The recent proliferation of digital hacking and other associated forms of cybercrime has exponentially increased the need for the development of substantial and comprehensive data protection mechanisms in South Africa. The majority of modern South Africans conduct a plethora of personal and business transactions online which in-turn results in the continuous processing and storage of their sensitive and personal information by entities responsible for the processing of such information.
In response to the increased need for secure data protection the Protection of Personal Information Act (“POPI”) sets out the basic security safeguards required for the reasonable protection of personal information.
The importance of suitable security safeguards is emphasised through the inclusion of “Security Safeguards” as one of the 8 essential conditions prescribed by POPI for the responsible processing of personal information. The extent of the data protection requirements are set out at sections 19 to 22 of the Act.
Importantly, these sections require that a responsible party, meaning an entity which determines the purpose of and means for the processing of personal information, must always times maintain sufficient security measures to ensure that the integrity and confidentiality of personal information held and/or processed by it is protected. The responsible party must prevent the loss of, damage to, or unauthorised access to such personal information.
In giving effect to these requirements POPI, at section 19, requires the responsible party to ensure the presence of suitable measures to:
- Identify all reasonably foreseeable internal and external risks to personal information held by the entity;
- Establish and maintain appropriate safeguards against the risks identified above;
- Regularly review these measures to ensure that they are implemented effectively; and
- Ensure that these safeguards are consistently reviewed and updated where necessary to keep up to date with the ever-evolving risks associated with the storage and processing of personal information.
Not only does POPI place these requirements on the shoulders of the responsible party but, through the operation of section 20, also requires similar compliance by entities who have been instructed or authorised by a responsible party to process information on their behalf. These “operators”, as they are known under the Act, may only process personal information with the knowledge or authorisation of the responsible party and must treat such personal information as confidential. The responsible party remains responsible for the conduct of the operator in its treatment of the personal information. Section 21 of POPI requires that the responsible party, by way of a written agreement with the operator, ensures that the security measures implemented by the operator are sufficient and in-line with the requirements of section 19 mentioned above.
Finally, the security safeguards contained in POPI further require that a responsible party must, as soon as reasonably possible, notify certain parties, chiefly the Information Regulator, which is a body created by POPI to be specifically responsible for monitoring and enforcing compliance with the Act, and the affected individual, once it suspects that personal information has been accessed or acquired by an unauthorised entity. This notification must be provided to the Regulator and the data subject in writing and must contain sufficient information to allow the data subject to take sufficient protective measures.
The duty borne by a responsible party to adequately ensure the safety and integrity of personal information held and processed by it is a burdensome one. The gravity of this responsibility is further emphasised by the provisions of section 22(6) of the Act which gives the Information Regulator the power to order a responsible party to publicise the fact of a compromise to the integrity or confidentiality of personal information where such information had been unlawfully accessed or acquired. The Regulator will exercise this power where it believes that the publication may protect the data subject affected by a failure of the responsible party’s security safeguards.