The Protection of Personal Information (“PPI”) Law provides for various legal requirements that are relatively cumbersome on organisations. The conditions in the PPI law provide for 8 key principles that need to be adhered to in all aspects of your information life cycle. Although on first reading one would presume that these are simple conditions to adhere to, the reality is that operationalising these requirements is not as easy as one may assume.
The role of PETs (Privacy Enhancing Technologies) cannot be overstated when looking at how the PPI law will affect your IT organisation as well as you personally.
What are privacy enhancing technologies?
Technology can assist companies’ compliance with the principles that protect individuals’ (their clients) privacy and can go even further in empowering individuals, giving them the ability to access and control information that is stored about them. These individuals can then decide how and when it will be disclosed to and used by third parties. This obviously pertains to personal information that is kept in electronic format and we must remember that the PPI law applies to personal information in soft / hard copy format.
The best protection for individuals is to ensure that their personal information is only collected where it is necessary, relevant and not excessive in nature. Traditionally privacy enhancing technologies (PETs) have been limited to ‘pseudonymisation tools’. These fancy-sounding tools are software and systems that allow individuals to withhold their true identity from those operating electronic systems or providing services through them, and only reveal it when absolutely necessary.
These technologies help to minimise the information collected about individuals and include anonymous web browsers, specialist email services, and digital cash.
There is a strong view that there needs to be a wider approach to privacy enhancing technologies, and this could include:
- encrypted biometric access systems that allow the use of a fingerprint to authenticate an individual’s identity, but do not retain the actual fingerprint;
- secure online access for individuals to their own personal data to check its accuracy and make amendments;
- “sticky” or “omnipresent” electronic privacy policies that are attached to the information itself preventing it being used in any way that is not compatible with that policy.
What are the high-level goals of PETs?
With the rollout of the PPI law, PETs are there to assist users to take one or more of the following actions related to their personal data sent to, and used by, online service providers, merchants or other users:
- increase control over their personal data sent to, and used by, online service providers and merchants (or other online users)
- data minimisation: minimise the personal data collected and used by service providers and merchants
- choose the degree of anonymity (e.g. by using pseudonyms, anonymisers or anonymous data credentials)
- achieve informed consent about giving their personal data to online service providers and merchants
- data tracking: allow users to log, archive and look up past transfers of their personal data, including what data has been transferred, when, to whom and under what conditions
- facilitate the use of their legal rights of data inspection, correction and deletion
Who is responsible?
The onus is on organisations to give their users access so that they can track and examine what personal information has been stored and used for different activities.
From an organisation's point of view, this fundamentally changes the way in which systems are designed. Access to personal information can no longer be taken for granted; the rights of an individual over their personal information now need to be inherently contained in the thinking, planning and design of systems.
In other words, a system designer should start from the position of trying to protect individuals’ privacy by creating or implementing PETs. To that end they should be asking some of the following questions:
- Do I need to collect any personal data at all?
- If so, what is the minimum needed?
- Who will have access to which data?
- How can accesses be controlled to allow only those which are for the purposes stated when the data was collected, and then only by those employees and processes that have an essential need?
- Can individuals make total or partial use of the system anonymously?
- How can I help individuals to exercise their rights securely?
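The mechanisms the post names can be shown together in a few dozen lines: a “sticky” policy that travels with the record and limits use to the purposes stated at collection, keyed pseudonymisation so an identifier is released without its true value, and a transfer log that lets the individual look up what was disclosed, when, to whom and under what conditions. The following Python is an added example written for this page, not code from the original post; the class names, field names, sample record and key are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac

# Constructed sample key; in a real deployment this lives in a key store.
SAMPLE_KEY = b"constructed-demo-key"


class PolicyViolation(Exception):
    """Raised when a requested use is not compatible with the sticky policy."""


@dataclass(frozen=True)
class StickyPolicy:
    allowed_purposes: frozenset   # purposes stated to the individual at collection
    expires: datetime             # no disclosure at all after this point
    pseudonymise_fields: frozenset  # fields only ever released as keyed pseudonyms


@dataclass
class PersonalRecord:
    subject_id: str
    fields: dict
    policy: StickyPolicy          # the policy travels with the data
    transfer_log: list = field(default_factory=list)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: stable for the same input, not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def disclose(record, recipient, purpose, requested_fields, key, now=None):
    """Release fields only if the attached policy allows it, and log the transfer."""
    now = now or datetime.now(timezone.utc)
    if purpose not in record.policy.allowed_purposes:
        raise PolicyViolation(f"purpose {purpose!r} not among stated purposes")
    if now > record.policy.expires:
        raise PolicyViolation("retention period has expired")
    unknown = set(requested_fields) - set(record.fields)
    if unknown:
        raise PolicyViolation(f"unknown fields requested: {sorted(unknown)}")
    released = {}
    for name in requested_fields:
        value = record.fields[name]
        if name in record.policy.pseudonymise_fields:
            value = pseudonymise(value, key)   # identity withheld, link preserved
        released[name] = value
    # Data tracking: what was transferred, when, to whom, under what conditions.
    record.transfer_log.append({
        "when": now.isoformat(),
        "to": recipient,
        "purpose": purpose,
        "fields": list(requested_fields),
        "pseudonymised": sorted(set(requested_fields) & record.policy.pseudonymise_fields),
    })
    return released


def make_sample_record():
    """Constructed sample: one customer record with its policy attached."""
    policy = StickyPolicy(
        allowed_purposes=frozenset({"order_fulfilment", "fraud_screening"}),
        expires=datetime(2099, 1, 1, tzinfo=timezone.utc),
        pseudonymise_fields=frozenset({"id_number"}),
    )
    return PersonalRecord(
        subject_id="subject-0001",
        fields={"name": "A. Example", "id_number": "0000000000000", "city": "Cape Town"},
        policy=policy,
    )


def run_demo():
    """Exercise the allowed, disallowed and expired paths; return the outcomes."""
    record = make_sample_record()
    allowed = disclose(record, "courier-service", "order_fulfilment", ["name", "city"], SAMPLE_KEY)
    screened = disclose(record, "fraud-team", "fraud_screening", ["id_number"], SAMPLE_KEY)
    try:  # purpose never stated to the individual: refused
        disclose(record, "marketing-partner", "marketing", ["name"], SAMPLE_KEY)
        marketing_blocked = False
    except PolicyViolation:
        marketing_blocked = True
    try:  # stated purpose, but after the retention period: refused
        disclose(record, "courier-service", "order_fulfilment", ["name"], SAMPLE_KEY,
                 now=datetime(2100, 1, 1, tzinfo=timezone.utc))
        expired_blocked = False
    except PolicyViolation:
        expired_blocked = True
    return {"allowed": allowed, "screened": screened,
            "marketing_blocked": marketing_blocked, "expired_blocked": expired_blocked,
            "log": record.transfer_log}
```

Because the policy is a field of the record rather than a rule held elsewhere, every code path that hands the data out has to go through `disclose`, which is what makes the policy “stick”; the transfer log is what the individual would be shown when exercising their right to see how their data has been used, and refused requests never reach it because the checks run before anything is released.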
As POPI comes into law in South Africa, this will not be a theoretical discussion but rather one with a very definite application date. As it stands, as soon as the POPI Act is signed into law there will be a 1 year grace period within which organisations need to comply.