With Patrick Ryan, Managing Director, and Roelien Howell, Principal Consultant, from Mobius Consulting.
POPIA: The Protection of Personal Information Act
The Protection of Personal Information Act (POPIA) aims to enforce protection of personal information by creating the lawful conditions for how this information must be managed. POPIA is closely related to the European General Data Protection Regulation (GDPR), making it a globally relevant aspect of information security which is applied locally.
Below are the Conditions for the Lawful Processing of Information:
Companies have been waiting in anticipation for the proclamation of the POPI Act, and the Information Regulator has stated with confidence that the Act will come into effect in 2020.
Taking Accountability for Data Protection when Working Remotely
Companies generally make provisions to control the flow of sensitive or personal information within office networks and physical spaces, but once employees work from home, it becomes more difficult to ensure that sensitive information remains protected. Maintaining corporate information privacy compliance in a home-based office comes with its own set of challenges.
“There is value in re-interpreting the POPI act for the home or remote working environment because, as the world changes, the workforce needs to adapt with it,” says Patrick Ryan, Managing Director of Mobius Consulting. “Whether at home or in the office, certain habits must roll over between workspaces in order to maintain corporate privacy compliance.”
One of the conditions of POPIA is accountability, which requires companies to ensure that all of the principles of POPIA are followed. Many corporations are working to comply with POPIA; however, in a home or remote working environment, the employee is responsible for ensuring that they do not (intentionally or not) violate any of the provisions stipulated in company policies that set expected behaviour for information protection and security.
It is essential that client and customer data is protected and security safeguards are in place.
“On a practical level, from a working-from-home privacy perspective, security safeguarding can be as simple as having a secure space to store notebooks and papers that contain sensitive information,” says Roelien. “Create a secure working environment where you can lock away valuable assets including any laptops or devices that may contain information that needs to be protected. Even leaving a CV of a prospective employee lying around where it may be accessed by an individual not authorised could be considered a breach of POPIA.”
Key considerations for the protection of information:
- Certain departments process higher volumes of personal information and are at higher risk for a breach of legislative requirements, for example HR, legal, and marketing.
- Take note that some data can be considered as special personal information, increasing the duty of care to protect this information, for example, reports/results of staff members who are infected with HIV or COVID-19 as well as health reports and mental health assessments.
- