Securing Personal Information in line with POPIA Condition 7: Security Safeguards

Table of Contents

1. Introduction
2. UK Cyber Essentials Framework
2.1. Risk management
2.2. Information security policy
2.3. Information security responsibility
2.4. Outsourcing / Operators
2.5. Incident management
2.6. Education and awareness
2.7. Secure areas
2.8. Secure storage
2.9. Secure disposal
2.10. Home and mobile working procedures
2.11. Secure configuration
2.12. Removable media
2.13. User access controls
2.14. System password security
2.15. Antivirus and malware protection
2.16. Back up and restoration
2.17. Monitoring
2.18. Patch management
2.19. Boundary firewalls
3. Practical Measures based on the UK Cyber Essentials Framework
3.1. Organisational Measures
3.2. Technical Measures
Annexure A: Recommended list of information security policies
Annexure B: Sample appointment letter for an Information Security Officer
Annexure C: Microsoft 365 Security Checklist

1.      Introduction

There is often a perception that the purpose and scope of information and cyber security is purely to keep external attackers away from an organisation’s systems and information.  While this is an essential part of the subject, it is equally essential to manage the people and processes involved in securing information, because risks to information also arise inside organisations: misuse by staff, accidental loss and equipment failure.

The Protection of Personal Information Act of 2013 (POPIA) requires all organisations, both Responsible Parties and Operators, to comply with Condition 7: Security Safeguards, in particular sections 19, 20 and 21.

In practical terms this means that they should implement and maintain appropriate organisational and technical measures for securing personal information. POPIA also requires that organisations consider generally accepted practices for Information Security when implementing appropriate and reasonable measures.  Several security standards and frameworks exist but these can be too complex for small to medium sized organisations to adopt.

2.      UK Cyber Essentials Framework

The recommended measures provided below are based on the UK Cyber Essentials Framework as presented in the UK ICO SME Toolkit. This provides practical guidance for implementing and managing information security in small to medium sized organisations. The scheme is based on the 19 sub-categories described below:

2.1.            Risk management

Your organisation should ensure that information security risks are assessed and appropriately managed. These should include a strong focus on risks to personal information in terms of POPIA requirements.

2.2.             Information security policy

Your organisation should implement an information security policy that covers all aspects of information security within your organisation. Sub-policies should also be implemented; Annexure A provides a recommended list of information security policies.

2.3.             Information security responsibility

Your organisation should identify a person or department and assign day-to-day responsibility for information security. Annexure B contains a sample appointment letter for an Information Security Officer.

2.4.             Outsourcing / Operators

Your organisation should establish written agreements with third party service providers who process personal information that include appropriate information security clauses and obligations.   POPIA regards these as Operators and includes a legal requirement for the establishing and monitoring of written agreements with these parties.

You should also establish protocols that allow periodic security reviews of the arrangements in place, to provide assurance of compliance with the contracts/agreements.

Section 3 below provides guidance for establishing practical organisational and technical measures.

2.5.             Incident management

Personal information security breaches may arise from a theft, an attack on your systems, the unauthorised use of personal information by a member of staff, or from accidental loss or equipment failure. However a breach occurs, it is important that you deal with it effectively and learn lessons from it.

If the breach (also known as a security compromise) involves personal information, section 22 of POPIA requires you to notify the Information Regulator as soon as reasonably possible after discovering it, and also the affected data subjects unless their identity cannot be established. Notify the Regulator using FORM-SCN1-Security-Compromises-Notification, which is available on the Information Regulator’s website at https://inforegulator.org.za/ under POPIA/Forms.

2.6.             Education and awareness

Your organisation should brief all staff on their security responsibilities, including the appropriate use of business systems and ICT equipment.

You should also train your staff to recognise common threats such as phishing emails and malware infection, and how to recognise and report personal information security breaches.

You should ensure staff are trained on or shortly after appointment, with updates at regular intervals thereafter or when required.

2.7.             Secure areas

Your organisation should establish entry controls that restrict access to premises and equipment to those who need it.  This prevents unauthorised physical access to, and damage to or interference with, personal information.

You should lock away paper records and mobile computing devices when not in use.

Implementing a ‘clear desk’ policy and introducing compliance checking mechanisms within your organisation will be a valuable measure for information security in the workplace.

2.8.             Secure storage

Your organisation should establish secure storage arrangements that protect records and equipment, to prevent loss, damage, theft or compromise of personal information.

2.9.             Secure disposal

Your organisation should establish a process to securely dispose of records and equipment when they are no longer required.  This should cover both paper records and electronic records.

Electronic data on devices such as PCs, laptops, phones and removable drives must be made unrecoverable before the device leaves your control. Simply deleting files or formatting the drive is not sufficient: a standard format only removes the file system index, and the data can be recovered with freely available tools. Use a secure-erase utility that overwrites the whole drive, the manufacturer’s secure-erase or cryptographic-erase function (for SSDs and self-encrypting drives), or a reputable service provider that physically destroys the media and issues a certificate of destruction.  Paper records should be destroyed using a cross-cut shredder or a reputable shredding service provider.

2.10.           Home and mobile working procedures

Your organisation should establish a home and mobile working policy. You should also ensure the security of mobile working and the use of mobile computing devices.

2.11.         Secure configuration

The default installation of ICT equipment can include vulnerabilities such as unnecessary guest or administrative accounts, default passwords that are well known to attackers, and pre-installed but unnecessary software. These vulnerabilities can provide attackers with opportunities to gain unauthorised access to personal information held in business systems.  Your organisation should, therefore, establish a process to configure new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.

2.12.         Removable media

Your organisation should establish controls to manage the use of removable media. These should prevent unauthorised disclosure, modification, removal or destruction of personal data stored on media.

2.13.         User access controls

Your organisation should establish a process to assign user accounts to authorised individuals, and to manage user accounts effectively to provide the minimum access to information. You should limit access to personal data held in information systems.
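To make the access review concrete, the following added example (not code from the original page) runs a quarterly user-access review over a constructed account export. The CSV layout, the approved-administrator list and the 90-day dormancy threshold are assumptions; export the equivalent from your directory service or application and adjust them to your policy. It flags three things the paragraph above asks for: leavers whose accounts are still enabled, administrator rights held by people not on the approved list, and enabled accounts nobody has used.

```python
"""User-access review over a constructed account export.

Added example, not from the original page. The CSV columns, the approved-administrator
list and the 90-day dormancy limit are assumptions; export the equivalent from your
directory or application.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export, one row per account
ACCOUNT_EXPORT = """\
username,enabled,role,last_login,employment_status
alice,true,admin,2024-12-01,active
bob,true,user,2024-11-28,active
carol,true,user,2024-06-15,active
dave,true,admin,2024-11-30,left
erin,false,user,2024-01-10,left
svc_backup,true,admin,2024-12-03,service
"""

APPROVED_ADMINS = {"alice", "svc_backup"}  # assumption: the documented list of permitted admins
DORMANT_AFTER = timedelta(days=90)          # assumption: no login for 90 days = dormant
REVIEW_DATE = date(2024, 12, 4)             # fixed so the example is repeatable


def load_accounts(csv_text):
    """Parse the export, normalising the boolean and date columns."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["enabled"] = r["enabled"].strip().lower() == "true"
        r["last_login"] = date.fromisoformat(r["last_login"].strip())
    return rows


def review(accounts, today=REVIEW_DATE):
    """Return {username: [finding, ...]} for every account that needs action."""
    findings = {}
    for a in accounts:
        issues = []
        # Leavers: the account must be disabled on the day they leave, not at the next review
        if a["enabled"] and a["employment_status"] == "left":
            issues.append("leaver still enabled")
        # Least privilege: admin rights only for identities on the approved list
        if a["role"] == "admin" and a["username"] not in APPROVED_ADMINS:
            issues.append("admin rights not on approved list")
        # Dormant enabled accounts are unused attack surface; disable or justify them
        if a["enabled"] and today - a["last_login"] > DORMANT_AFTER:
            issues.append("dormant account")
        if issues:
            findings[a["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review(load_accounts(ACCOUNT_EXPORT)).items():
        print(f"{user}: {', '.join(issues)}")
```

Run against the sample, the review reports carol as dormant and dave both as a leaver still enabled and as an unapproved administrator; erin is a leaver too, but her account is already disabled, so no action is raised. Keep the approved-administrator list under change control, since the check is only as good as that list.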

2.14.         System password security

Your organisation should enforce the use of strong passwords (length matters more than complexity; block well-known and previously breached passwords) and, wherever the system supports it, multi-factor authentication. Passwords should be changed promptly whenever they are known or suspected to be compromised; forcing routine periodic changes is no longer recommended by the NCSC, because it leads users to choose weaker, predictable passwords. You should also limit the number of failed login attempts by locking or throttling the account. Usernames and passwords are valuable to attackers and should be managed effectively.

2.15.         Antivirus and Malware protection

Computers can be infected with malware (for example, viruses, worms, Trojans, spyware) via email attachments, websites and removable media. This can result in the loss or corruption of personal information. Your organisation should:

  • install antivirus and malware protection on every device and configure it to scan regularly and in real time so that threats are detected and blocked;
  • encrypt the disks of laptops and other portable devices, so that a lost or stolen device does not become a breach of personal information;
  • make sure the protection software and its signatures are kept up to date; and
  • educate users about common threats.

2.16.         Back up and restoration

Your organisation should establish a process to routinely back-up electronic information, including personal information, to help restore information in the event of disaster.  Data stored in cloud services should also be backed up to a separate cloud service.  You should also test the restoration of backups regularly to check the effectiveness of the back-up process.
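The restore test is the step most organisations skip. The added example below (not code from the original page) backs up a small constructed directory, restores it into a fresh location and verifies every file against SHA-256 hashes recorded at backup time, so that a silently corrupted or incomplete restore is caught during the drill rather than after a disaster. The tar archive stands in for whatever backup tool you actually use; the manifest-and-verify logic is the part to keep.

```python
"""Backup-and-restore drill: back up a directory, restore it elsewhere, verify every file.

Added example, not from the original page. The data directory is constructed inside a
temporary folder; replace the tar step with your real backup tool and keep the
manifest/verify logic.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src_dir, archive_path):
    """Write a gzip tar of src_dir's contents; return the manifest recorded at backup time."""
    src_dir = Path(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for child in sorted(src_dir.iterdir()):
            tar.add(child, arcname=child.name)
    return manifest(src_dir)


def restore(archive_path, dest_dir):
    """Extract the archive; the 'data' filter refuses entries that would escape dest_dir."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest_dir, filter="data")
        except TypeError:           # Python versions before the filter argument existed
            tar.extractall(dest_dir)


def verify_restore(expected, restored_dir):
    """Compare the restore against the backup-time manifest; return a list of problems."""
    actual = manifest(restored_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in actual if rel not in expected)
    return problems


def run_restore_test(corrupt_one_file=False):
    """End-to-end drill on constructed data; returns the problem list (empty means pass).

    corrupt_one_file=True simulates a damaged restore so the check itself can be tested.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        data = tmp / "data"
        (data / "hr").mkdir(parents=True)
        (data / "hr" / "staff.csv").write_text("id,name\n1,Constructed Person\n")
        (data / "notes.txt").write_text("constructed sample content\n")

        archive = tmp / "backup.tar.gz"
        expected = backup(data, archive)

        restored = tmp / "restored"
        restored.mkdir()
        restore(archive, restored)
        if corrupt_one_file:
            (restored / "notes.txt").write_text("bit rot\n")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean restore:", run_restore_test() or "OK")
    print("damaged restore:", run_restore_test(corrupt_one_file=True))
```

Store the manifest separately from the archive (ideally with the off-site or second-cloud copy), otherwise a backup that is corrupted as a whole takes its own checksums with it. Restoring into a fresh location rather than over the live data is deliberate: the drill must never be able to damage production.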

2.17.         Monitoring

Your organisation should establish a process to log and monitor user and system activity to identify and help prevent data breaches. Your organisation should record events and retain them so that they can serve as evidence.  Monitoring should also cover intrusion attempts against cloud services and operator-run systems; operators should be required to provide regular reports to you.
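The following added example (not code from the original page) shows what the failed-login limit in 2.14 and the monitoring in 2.17 look like in practice when run over a constructed, simplified login log: a per-account counter that triggers the lockout, and a per-source counter that catches password spraying, which a per-account lockout alone never sees because each account only fails once or twice. The log format, thresholds and time window are assumptions; map them onto the authentication log your systems actually produce.

```python
"""Failed-login monitoring: account lockout plus password-spraying detection.

Added example. The log line format ("<ISO timestamp> <OK|FAIL> user=<name> src=<ip>")
is a constructed simplification, not any product's real format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammers alice, then tries three other accounts once
# each; a second source is a user who mistypes twice and then logs in.
SAMPLE_LOG = """\
2024-12-04T08:00:01 FAIL user=alice src=203.0.113.7
2024-12-04T08:00:03 FAIL user=alice src=203.0.113.7
2024-12-04T08:00:04 FAIL user=alice src=203.0.113.7
2024-12-04T08:00:06 FAIL user=alice src=203.0.113.7
2024-12-04T08:00:07 FAIL user=alice src=203.0.113.7
2024-12-04T08:00:09 FAIL user=bob src=203.0.113.7
2024-12-04T08:00:10 FAIL user=carol src=203.0.113.7
2024-12-04T08:00:12 FAIL user=dave src=203.0.113.7
2024-12-04T08:00:20 OK user=bob src=198.51.100.20
2024-12-04T09:30:00 FAIL user=erin src=198.51.100.21
2024-12-04T09:30:02 FAIL user=erin src=198.51.100.21
2024-12-04T09:30:09 OK user=erin src=198.51.100.21
"""

MAX_FAILURES = 5                 # assumption: lock after 5 failures...
WINDOW = timedelta(minutes=10)   # ...within 10 minutes
SPRAY_THRESHOLD = 3              # assumption: one source failing against 3+ accounts = spraying


def parse_line(line):
    """Turn one log line into a dict; raises ValueError on a malformed line."""
    ts, result, user_field, src_field = line.split()
    if result not in ("OK", "FAIL"):
        raise ValueError(f"unknown result in line: {line!r}")
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def analyse(log_text):
    """Return (accounts_to_lock, spraying_sources) as two sets."""
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    recent_failures = defaultdict(list)   # user -> failure timestamps still inside WINDOW
    users_per_source = defaultdict(set)   # src -> distinct users it has failed against
    to_lock = set()

    for e in events:
        if e["ok"]:
            recent_failures[e["user"]].clear()   # a successful login resets the counter
            continue
        fails = [t for t in recent_failures[e["user"]] if e["ts"] - t <= WINDOW]
        fails.append(e["ts"])
        recent_failures[e["user"]] = fails
        if len(fails) >= MAX_FAILURES:
            to_lock.add(e["user"])
        users_per_source[e["src"]].add(e["user"])

    spraying = {src for src, users in users_per_source.items()
                if len(users) >= SPRAY_THRESHOLD}
    return to_lock, spraying


if __name__ == "__main__":
    locked, sprayers = analyse(SAMPLE_LOG)
    print("lock accounts:", sorted(locked))
    print("alert on sources:", sorted(sprayers))
```

On the sample, only alice crosses the lockout threshold, but the same source also failed against bob, carol and dave, which is the spraying pattern; it is that second signal that should raise the automated intruder alert mentioned in Annexure C. Erin's two mistakes followed by a success are ordinary user behaviour and raise nothing.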

2.18.         Patch management

Your organisation should establish a process to ensure that software is kept up-to-date and the latest security patches are applied. This will help to prevent the exploitation of technical vulnerabilities.

2.19.         Boundary firewalls

Your organisation should establish boundary firewalls to protect computers from external attack and exploitation. Firewalls should aim to ensure the protection of personal data in networks.

3.      Practical Measures based on the UK Cyber Essentials Framework

Practical organisational and technical measures drawn from the UK Cyber Essentials Framework described above are provided below. Implementing and maintaining these will satisfy the requirements contained in POPIA Condition 7: Security Safeguards, and together they form a coherent but simple information security management system.

3.1.             Organisational Measures

Organisational measures should include, as a minimum, the following items from the UK Cyber Essentials Framework:

  • The appointment of an Information Security Officer or manager to manage the security of information. This is normally a company-wide role.
  • Identification of reasonably foreseeable risks to personal information.
  • Ensuring that identified risks are managed effectively.
  • Implementation of an Information Security Policy which covers the management of information security.
  • Implementation of sub-policies guiding employees in their responsibilities for information security. Annexure A provides a recommended list of information security policies.
  • Management of access rights to systems on a ‘least privilege’ basis: a user or user profile should have access only to the specific data, resources and applications needed to complete a required task, and access should be reviewed when roles change and when people leave.
  • Employee training covering the basics of information security, highlighting the importance of, and each person’s responsibility for, the confidentiality of information, especially personal information.
  • Obtaining an undertaking from all employees to protect company information, including personal information.
  • Establishment and management of operator contracts, including cloud service providers where appropriate.
  • An annual review of your organisation’s security posture; consider using an external service provider to conduct the assessment.

3.2.             Technical Measures

Technical Measures should include the following as a minimum:

  • Implementing a perimeter firewall with a default-deny inbound policy, allowing only the services that must be reachable from outside.
  • Ensuring strong passwords on all devices and, where supported, multi-factor authentication.
  • Implementing and maintaining endpoint security technology, including antivirus, anti-malware, anti-ransomware and disk encryption, on all front-end and back-end devices.
  • Ensuring that the security measures listed above are effective and that they address the risks identified in the risk assessment described in 2.1.
  • Monitoring attempted intrusions into the environment which may result in a compromise or breach of personal information. This should include services provided by operators.
  • Establishing a process to routinely back up electronic information, including personal information and data held in cloud services. You should also test the restoration of backups regularly to check the effectiveness of the back-up process.
  • If your organisation uses Microsoft 365, it is important to secure the tenant yourself: under Microsoft’s shared responsibility model the customer remains responsible for its own data, identities and configuration, so Microsoft will not accept responsibility for loss or compromise caused by the absence of such measures. Annexure C provides a list of questions to help you assess this.

Annexure A. Recommended list of information security policies

  • Information Security Policy (overarching policy)
  • Clean Desk Policy
  • Acceptable Use Policy
  • Access Control Policy
  • Information Security Incident Management Policy
  • Information Technology Equipment Disposal Policy
  • Personal Information Backup Policy
  • POPIA Staff Notice & Consent Form template
  • POPIA Employee compliance commitment undertaking

Annexure B: Sample appointment letter for an Information Security Officer.

A separate document has been provided.

Annexure C:  Microsoft 365 Security Checklist

  • Are Microsoft 365 backups taken, to a service separate from the tenant?
  • Is multi-factor authentication enforced for all users, administrators first?
  • Are legacy app passwords still in use (for example for older clients connecting to SharePoint or Exchange)? They bypass the MFA prompt and should be phased out.
  • Is file encryption in use in the cloud?
  • Is malware and ransomware protection in use in the cloud?
  • Is encryption for data in transit (TLS) in use?
  • Is Exchange Online Protection (EOP) or a similar e-mail filtering solution in use?
  • Are automated intruder alerts raised, for example on repeated failed logins?
  • Is real-time threat detection in use?
  • Are Data Loss Prevention processes/solutions in place?
  • Are role-based access control (RBAC) policies and practices in place?
  • Is an external support company in use, and is its access covered by an operator agreement and limited to what it needs?

Author: John Cato

Version: 1.0

Date:     4 December 2024

© 2025 POPI Solutions