How does COVID-19 impact on privacy?
The COVID-19 impact on privacy is starting to be felt with contact tracing and managing physical access to offices, stores and restuarants based on health information. This is what the Information Regulator has to say ... Media Statement: COVID-19 Guidance Note, 03 Apr 2020 The Information Regulator (Regulator) has issued a Guidance Note on the processing ( e.g. collection, receipt, usage) of personal information of data subjects ( owner’s of personal information) in [...]
Prior Authorisation: what is it, when must you apply, and what are the penalties
Quick Guide There was a grace period on Section 58(2) which ended on 1 Feb 2022. This grace period allowed you to continue processing while your application for prior authorisation was in progress. From now on, you will have to suspend processing while you wait for your authorisation decision under threat of penalty (see below for details).REF: Notice in terms of the commencement date of section 58(2), 18 June [...]
Big news for POPI
The presidency has announced that most sections of the POPI Act will commence on 1 July 2020. This long awaited announcement means that the 1 year grace period to achieve compliance will start on 1 July and that organisations will need to achieve compliance by 1 July 2021. The Act does make provision for extending the grace period, but there is no indication that it will be extended at this [...]
Regulator publishes regulations
The Information Regulator has published Regulations for the POPI Act. These can be downloaded from the justice.gov.za/inforeg website.
POPI is not about jail time and fines
A lot has been made of the maximum penalties in POPI. How exposed are business owners really to long jail terms and large fines? The often quoted R10m and / or 10 years imprisonment provision is a maximum penalty and only applies if you: hinder, obstruct or unlawfully influence the Regulator POPI s100 fail to comply with an Enforcement Notice POPI s103(1) give false evidence POPI s104(2) seriously or persistently, unlawfully process account numbers where [...]
Responsible party or operator?
Am I an 'operator' or 'responsible party' under POPI? It’s important to know whether you are regarded as an 'operator' or 'responsible party' under POPI. Both have certain obligations but the responsible party has a much broader responsibility. To determine if you are an operator, you can ask yourself whether you: Process the data solely in the interest of and on behalf of another, do so only according to their instructions, but without coming [...]
Protecting privacy and social media
#ProtectingPrivacy An interesting thing happened on Twitter last night. DA leader Mmusi Maimane tweeted a list of candidates from the opposing party. The list contained name, surname, ID number and other details. Someone responded by publicly tweeting a screenshot of the Maimane's tweet - including the list - asking 'Can we sue Mmusi for posting people's names and ID numbers on social media? ...This can't be right!' Another person quoted that tweet - again including the list - and asserted [...]
Retention of records
Retain only as long as necessary POPI requires that 'records of personal information must not be kept any longer than is necessary for achieving the purpose for which the information was collected..." Section 14(1) Practically this may be one of the most difficult provisions to comply with as it requires a very clear picture of all purposes for which a piece of information is kept and a thorough understanding of business processes. [...]
You’ve lost some data, now what?
Likelihood of regulatory enforcement When looking at enforcement of privacy legislation in Europe it appears that there is a low level enforcement. 1 For example, the UK Information Commissioner's Office reports only 84 enforcement actions during the whole of 2014. 2 It remains to be seen how active the South African Information Regulator will be in enforcing our own Protection of Personal Information Act (4 of 2013). Breach conundrum Given the probable low [...]
P@sswords
Weak passwords Imagine a vault encased in thick steel walls, inside a building with a state of the art alarm system with guards and dogs patrolling the 4m high electrified perimeter fence. Now imagine that a master key capable of opening the gate, front door and vault can be bought for R10 at the local hardware store. This is what happens when you choose a password like: P@ssword123 How does it happen? Google 'password list' [...]
The role of the Information Officer
How to register your Information Officer Quick FAQ #1: Your organisation, charity, school, club, etc does have an Information Officer under POPIA, and your IO does need to be registered. Quick FAQ #2: Your organisation, charity, school, club, etc does have to comply with both PAIA and POPIA. The Information Regulator has provided guidelines and instructions here: REGISTRATION: https://inforegulator.org.za/information-officers/ PAIA: https://inforegulator.org.za/paia-guidelines/ The instructions on how to register your IO are [...]
Who cares about privacy?
Is privacy dead? Scott McNealy, co-founder of Sun Microsystems famously said "You have zero privacy. Get over it." This raises some interesting questions: Are we at a stage where people have just gotten over it? Do your customers care about privacy? What about younger people and the 'millennials'? Nothing to hide When asked, most of us would say that we have 'nothing to hide' generally meaning that we're not engaged in anything illegal or unsavory. [...]
Public wifi
Like any radio signal, wifi can be received by anyone within range. So, what's to stop a third party from parking outside your house and watching you surf the net, do your banking etc? The answer is encryption. Home and work networks are usually encrypted so that any eavesdroppers would only receive an unintelligible jumble of characters. Unlike your home or office wifi, most public wifi networks are not encrypted. If you browse to a [...]
Increasing customer trust
Customers will largely decide if you are trustworthy based on your behavior. Below are some guidelines: No surprises Do not unilaterally re-purpose customer information, thereby surprising the customer when the information pops up in a different context. Do not allow their information to leak to third parties. Do not lose their information and then ask them to supply the same information again. Don't collect their personal information from third parties without their consent. Be open [...]
Reputation and brand
The majority of CEO's place a high value on maintaining their organizations' reputation and brand. Below are some ways that these critical business assets may be affected by a data breach: Direct financial loss While news of a high profile personal information breach tends to have an immediate negative effect on share price (for instance, the recent breach of US based Target stores saw the CEO resign and the share price fall by 10%), [...]
USB Flash Drives
Whether you call them 'memory sticks', 'flash drives', 'flash disks' or 'thumb drives', these USB devices are inexpensive, tiny and make it super easy to transfer data between computers. Unfortunately the convenience comes with risk. Information loss / theft Probability: very high Their size make them easy to carry but it also makes them easy to lose. While the device may be cheap, losing the data it contains could be very costly. In [...]
