Kathy Gibson reports from Reimagine 2015 – as the cloud becomes more pervasive, companies and individuals are growing concerned about how much of their personal data is held in the cloud; and whether it’s secure.
Privacy has different connotations for different people but is, broadly speaking, the right to be let along, or freedom from interference or intrusion. Information privacy is the right to have some control over how your personal information is collected and used.
In South Africa, privacy is dealt with in common law and section 14 of the Bill of Rights which deals with a person’s right to privacy and various pieces of legislation have arisen from this.
As the technology gets more sophisticated and invasive the use of data has the potential to infringe on our right to privacy. Fortunately, South African law has moved quite quickly to meet the needs.
The Protection of Personal Information (POPI) Act is based on the OECD, which has developed commercial principles on which many policies have been based. This means that our local legislation is very much in line with what other countries in the world are doing.
So how does POPI impact companies and individuals with particular relation to the cloud?
There are eight conditions within the act, says Lucy Philips, co-founder of Concilium Technology, pointing out that companies need to ensure they need to have permission to have the data in the first place.
The question is no longer whether information can be obtained, but rather whether it should be obtained, how it is obtained; where it is stored; and how it should be used.
One of the first conditions is accountability – if you hold information, you are accountable for it. Even if it is held by a third party, you are still responsible for it. This means you need to have an agreement with the service provider that sets out the obligations that the act imposes on you, and places them on the service provider.
The next condition is the purpose specification, and it has to be with the express consent of the data subject and must be collected directly from the data subject.
There are exceptions to this condition, however: if the data is in the public domain deliberately by the data subject; if the ends of justice or national security are threatened; if the subject gave consent to another source and agreed that it could be passed on; and if there is any criminal activity.
A further condition relates to further processing. Personal information can only be used for the purpose it was originally obtained. So companies must identify the purpose for which information is processes up front.
The next condition is that the information must be of high quality: it needs to be up to date, accurate and not misleading.
Openness is another condition. The data subject must know that you have the data, how you got it, what you are planning to do with it and what other organisations have access to it. To make sure this condition is met companies need processes, policies and corporate governance to look after the data and ensure it is safe. In a large organisation this also means ensuing all computers ae protected, especially if the users are dealing with sensitive data.
Staff training is also important. And there should be someone charged with looking after data security, including ensuring the cloud service provider does what they need to do.
“Following on from that, organisations need to ensure that their data is secure. A safe way to assess if you are using the correct cloud service provider is to ensure it emanates from a country with a Safe Harbour agreement – so the US – or from the EU. The legislation in these countries is similar to South Africa’s.”
The last condition is data subject participation. This means data subjects are able to request, free of charge, if the company holds personal information, and they can request a deletion or correction of the information. The law requires that information is kept for a certain period, generally between five and 30 years, after which it needs to be safely disposed of.
There are also rules that prevent the transfer of data into and out of South Africa, Philips says. POPI allows the transfer of personal data out of the country as long as it is to a region that has legislation protecting information; there need to be binding corporate rules in the organisation; and a binding agreement with the South African company and entity outside the country. These agreements must uphold POPI principles.
Philips outlines some practical steps that companies should take to ensure POPI compliance:
* Appoint a person charged with safeguarding personal information;
* Identify what personal information is in your company holds;
* Identify any potential risks to the information;
* Establish internal and external policies and processes;
* Verify the effectiveness of those policies and processes regularly; and
* Ensure our agreement with service providers caters for the requirements in POPI.
“POPI isn’t as scary as a lot of organisations thought it would be. The best advice I would offer is to have a good agreement in place; and that you have set up good processes and policies,” Philips says.