Author Archives: Gerald

  • 0

No government ‘exceptions’ on personal data

Tags :

Category : Personal Data

Cape Town – The Protection of Personal Information Act (Popi) should apply to all organisations, irrespective of whether they be government agencies, a security firm has asserted.

Popi was promulgated in 2013 in response to the rampant practice of companies collecting and trading personal information, but the act is intended to limit this behaviour.

The act specifies that personal information must be processed lawfully and “in a reasonable manner that does not infringe on the privacy of the data subject”.

This means that in theory, one government department, home affairs for example should not – under the law – be allowed to share information with agencies like the Metro Police or Sars.

“The law applies to all parties accessing private information as far as we understand. We are not aware of special circumstances being extended to government or their associations,” Andrew Kirkland, regional director for Trustwave Africa told News24.


Trustwave is a security company that specialises in helping organisation fight cybercrime by, among other things, conducting ethical intrusions and monitoring to ensure data fidelity.

Popi places the burden of showing that personal data has been carefully managed with the company or organisation that collects it.

However, while the act does not specifically exempt government departments, it makes an exception as regards the sharing of personal information where it relates to criminal activity.

Specifically, the act describes that the law does not apply to activity “which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities”.

In practice, it is expected that the appointment of a regulator as envisioned in the act will adjudicate on matters where people feel that their personal data has been misused.

The act also specifies that organisations that flout the law will be subject to financial penalties, but it is up to the regulator to make a determination on the extent of these.

However, the regulator has not yet been appointed, potentially leaving citizens in legal limbo as far as their personal information protection is concerned.

Trustwave said that given the importance of personal information and the legal implications for companies that store the individuals’ data, the appointment of a regulator and discussions on the implementation of Popi was key.


“If the data relates to private individuals based in SA then the law would apply no matter where the data sits. We are not yet sure what this will look like yet and are eager to discuss these and others with the regulator once appointed,” said Kirkland.

It is expected that once the act is fully implemented South Africans will enjoy a level of protection of personal information, but access may still constitute a barrier to legal remedies even though the regulator is empowered to act independently.

Kirkland said that despite all the legal protections, it is important that all citizens protect their personal data.

“We all have a responsibility to protect private information.”

  • 0

Data security tips

Cape Town – The Protection of Personal Information Act (Popi) demands that companies take precautions as regards the handling of personal information.

The Act indicates that firms may face significant liability in the event of data loss or if information is shared with third parties without explicit consent of the “data subject” – you.

However, given that a regulator has not yet been appointed, the full implementation of the law is lacking, giving companies some breathing space to become compliant.

Doros Hadjizenonos, sales manager for Check Point South Africa has compiled five tips for companies to manage their data to ensure compliance with the law.

Check Point software offers security protection that it intended to assist businesses in becoming compliant with the legal regimen

Here are the five tips:

1. Know where the data is

Knowing what information you need to protect is the most important step. Once you know where this information resides, you can put a plan in place to secure it.

2. Encrypt the data and control what data leaves the organisation

Encryption ensures that data will not be accessible should it end up in the wrong hands. Employees are one of the weakest links in an organisation when it comes to data leakage. They may accidentally send confidential information to a friend who has the same first name as their line manager, for example.

This could result in the leakage of personal information; as a result, the company could be liable to the law for any fines or imprisonment.

3. Ensure mobile devices are secure

As employees become more mobile, organisations need to take measures to ensure that any information classified as personal, according to Popi, is protected – even on mobile devices, including smartphones, tablets and laptops.

These days, it’s easy to buy a mobile exploit, which takes advantage of code vulnerabilities to gain access to, and control over, a device and the data that resides on it, if it is not protected adequately.

It is important that every business that has adopted a mobile workforce strategy has a security policy to effectively secure the data on these devices.

4. Focus on the advantages of compliance

Complying with Popi gives businesses a competitive advantage. Customers are more likely to do business with compliant organisations as they know their data will be safe.

An even bigger advantage is that compliance opens doors to doing business with EU organisations. Europe is strict when it comes to data protection – businesses may not deal with countries that do not have some kind of data protection act in place.

5. Consider a new approach to security

At the enforcement layer, businesses implement policies to protect data, while the control layer involves creating the policy, and the management layer oversees the entire process and provides visibility of protected data.

