POPIA Security Safeguards Requirements


The POPI Act (POPIA), like most privacy and data protection laws, includes requirements for protecting the personal information under the control of organisations. These requirements are neither prescriptive nor detailed, which raises the question: what is security, and what safeguards are required?

Security safeguards are not only an essential part of privacy and data protection compliance; they are also an essential capability for every organisation today. This raises the question: what are security safeguards in terms of POPIA?

POPIA requires all organisations to secure the integrity and confidentiality of the personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures to prevent:

  • The loss of, damage to or unauthorised destruction of personal information; and
  • The unlawful access to or processing of personal information.

This raises a further question: what are appropriate, reasonable technical and organisational measures? POPIA requires organisations to identify all reasonably foreseeable risks to personal information and to establish measures to reduce and manage the identified risks.

POPIA further requires organisations to give due regard to generally accepted information security practices and procedures.

In light of the above, organisations should consider the following in order to address these requirements:

  • A personal information risk assessment should be conducted;
  • A suitable, generally accepted information security practice (i.e. one based on recognised standards and frameworks for information security and cyber security) should be identified.

Organisations should conduct an assessment of the current state of personal information security using an assessment tool for the preferred standard or framework. IACT-Africa offers assessment tools and services for the following:

  • UK ICO SME Security Assessment (suitable for small to medium-sized organisations);
  • NIST Cybersecurity Framework Assessment (suitable for medium to large organisations);
  • ISO 27001 and 27002 (suitable for organisations that need to demonstrate their commitment to information security practices to stakeholders).

Personal Information Risk Management

Condition 7 in POPIA requires organisations to do the following:

Section 19: The Responsible Party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—

(a) loss of, damage to or unauthorised destruction of personal information; and

(b) unlawful access to or processing of personal information.

In order to give effect to subsection (1), the responsible party must take reasonable measures to—

(a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b) establish and maintain appropriate safeguards against the risks identified;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

© 2025 POPI Solutions