Protection of Personal Information Act

This post takes a look at South Africa's Protection of Personal Information Act from the perspective of a software architect. It is not a slog through a thicket of legalese, or a route march through ISO/IEC 27001, but a high-level tour of those sections of the Act that you should think about if your job is to build or enhance systems involving personal information, especially in the context of hybrid cloud deployments.

So what is the POPI Act all about?

The South African Constitution includes the right to privacy, and that right extends to the right to control access to your personal information. The Protection of Personal Information Act, fondly known as the POPI Act, or POPIA, gives effect to that right, and brings us in line with similar international regulations, such as the European General Data Protection Regulation (GDPR) or the UK's Data Protection Act.

So POPIA is not about cybersecurity, disaster recovery, data sovereignty, promotion of access to information, or national security.

It is about providing a legal basis for your right to privacy and protection of personal information by:

1. defining the rights you have as a data subject, and what redress you have if your personal information is abused.

2. laying out the conditions that you must meet if you store or process personal information, as well as penalties if you do not protect the personal information in your care.

What is Personal Information?

The Act defines personal information to mean information "relating to an identifiable, living, natural person," which includes data such as:

• information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth;
• information relating to education or the medical, financial, criminal or employment history;
• any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment;
• biometric information;
• correspondence that is implicitly or explicitly of a private or confidential nature.

So the Act is not just about enforcing the protection of data that is vulnerable to cyber attacks: it gives legal protection to all information that is personal, private and confidential.

Data Subjects

If your personal information is processed in South Africa you have the right as the "data subject" to have your personal information processed in accordance with the conditions of the Act. In particular, Section 5 "Rights of Data Subjects" ensures that you have the right to:

• know that information is being gathered about you and to request access to personal information held about you;
• know that security has been compromised and that your personal information has been accessed by an unauthorised person;
• request the correction, destruction or deletion of your personal information;
• object to the processing of your personal information for purposes of direct marketing; and
• institute civil proceedings regarding interference with the protection of your personal information.

When I first heard about the POPI Act, I thought it was going to be a tedious shopping list of legal and technical obligations for the processors of personal data, so I was pleasantly surprised to see the extent to which it foregrounds your rights as a data subject, giving you a legal right to be an active participant in the management of your own personal information.

Responsible Parties

Chapter 3 of the Act is where COOs and CIOs must sit up and pay attention, because breaches of the conditions for processing personal information could lead to financial penalties, or even imprisonment.

You are deemed to be the "responsible party" if your organisation is domiciled in South Africa and you control the "why" and the "how" of the processing of personal information, even if the processing is outsourced to another person or company.

The Act spells out nine conditions for processing personal information, most of which are of a legal nature, but from a systems design perspective, these are worth noting:

Retention and restriction of records

Personal information must not be retained any longer than is necessary, after which it must be deleted.

This has implications for records management, as well as backup strategies. You now have an obligation to take active steps to delete or destroy data instead of leaving it to expire on some ageing tape cartridge in a safe somewhere. You will probably also need a shredder.

Data subject participation

Responsible parties must respond to queries from data subjects about any personal information that they may hold, and to delete it or correct it on request.

Business analysts must factor the participation of data subjects into information lifecycles. Citizens are no longer passive subjects of data collection.

Notification to data subject when collecting personal information

You must now notify data subjects when you collect personal information.

Furthermore, you must notify the data subject if you intend to transfer the information to a third country or international organisation, as well as the level of protection wherever it is stored.

Security measures on integrity and confidentiality of personal information

The POPI Act now makes it a legal obligation to secure the integrity and confidentiality of the personal information under your control. It includes penalties of fines or imprisonment if you are convicted of breaching the conditions.

So more pressure on CIOs and systems administrators to get backups and security sorted out, especially because you have to notify everybody affected by the breach if security is compromised, as well as the Information Regulator, and that will be awkward.

The Act makes it clear that you remain responsible for security safeguards to protect the personal information that you have have collected even if you use a hosted cloud service.

Shared responsibility

Since you can't outsource responsibility for the confidentiality of your user's personal information, if you do use a hosted cloud service provider you have an obligation to understand where the role of the cloud service provider begins and ends when it comes to security.

Cloud service providers all subscribe to a Shared Responsibility Model that carefully draws a line in the sand to ensure that you are always responsible for the security of your own data.

They will manage the security of the infrastructure according to their Service Level Agreements, but you remain responsible for encrypting data in transit and at rest, for managing your security keys, for enforcing identity and access management, and for backing up your data.

AWS, Azure, Google, and all the other hyperscalers are not going to do that for you.

Note that the Act does not oblige you to store personal information in data centres on South African soil, but you must notify data subjects if you intend to transfer the information to a third party who is in a foreign country. And that third party must be subject to legislation or regulations that provide a substantially similar level of protection.

Further information

The implications of POPIA for information management and records management are wide-ranging, so please don't hesitate to fire off a message to us if you want to know more about cloud service governance or the implications of the Act from a technical perspective.

Obligatory disclaimer: This post only considered some of the technology-related implications of POPIA, so please consult someone with an actual degree in law if you need anything that resembles real legal advice.

Credits

The feature image is licensed by the Electronic Frontier Foundation under the Creative Commons Attribution License.