Daily Archives: January 19, 2015

  • 0

Popi to change the way SA firms handle your data

Tags :

Category : Popi

Cape Town – Personal data has become a must-have commodity and a new Act seeks to limit just how much personal data companies may share or retain.

The scenario is a common one that many South Africans experience: You get a call at the most inappropriate time; the caller knows your name and proceeds to try and sell you something.

When asked about where your details were obtained, the answers are often vague at best – usually citing some database of a company – one that you usually can’t check while you’re on the phone.

One of the responses to this kind of invasion has been the Protection of Personal Information Act, signed into law after several delays as industry players negotiated what constituted personal information.

Generally the act seeks to protect privacy as guaranteed in the South African Constitution, and the law notes that “the right to privacy includes the right to the protection against the unlawful collection, retention, dissemination and use of personal information” in its preamble.

Loyalty programmes

One of the most common ways that companies have been collecting personal data is by way of loyalty programmes, but the law prescribes that a clear distinction should be made on how this information should be secured.

“What Popi is aiming to achieve is for companies to classify their data and determine those elements that would fall into the Popi category. They would then need to go through the process of protecting or securing that data to meet this regulation,” Andrew Kirkland, regional director for Trustwave Africa told News24.

Trustwave is a security company that specialises in helping organisation fight cybercrime by, among other things, conducting ethical intrusions and monitoring to ensure data fidelity.

The act prohibits the collection of information for the purposes of resale or trade, and also instructs those with access to personal data to ensure that the subject is aware thereof.

“Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party,” the law says.

This would, for example, prohibit so-called raffles that record personal data which is then sold to third parties who can call or e-mail people with “special offers” or insurance products.

However, while different company departments may share data, the law takes a dim view on sharing data between subsidiaries.


“If by divisions you mean subsidiaries then this may be more of a challenge since I would expect that you would still need to get permission to use this information from the customer. I suspect the regulator will have to make a call on this if it’s not that clear,” Kirkland explained.

However, the regulator has not yet been appointed in terms of the legislation and it is therefore unclear how companies that flout the law will be penalised.

The act requires that personal data be deleted once the objective has been achieved and if statistical information of the data is required, the subjects must be informed and their consent requested.

Kirkland said that the appointment of a regulator to manage the compliance is key to ensuring that Popi pay more than lip service to the protection of personal information in SA.

“We are waiting for the regulator to be appointed to get a better understanding of this [company accountability]. Non-compliance will at some point be penalised but to what extent can only be speculated at this point.”

  • 0

Your personal data

Category : Personal Data

Cape Town – It’s a case of individual responsibility with regard to protecting your personal data despite the Protection of Personal Information Act (Popi) because it only has force with companies operating in South Africa.

Popi was promulgated in 2013 after several delays and is meant to regulate how companies can collect, retain and disseminate personal information.

However, the global internet environment renders geographic borders null and void as many South Africans willingly hand their personal data over to international companies not bound by South African law.

“If you are a company operating in South Africa – either locally owned or internationally owned – you’d have to abide by the local laws which are associated with local data,” Andrew Kirkland, regional director for Trustwave Africa told News24.

Trustwave is a security company that specialises in helping organisation fight cybercrime by, among other things, conducting ethical intrusions and monitoring to ensure data fidelity.

Specific consent

The law specifies that specific consent must be obtained if companies would like to collect and process personal data.

“Personal information may only be processed if, given the purpose or which it is processed, it is adequate, relevant and not excessive,” says the act.

The lines become blurred when one introduces popular social networking platforms like Facebook, which operate under US law, but have a worldwide audience.

Data uploaded to the giant company’s servers are not subject to Popi, and though Facebook promises privacy, it is not an absolute.

The company warns that some data uploaded may become public domain, meaning that it can be disseminated without specific user consent.

“Because Pages are public, information you share with a Page is public information. This means, for example, that if you post a comment on a Page, that comment may be used by the Page owner off Facebook, and anyone can see it,” Facebook says in its terms and conditions.

Facebook also says that liking a company page on the network is public information and liking a corporate page may mean that content the company creates on its Facebook page may give it access to personal information.


“Because this content comes directly from the Page owner, that Page may be able to collect information about you, just like any website,” said Facebook.

Also, personal data of South Africans on Facebook may be given to US authorities. The social network revealed on Monday that between 9 000 and 12 000 demands for information were made in the year ended June 2013.

Microsoft and Yahoo also had to hand over personal data relating to 15 000 and 30 000 accounts respectively.

However, the act specifies that personal data may not be transferred to international parties unless specific permission has been obtained.

“A responsible party in the Republic may not transfer personal information about a data subject to a third party who is in a foreign country…” the law says, adding that it is subject to a range of provisions and consent by the affected party.