Data protection is about policy creation. Businesses should know what data can leave the organisation and what data must be encrypted.

  • 0

SA firms dragging their heels on Popi

Johannesburg – The implementation phase of the Protection of Personal Information Act is around the corner, but the majority of South African enterprises have not yet made an effort to comply with the legislation.

The act, also known as Popi, seeks to place restrictions on how companies handle personal data and guarantees the public the right to opt in to be contacted for specific marketing or promotional purposes.

However, research by a security firm has found that the majority of organisations are taking a wait-and-see approach.

According to Trustwave, at least 51% of South African companies have not made a significant effort to comply with the legislation.

While part of the reason may lie in the fact that a regulator has not been appointed yet, it is expected that a regulator will be appointed before the end of 2014, after which firms will have no more than 12 months to reach full compliance or face penalties.


For comparison, in the UK which has similar legislation, it has taken more than a decade for some companies to comply with the law.

But Popi is unlike other legislation. It is focused on getting consumers to hold organisations liable for how personal data is gathered, stored and used.

“It’s a bottom up approach and that’s why you have a regulator,” data protection specialist Francis Cronje told Fin24. “The regulator’s main role is public awareness.”

Andrew Kirkland of Trustwave makes his point on Popi compliance. (Duncan Alfreds, Fin24)

He said that South Africans were not as vigilant regarding their personal data to prevent criminals from accessing it.

As an example, Cronje cited people throwing away medicine labels which often contain personal information and even bills or bank statements with financial information.

“There are a lot of syndicates that pay those people to harvest personal information and that’s how you get a lot of credit card fraud and ID theft,” he said.

Some unscrupulous organisations also make it a business model to harvest personal data and sell it on to companies not even based in SA.

Disgruntled workers

“There’s a lot of data theft going around. Sometimes you might get this e-mail from a complete stranger in America offering you a database in South Africa, leaving you wondering: ‘How did they get it?'” Cronje said.

Some operators have been known to advertise for general jobs on classified websites as a way to collect vast amounts of personal data as people applied for employment.

Cronje also listed some disgruntled workers that might leave a company with a database of customer personal and financial information.

It is imperative that organisations ensure that there are systems in place that prevents personal data leaking out through the direct actions, incompetence or malevolence of employees.

“There’s no excuse for that,” Cronje stated emphatically.

According to the Trustwave report, 38% of companies said that they had organisational measures in place to prevent the loss of unauthorised data.

However, Trustwave said that even if South African companies had experienced a data breach, it is unlikely that they would make it public.

Lax attitude

“In South Africa, no. Nobody’s going out there to publically announce that they had a data breach. That would be quite catastrophic for them. However, I do agree with Francis that there is a responsibility with that company to go through that process to notify you – not 32 days later,” Andrew Kirkland, Trustwave regional director for Africa told Fin24.

Sony waited 32 days to publically announce that it had experienced a data breach on its PlayStation Network and the company has agreed to pay $15m is a settlement.

Many South African companies also have a lax attitude regarding personal data when contracting third party marketers.

“If you engage with a direct marketer, make sure at least, that you’ve conducted your due diligence,” said Cronje.

He added that for both private and public enterprises, the theft of personal data in SA was a huge problem that Popi would address if companies made compliance a priority.

“It costs this country in excess of R3bn per annum in ID theft just from a governmental perspective. Imagine what it costs business.”

Watch this video to see how Popi will affect you.

  • 0

Five wireless trends affecting SA in 2015

Privacy and security will become top of mind

Globally, the Sony Pictures hack in late 2014 sent shock-waves across the globe.

Closer to home, Wapa has said that the Protection of Personal Information (Popi) Act will begin to affect South African businesses in 2015.

Popi plans to bring SA up-to-date with global data protection laws and boost citizens’ constitutional right to privacy.

Popi further provides guidelines on what data can be obtained from organisations and how that data can be used.

“There is no better time to design and build systems that have security and consumer privacy as core tenets rather than afterthoughts,” said Wapa.

“This is especially relevant to public internet access points such as Wi-Fi hotspots, where a combination of poor security, multiple devices, and consumers on the go could lead to some unfortunate consequences,” added Wapa.

July 2019
« Jan