Many business owners remain oblivious to the purpose of the Protection of Personal Information (POPI) Act, 4 of 2013. If asked, these corporate bodies may admit to having only a partially defined data protection plan in the workplace. Countless more business owners have yet to learn of the Act’s existence. A number of incidents in recent memory have highlighted data security as an ever-growing concern and reiterated the need for upgraded information control measures in the workplace. We will discuss a few of these below.
One of the largest data breaches recorded in South Africa to date has been traced to a Web server registered to the real estate company, Jigsaw Holdings. Sloppy security measures were identified as the reason the private records of more than 60 million South Africans were so easy to access. The Information Regulator’s chairperson, Pansy Tlakula, admitted at the time that this breach had jeopardised the country’s credibility, given that an Act had been drawn up in order to improve personal data security (yet at the time of the release of said statement, the Act was not yet in operation). In the absence of the operation of the POPI Act, the only option available to any individual who suffered damage due to the release of this data would have been to sue for damages under common law.
Early in April of 2018, Facebook CEO Mark Zuckerberg addressed a widespread Facebook data breach: an app called “this is your digital life”, built by Cambridge University academic Aleksandr Kogan, is estimated to have harvested the personal information of more than 87 million Facebook users.
This breach occurred as follows: the users paid a fee in order to take a personality test. These users consented to have the app collect their data. What they didn’t know was that the app could access the information of these users’ Facebook friends. The information harvested was subsequently sold to Cambridge Analytica.
According to a whistle-blower of the company, the information harvested was used to predict voting patterns.
South Africa’s Information Regulator had written to Facebook in order to establish the extent of the breach, and instructed that any affected South Africans be contacted by Facebook so that “proactive measures” could be taken to address the repercussions that followed said breach.
With an estimated 60 000 South African Facebook users who may have been affected by this breach, there is now increasing concern regarding access to personal information by means of online sources, especially by those conducting business via social media apps like Facebook. Small and large business owners alike are advised to bear in mind sections from Chapter 8 of the Electronic Communications and Transactions Act (ECTA).
Chapter 8 of ECTA applies to all personal information that has been obtained electronically. It expressly states that:
(1) A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.
(2) A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.
(3) The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.
(4) The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject unless he or she is permitted or required to do so by law.
Businesses need to consider adopting new precautions to minimise data leaks. The transfer of data within organisations ought to be minimised. This may include banning the transfer of data from the company system onto an external device unless authorised by management to do so. Companies should implement automated security measures. Employers should counsel employees to enable them to identify suspicious network activity, as well as encourage employees to minimise downloads, including downloads from social media sources.
About the author:
Meggan Watson is a Labour, Consumer Protection and POPI Legal Advisor at SEESA, Port Elizabeth, and has been working for the company since 2015.

