How to implement POPI policies and what areas they must cover in your business.
The Protection of Personal Information Act 4 of 2013 (POPI) was signed into law on 19 November 2013, with certain sections already operational, and Pansy Tlakula was appointed as Information Regulator in December 2016. It has therefore become vital for businesses to get their affairs in order and ensure compliance with the strict provisions of this legislation.
As part of their POPI compliance, businesses must ensure that they comply with the Act's eight conditions for the lawful processing of personal information, which covers both individuals and juristic entities. This should be done in a manner that is transparent and takes into account:
1. What type of personal information the business is processing and for what purpose.
2. Why and how the personal information is being processed.
3. If the personal information is being shared, with whom it is being shared and what protection is afforded to the shared information.
A crucial part of a business’s ‘best practice’ in ensuring compliance with the POPI Act and the above conditions is to ensure that it adopts good POPI policies, procedures and practices.
It is important to understand that these policies are not merely internal employee policies governing how the business processes the personal information of its own employees. They are policies that establish the procedures and practices regulating how employees, and operators (a third party that processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party), process personal information, with the aim of protecting it.
Non-compliance with the POPI Act, by failing to operate under sound policies, practices and procedures for the protection of personal information, could see businesses fined by the Information Regulator (up to R10 million), and could even lead to jail sentences for the head of the company or the nominated Information Officer(s). These policies should therefore be actively implemented by the business. Where existing policies and procedures are already in place, the business should formulate a plan to integrate the POPI policies with them. Merely having the policies on file to satisfy a formality is not enough.
The POPI policies should be drafted to deal with specific areas such as:
1. Appropriate access to business internet resources and the acceptable use thereof.
2. Appropriate use of business email resources.
3. How to deal with remote access, laptops and other mobile storage devices.
4. Security and monitoring of data access and data transferring, user accounts and encryption.
5. Physical security to premises and access to business property.
6. Sufficient anti-virus software and supporting procedures.
7. Retention periods of personal information.
8. De-identification of personal information held on paper and in electronic form.
9. Risk management.
10. A disaster recovery policy that includes an active response to information breach incidents.
The above is not an exhaustive list – every business must identify its key risk areas and implement the appropriate policies in terms of POPI.
In the process of formulating, drafting or revising its POPI policies, the business must ensure that these policies:
• Are short and to the point.
• Take into account the business's own identified risks and needs.
• Are written in plain and understandable language.
• Are drafted in such a way that they are compatible with the organisation's structure, and are therefore more likely to be accepted and complied with.
• Are reasonable and appropriate.
• Are consistent and clear on what is permitted, what is not permitted, and the consequences of non-compliance.
• Identify the key role players involved in ensuring the successful implementation of each policy.
• Are kept up to date.
The business must ensure that the key role players involved in implementing particular policies and procedures are made fully aware of their roles and responsibilities and of what is expected of them. It is also important for the business to train all of its employees on compliance with the POPI Act and to make them aware of the consequences of non-compliance (disciplinary action up to and including termination). Employees are then better placed to understand the roles and responsibilities set out in the policies, which helps create a culture of compliance within the business.
ABOUT THE AUTHOR
Marike Brand obtained her LLB from the University of Stellenbosch and thereafter practised for 3 years as an admitted attorney in commercial civil litigation. She is a SEESA Consumer Protection & POPI Legal Advisor at the Cape Town office.