Privacy and the Protection of Personal Information (PPI) Act has recently taken the spotlight in the South African legislative environment and will soon become a compliance headache for most organisations. For many organisations it is a compliance black hole; some, however, have been aware of the bill for some time, and others have gone as far as defining personal information requirements and strategies.
So where do we start?
Dealing with the requirements of PPI must start with the organisation defining the types of information it receives, processes and distributes. This covers all information and data, whether in manual or electronic format. The information can be internally generated (e.g. employee information) or externally generated (e.g. client information). In the realm of privacy, information such as personal details (e.g. name, surname, ID number), biometric data, health data, gender and political persuasion all fall within the ambit of the Protection of Personal Information Act.
How is our data used, and do we have the right to use it?
Once the type of information has been defined, the use of that information must be clearly defined and authorised. This covers how the information will be used and how it will be treated after use (stored, destroyed or returned). When the use has been clearly defined, it must be communicated to the relevant parties in order to obtain their consent. Without this step, any processing of personal information could be considered unlawful.
If we violated our own policy, how would we know? And are we expected to know?
The act also requires that any loss of personal information be disclosed to the regulator. This implies that mechanisms to identify breaches of information must be implemented as part of the organisation's business, i.e. data leakage prevention activities.
Typically, answering this question and executing the privacy strategy relies on a set of business process controls, which can be preventative or detective and can be operated in a manual or automated manner:
- Preventative: controls that prevent a risk from occurring
- Detective: controls that detect whether a risk has materialised
- Automated: controls that do not require manual intervention
- Manual: controls that are operated by an individual or a group of individuals
Ideally, the controls around personal information should primarily be automated and preventative, supported by detective controls that identify a breach or loss. These controls are distributed in nature: they are found across the business process, the application system used to facilitate the business process, and the underlying IT infrastructure that supports the application.
Organisations often find themselves asking how to implement controls and ensure the right mix of controls to safeguard personal information, or alternatively, once the controls are in place, how to gain assurance that they are operating effectively. The control landscape is further complicated by the numerous other compliance requirements and related controls that the business relies upon.
How are others effectively dealing with it?
Deloitte has specialists who deal with control landscapes end-to-end, from the business process level down to the technical IT controls that need to be configured appropriately. We assist our clients in implementing these controls and in providing assurance that their privacy-related controls are operating effectively.
For more information, contact Prashanth Naidoo on 071 674 9633 or email@example.com