The Protection of Personal Information bill, soon to be enacted, will define the conditions under which personal information is lawfully processed. As the business of lawyers involves working with personal information, sometimes on a daily basis, it is obvious that PoPI will have a definite impact on how law firms operate.
The 8 Conditions listed in Chapter 3 are as follows:
Further processing limitation
Data subject participation.
In this week’s article we look at Condition 5, Information Quality. This condition is one of the broader conditions in the bill and simply states that the responsible party should ensure that the information collected or processed is accurate. In regard to the quality and completeness of the data, the responsible party should still collect and process information within the boundaries of the purpose specification. For the full condition as per the bill, click this link. http://keyphase.co.za/popibill_condition5
So what is involved in implement this condition? The first step is to confirm that there are controls in place to ensure that those conditions relating to purpose specification (condition 3 and condition 4) are complied with. This will identify the correct information which you need to collect. Once collected, the next step is to implement controls which will ensure that the information is validated, ensuring the information quality. You will further require a business process to flag when this information must be checked for validity including updates to the information. Typically this would be if information is only at some time after it was collected.
Data quality plays a major role during the data collection process, as it is at this point that data quality issues can be encountered and also corrected. Good collection practice will reduce the reliance on corrective controls. It should be noted that data collection is not always a manual process. In some cases data is received through electronic or automated means (e.g. banks sending information via their own mechanisms). The law firm will need to implement a business process to enable the correction of personal information once errors are detected. This will include providing feedback to the organization which provided the information.
Another key component is the law firm’s information security policy. The policy must contain clauses relating to the quality of information. It will also assign the responsibility of ensuring data quality to those employees within the firm who collect the information. In addition, it should cater for data that is collected via automated means. Some person in the firm must be responsible for testing new automated mechanisms to confirm that data quality issues are not introduced by the automated system.
Though this condition in the bill comprises only a few lines, the implementation of this should be carefully considered as data quality can be impacted at any point where a change to the data record is effected – from where it is collected initially and anywhere where it is exchanged from one system or department to another.