During the past few weeks we discussed each of the 8 principles, and we investigated what they mean to your firm.
The essence of the law is compliance with the 8 principles. Though the requirements of each principle are unique, from a practical perspective the same implementation of proper controls and best practices can answer the requirements of more than one condition. In this final article in the series we recap the components required for an efficient and successful implementation.
Complying with PoPI will require at least the following elements:
- A Personal Information Record Register
- Retrievable audit trails of actions
- An Information Security Management System
Information Record Register
In essence, PoPI requires organisations to practice proper Information Security Management. No organisation can manage information if it does not know what information it possesses and where that information resides. The Information Record Register is at the core of managing information. It is the single point of reference for finding information about the personal information records. At any point a data subject can request the organisation to provide details on the information it possesses. The data subject can further request proof of information destruction, and again, if you do not know what information you have and where it is, you will struggle to answer these requests. More so, it remains your responsibility to notify the regulator when you have lost records, for example when a laptop is lost or stolen. If you do not know what information resided on the laptop, how will you know what to notify the regulator of? Again, your information record register should address this.
Retrievable Audit Trails
Section 99 of the bill reads as follows:
99. (1) A data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of any provision of this Act as referred to in section 73, whether or not there is intent or negligence on the part of the responsible party.
The responsible party can face a claim if there is any reason to believe information leaked. It is up to the responsible party to disprove these claims. In addition, the regulator can at any stage launch an investigation should there be reason to believe that information leaked. Your business processes for working with information should therefore generate the evidence required to argue these claims. More so, this evidence must be easily retrievable when it is required – you would not want to spend valuable billable time looking for pieces of paper!
Information Security Management System
Condition 7 of the bill refers to Security Safeguards. The component that will probably require the most work in your organisation is the “organisation measures”. In short, this means you will most probably have to change the way you work with information. It means you will have to implement a host of processes to ensure information is handled in a responsible way. Keep in mind, it will be YOUR responsibility to prove that you’ve done what is possible to keep information secure. The concept of an Information Security Management System might be foreign, but in the same way that all organisations have a financial management system, your information security management is also just a set of rules and “ways of doing” when it comes to handling information. Information Security Management Systems are well defined through international standards such as ISO 27000.
Keyphase invites organisations to contact us regarding these requirements. We specialise in information security management, and we have products specifically aimed at the legal and conveyancing sectors. We would also like to thank those of you who followed this series; please feel free to contact us directly should you require more information.