The Protection of Personal Information (POPI) Act will give businesses the opportunity to reinvent their enterprise data storage and management, says Hitachi Data Systems (HDS).
Speaking at the Hitachi Information Forum in Johannesburg last week Friday, HDS experts outlined the changing data storage and management environment, noting that big data and new legislation were forcing a fresh look at data storage and management.
Today, enterprises face more than just exponentially growing volumes of data to manage: they must also be in a position to identify the relevant data from a vast pool of ‘dark data’ in order to tap into the ‘treasure trove of data’ which businesses can use to innovate and stay ahead of the competition.
POPI to impact data management and storage
Cleo Becker, HDS Regional Counsel Sub-Saharan Africa, Middle East and Turkey, Israel, highlighted the impact of the Protection of Personal Information (POPI) Act on the data centre. “There are three key principles of POPI that are important for those working in the data centre environment,” she said.
• You need to be aware of provisions of the Act relating to purpose specification, security safeguards and data subject participation. These provisions state that anyone collecting, processing or storing personal information must make the data subject aware of the purposes for which it will be used and destroy it after this purpose has been achieved.
• You must ensure that adequate security safeguards are in place to maintain its integrity and confidentiality, and
• You must enable data subject participation in that if a person requests a deletion or change to the data, the business must find and permanently delete this data from every source.
“Importantly, businesses should also be aware of the fact that POPI differentiates between personal information and special personal information. Special personal information includes areas like medical history, race, religion and criminal records – these are subject to an even higher standard of security than just personal information.”
These provisions impact on the management and storage of data in a number of ways, she explained. As the majority of personal information held by enterprises relates to their customers and employees, businesses need to be aware of the legislation governing the management and storage of each type of data.
For example, the prescribed period of data retention in South Africa is three years. “POPI says you can’t keep the personal information for longer than needed to achieve the purpose for which it was collected or subsequently processed,” says Becker. “So, for employee information, you keep it for the lifetime of the employment relationship and at least for three years thereafter so that you can settle any employment or pay disputes. Customer information would be kept for the lifetime of the contract and at least three years after that to settle any disputes. After that, you need to securely delete it, destroy it or de-identify it in a way that it can no longer be reconstituted at a later date.
“In South Africa, multiple bodies enforce conflicting data retention laws. SARS asks individuals to store tax information for up to five years, whereas FICA and RICA demand that you collect and retain personal customer information for a specified period of time. So it’s very important that you know the type of personal information you’re collecting and the applicable retention legislation, as specific laws will overrule the general retention period prescribed by the POPI.”
Storage itself is also an important element, said Becker. “The Electronic Communications and Transactions (ECT) Act is important when using electronic records for evidentiary purposes – for example, when you want to use certain emails in a dispute in the CCMA. You need to ensure that the data is saved in the same format in which it was created. When the court assesses the evidentiary weight of that data message, they are going to be looking at how it was maintained and stored.”
The changing data centre
Compliance will require changes in the data centre, Becker said. “You need to know what kind of personal information you’re storing. You need to conduct a risk assessment and be aware of all the internal and external risks. And once you’ve done that you need to put adequate security safeguards in place to protect against those risks, and constantly review them to ensure that they are enforced. You will then improve your data quality and that leads to a greater ROI on other work streams such as data analytics. It also reduces the risk of loss of the information and, ultimately, leads to greater customer loyalty and trust.”
Echoing this sentiment, Stuart Cheverton, Business Development Consultant – File and Content Solutions at HDS South Africa, said: “We have to look at managing our data a little differently. We have to cope with large amounts of data, we have to decide what is relevant and what isn’t. Compliance with legislation such as POPI will help us put these policies in place. Once we embark on this road, we will get to a point where we start reducing the volume of data we are storing and managing, which gives us the ability to more effectively extract valuable information from this data.”