Many business owners remain oblivious to the purpose of the Protection of Personal Information (POPI) Act. If asked, these corporate bodies may admit to having only a partially defined data protection plan in the workplace. Countless more business owners have yet to learn of the POPI Act’s existence. Recent events have highlighted data security as an ever-growing concern and reiterated the need for upgraded information control measures in the workplace.
The largest data breach to be recorded in South Africa to date has been traced to a web server registered to the real estate company, Jigsaw Holdings. Sloppy security measures were identified as the reason the private records of more than 60 million South Africans were so easily accessible. The Information Regulator’s chairperson, Pansy Tlakula, admitted that this breach has jeopardised the country’s credibility, given the fact that an Act has been drawn up in order to improve personal data security, yet this Act remains inoperative. In the absence of the operation of the POPI Act, the only option available to any individual who suffers damage due to the release of this data would be to sue for damages under common law.
The Facebook data breach in context
Earlier this month, Facebook CEO Mark Zuckerberg addressed a widespread Facebook data breach. An app called thisisyourdigitallife, built by Cambridge University academic Aleksandr Kogan, is estimated to have harvested the personal information of more than 87 million Facebook users.
This breach occurred as follows: the users paid a fee in order to take a personality test. These users consented to have the app collect their data. What they didn’t know was that the app could access the information of these users’ Facebook friends. The information harvested was subsequently sold to Cambridge Analytica.
According to a whistle-blower from the company, the information harvested was used to predict voting patterns.
South Africa’s Information Regulator has written to Facebook in order to establish the extent of the breach, and instructed that affected South Africans be contacted by Facebook so that “pro-active measures” could be taken to address the repercussions that follow the breach.
As there are an estimated 60 000 South African Facebook users who may have been affected by this breach, there is now increasing concern regarding access to personal information by means of online sources, especially by those conducting business via social media apps like Facebook. Small and large business owners alike are advised to bear in mind sections from Chapter 8 of the Electronic Communications and Transactions Act (ECTA).
The ECTA and data breaches
Chapter 8 of ECTA applies to all personal information that has been obtained electronically. It expressly states that:
- The data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.
- A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.
- The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.
- The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.
How can businesses protect themselves?
Businesses need to consider adopting new precautions to minimise data leaks. The transfer of data within organisations ought to be minimised. This may include banning the transfer of data from the company system onto an external device unless authorised by management to do so. Companies should implement automated security measures. Employers should counsel employees to enable them to identify suspicious network activity, as well as encourage employees to minimise downloads, including downloads from social media sources.
ABOUT THE AUTHOR:
Meggan Watson is a SEESA Labour, Consumer Protection and POPI Legal Advisor at our Port Elizabeth office. Prior to joining SEESA in 2015, she completed her Articles of Clerkship in Bloemfontein.