There could be serious operational, financial and legal implications for businesses that actively outsource a large proportion of their operations to third party service providers, particularly some critical business activities once the new Protection of Personal Information Act (POPI) comes into effect. These concerns will affect the outsource service providers too.
“Organisations need to keep in mind that they are entirely accountable, in terms of POPI, for the protection of individuals’ and legal entities’ personal information which has been collected by them and transferred to third parties for processing and/or storage – regardless of whether this information is in electronic or hard copy form,” says Michiel Jonker, director: IT Advisory at Grant Thornton Johannesburg.
A recent Grant Thornton International Business Report (IBR) survey regarding Outsourcing in 2014, reveals that, of the 48% of South African businesses who admit to outsourcing their business processes, a surprising 73% stated that it is their IT functions which are outsourced to a third party service provider.
The POPI Act, which was gazetted in November last year, and which is currently awaiting an effective date, requires widespread reforms that both the private and public sector must introduce to ensure that the personal information and data they collect are protected. The new Act also provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.
Jonker laments that sadly we’ve now entered an era where the mere promise – in the form of a service level agreement (SLA) by a service organisation to protect the privacy of individuals’ information – will no longer be enough, especially when critical services are outsourced to a service organisation or where sensitive data is in the possession of the third party.
“Ensuring that a service provider’s privacy practices and controls are appropriate is the responsibility of the client,” says Jonker. “Every organisation will be responsible for ensuring that a clause is included in the SLA for either the right to audit the service organisation’s privacy practices and controls every year or to receive an audit report annually from an independent audit firm, acting on instruction of the service organisation, expressing an audit opinion on the state of the third party’s privacy controls.”
Naturally, the auditing of privacy practices for clients will generate a great deal of additional administration for the service providers’ employees in order to complete a multitude of privacy audits. Service organisations will also not be able to deal at an operational level with a wide range of different auditors, all appointed by different clients to audit exactly the same privacy controls, year after year.
Jonker advises that the best option is for the service providing organisation to have an independent professional services firm to issue one report – a service organisation control (SOC) report – which can be distributed annually to all clients.
“Service providing organisations will have to ensure that they negotiate the audited SOC report on privacy during SLA negotiations, in order to avoid too many auditors appointed by different clients auditing the same controls,” continues Jonker.
Service organisations’ auditors have already been auditing internal controls specifically relating to financial reporting purposes for many years (e.g. the SAS 70 report that has recently been replaced by SSAE16 in the USA and Canada or the ISAE3402 report which is the international equivalent for this).
However, under other standards such as AT101 in USA and Canada reports can be issued on principles not relevant to financial reporting, such as controls required that relate to security, availability, confidentiality, processing integrity and privacy principles.
Jonker stresses that POPI’s seventh condition requires businesses to enforce proper “security safeguards” to protect personal information and to enforce data integrity and confidentiality.
Condition Seven also outlines safeguards to be implemented in order to prevent loss of, damage to or unauthorised destruction of personal information, which therefore deals with proper data backup and restoration as well as disaster recovery and business continuity practices to prevent the loss of personal information.
“International best practices regarding the protection of data, either in electronic or any other form, and specifically personal information, must be considered,” he continues. Examples of international best practices include COBIT, ISO and Trust Services*.
The privacy principle of Trust Services deals with 10 privacy principles, namely – management; notice; choice and consent; collection; use; retention and disposal; access, disclosure to third parties; security for privacy; quality and monitoring; and enforcement.
“It is clear that the security and processing integrity principles of Trust Services are part and parcel of the privacy principle which is also addressed by POPI,” says Jonker. “International best practices refer to the availability of IT systems and data as an essential part of security.”
It is anticipated that audit firms in South Africa may be able to report under the International Standard ISAE 3000 on POPI compliance, with the option to make use of Trust Services’ five principles (i.e. security, availability, confidentiality, processing integrity and privacy) as a guideline to assess POPI compliance.
“Many service organisations will be looking for a solution to put their clients’ POPI fears at rest and an SOC report on privacy is the highest assurance an organisation can obtain, from its third parties, on privacy while continuing to exercise accountability in terms of POPI,” Jonker says. “It will be considered as an even higher level of due care exercised by the company than just a mere SLA.”
As always, though, these SOC reports could be fairly expensive and service organisations will have to calculate how best to absorb these additional costs.
“But with so many South African businesses not ready for POPI yet, it is going to be a long and bumpy road towards achieving an unqualified report. Organisations will have to bear in mind that any task is certainly achievable and if the requirements are carefully broken down into an adequate number of smaller milestones, POPI compliance can be achieved effectively,” Jonker concludes.