These matters indicate that the appointment of a regulator is critical to ensure that the prescriptions of the act, as well as remedies, can be applied for companies who may flout the law.

“We are waiting for the regulator to be appointed to get a better understanding of this [company accountability]. Non-compliance will at some point be penalised but to what extent can only be speculated at this point,” said Kirkland.

  • 0

No government ‘exceptions’ on personal data

Tags :

Category : Personal Data

Cape Town – The Protection of Personal Information Act (Popi) should apply to all organisations, irrespective of whether they be government agencies, a security firm has asserted.

Popi was promulgated in 2013 in response to the rampant practice of companies collecting and trading personal information, but the act is intended to limit this behaviour.

The act specifies that personal information must be processed lawfully and “in a reasonable manner that does not infringe on the privacy of the data subject”.

This means that in theory, one government department, home affairs for example should not – under the law – be allowed to share information with agencies like the Metro Police or Sars.

“The law applies to all parties accessing private information as far as we understand. We are not aware of special circumstances being extended to government or their associations,” Andrew Kirkland, regional director for Trustwave Africa told News24.


Trustwave is a security company that specialises in helping organisation fight cybercrime by, among other things, conducting ethical intrusions and monitoring to ensure data fidelity.

Popi places the burden of showing that personal data has been carefully managed with the company or organisation that collects it.

However, while the act does not specifically exempt government departments, it makes an exception as regards the sharing of personal information where it relates to criminal activity.

Specifically, the act describes that the law does not apply to activity “which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities”.

In practice, it is expected that the appointment of a regulator as envisioned in the act will adjudicate on matters where people feel that their personal data has been misused.

The act also specifies that organisations that flout the law will be subject to financial penalties, but it is up to the regulator to make a determination on the extent of these.

However, the regulator has not yet been appointed, potentially leaving citizens in legal limbo as far as their personal information protection is concerned.

Trustwave said that given the importance of personal information and the legal implications for companies that store the individuals’ data, the appointment of a regulator and discussions on the implementation of Popi was key.


“If the data relates to private individuals based in SA then the law would apply no matter where the data sits. We are not yet sure what this will look like yet and are eager to discuss these and others with the regulator once appointed,” said Kirkland.

It is expected that once the act is fully implemented South Africans will enjoy a level of protection of personal information, but access may still constitute a barrier to legal remedies even though the regulator is empowered to act independently.

Kirkland said that despite all the legal protections, it is important that all citizens protect their personal data.

“We all have a responsibility to protect private information.”

  • 0

Data security tips

Cape Town – The Protection of Personal Information Act (Popi) demands that companies take precautions as regards the handling of personal information.

The Act indicates that firms may face significant liability in the event of data loss or if information is shared with third parties without explicit consent of the “data subject” – you.

However, given that a regulator has not yet been appointed, the full implementation of the law is lacking, giving companies some breathing space to become compliant.

Doros Hadjizenonos, sales manager for Check Point South Africa has compiled five tips for companies to manage their data to ensure compliance with the law.

Check Point software offers security protection that it intended to assist businesses in becoming compliant with the legal regimen

Here are the five tips:

1. Know where the data is

Knowing what information you need to protect is the most important step. Once you know where this information resides, you can put a plan in place to secure it.

2. Encrypt the data and control what data leaves the organisation

Encryption ensures that data will not be accessible should it end up in the wrong hands. Employees are one of the weakest links in an organisation when it comes to data leakage. They may accidentally send confidential information to a friend who has the same first name as their line manager, for example.

This could result in the leakage of personal information; as a result, the company could be liable to the law for any fines or imprisonment.

3. Ensure mobile devices are secure

As employees become more mobile, organisations need to take measures to ensure that any information classified as personal, according to Popi, is protected – even on mobile devices, including smartphones, tablets and laptops.

These days, it’s easy to buy a mobile exploit, which takes advantage of code vulnerabilities to gain access to, and control over, a device and the data that resides on it, if it is not protected adequately.

It is important that every business that has adopted a mobile workforce strategy has a security policy to effectively secure the data on these devices.

4. Focus on the advantages of compliance

Complying with Popi gives businesses a competitive advantage. Customers are more likely to do business with compliant organisations as they know their data will be safe.

An even bigger advantage is that compliance opens doors to doing business with EU organisations. Europe is strict when it comes to data protection – businesses may not deal with countries that do not have some kind of data protection act in place.

5. Consider a new approach to security

At the enforcement layer, businesses implement policies to protect data, while the control layer involves creating the policy, and the management layer oversees the entire process and provides visibility of protected data.

Data protection is about policy creation. Businesses should know what data can leave the organisation and what data must be encrypted.

January 2015
« Oct