The pending Protection of Personal Information legislation will require companies to do more than just secure their data - it will force them to extensively review their business policies and processes. Data privacy in terms of the South African legislati
From the point where personal information is collected, organisations will have to get a person’s permission to use his or her information. Historically, South African organisations collected data and used it liberally. “The PPI legislation will require that any terms or contract concluded must have a consent element built in,” says Dean Chivers, Director of Deloitte Legal. Information can only be used in terms of the permissions obtained and when information is no longer required for the purposes for which it was collected, it will have to be destroyed.
This and other requirements will mean that organisations which have so far not planned for the law will have to scramble to meet the deadlines imposed by the legislation, especially given that a sound PPI solution can take approximately three years to implement.
“Information will have to be secured regardless of whether it’s in ‘soft data’ form (electronic information) or ‘hard data’ form (documents) and the security requirements include control of access to information,” adds Chivers. In the case of information being sent across borders and to outsourced service providers, such recipients will need to meet the same security requirements.
Significant changes to systems to make them compliant with the demands of the PPI legislation will have to be accompanied by extensive training of staff across disciplines as new rules will apply to what were previously routine corporate functions.
Access to information within a company will have to be controlled on an ‘as-needed’ basis. This will dictate which of a company’s officers have access to what material. For example, HR data should only be accessible to a small number of employees, namely the HR team. “Policies controlling the use and storage of files within personal offices, access controls and the removal of data from company premises will also have to be written. Sanctions for contravention of legal provisions will therefore have to be included in a company’s HR disciplinary code,” says Chivers.
Processes will have to be built around the collection, processing, monitoring, distribution and ultimately destruction of all personal information held by an entity. The primary responsibility for safeguarding information will rest with the collector of the data. In this regard, the proposed legislation makes it clear that the safeguarding obligation cannot be outsourced. In markets like the EU where strong PPI laws already exist, major companies are using the services of independent auditing companies to certify compliance with destruction and other privacy requirements. Industries that are highly reliant on direct marketing or that process significant amounts of personal information will be the first to be impacted by PPI. Companies using marketing tools such as competitions to build databases will have to operate differently.
Some South African companies, especially those with international links to countries with well-developed PPI legislation, are already working towards ensuring their future compliance. Some have made significant investments in establishing a ‘privacy office’ that will take control of meeting PPI requirements.
“The South African PPI legislation is sound legislation. It is modern and aligned with internationally accepted practice. It also meets the needs of a technological age in which information flows easily across the globe.
“The onus will be on South African companies to ensure that security across their operations is effective and can be introduced in the time stipulated,” concludes Chivers. If they can achieve this, they will be more competitive globally.