If you read none of the others, read this. The Protection of Personal Information bill, soon to be enacted, will define the conditions under which personal information is lawfully processed. As the business of lawyers involves working with personal information on a daily basis the impact is obvious.
The 8 Conditions listed in Chapter 3 are as follows:
Further processing limitation
Data subject participation
The focus point this week is on Security Safeguards. As the title of this article reads, this is the one point no firm can get away from, it’s the one condition you cannot “make disappear” through specific clauses in the consent form received from the data subject. The condition as per the law states:
“19. (1) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—“
Read the full text of this condition here: http://keyphase.co.za/popibill_condition7
Let’s dissect this for a moment. The first consideration is the “technical measures”. Contrary to popular belief, this is actually the easier part to comply with. What this means, is information as it exists in your firm, needs to be protected using technical means. Most of these are in all probability are already in place. These measures are to the likes of;
- Antivirus or Anti Phishing software
- Firewalls on your network infrastructure
- Unique and strong passwords on all computers
- Disk encryption for hard drives
Most of these terms you might have heard of from your IT Department or outsourced IT company, with the possible exception of Disk Encryption. Disk Encryption is nothing other than storing information on a computer or hard drive in a format that is not readable by someone without the computer password. Should a computer get stolen, the information on the computer is useless. Disk encryption is particularly important when using portable hard drives or CDs or DVDs for backups. Backups typically contain all the information in the organization. CDs, DVDs or a portable hard drive is small enough for anyone to carry out of an office. It goes without saying that should the information on there not be encrypted, it will result in a gross violation of the law, and in all probability be seen as negligent.
The concept of avoiding negligence is what links the technical to the “organizational measures” as stated in the law. Many law firms use outsourced IT companies. In principle a good practice as it allows the firm access to expensive skills without the burden of employment. However, ask yourself, how much do you really know what they do? Should your organization be challenged under the law and even if you can hold your IT Service Provider accountable, it will still not rid you of your own responsibilities and accountability under the law. Ultimately you are still the responsible party. The law also states that the responsibility rests with the “Responsible Party” to prove or disprove the claims made against them. It is therefore imperative that the law firm must be able to prove that they have implemented “reasonable organizational measures”. The good news is that it is not that difficult to do. The organizational measures can be summarized as a set of business processes that the firm follows to ensure the Confidentiality, Integrity and Availability of information is protected at all times. A simple example of such a business process is Access Management. This process in its basic form will mean someone requiring access to the network, or the office through a key or tag, will formally request access. This request is then approved, and the rights are given as per the request. The requestor then formally accepts the responsibility, according to the policy, that goes with the access rights granted. To “close the loop”, a responsible person then checks on a regular basis that the access rights as specified on the system coincides with the access request. Throughout this process evidence must be created to prove that the process was followed, and that the participant accepted accountability for each of the steps in the process. The same principles apply for a host of other management areas.
Guidelines for managing information security has been documented in international standards. The ISO 27000 family of standards were specifically written for Information Security Management. The ISO 27002 specifically is a best practice guide on how to implement information security standards. A guideline issued by the Law Society of South Africa also suggests using this standard as a general approach to information security management.
Implementing an Information Security Management System need not be seen as burden. It is an opportunity to improve the way your business operates.
Contributed by Keyphase Technologies.