacy presents a growing challenge and TECH REVIVAL must adapt and comply with complex international laws on how they handle such information. POPIA requires TECH REVIVAL to establish appropriate policies and procedures to protect the various forms of data that are part of their business operations.
It is almost impossible to anticipate all eventualities and possibilities but strict adherence to this Policy together with heightened awareness of all TECH REVIVAL staff will ensure that the company not only complies with the relevant legislation but ultimately, safeguards the PI entrusted to it by TECH REVIVAL’s clients.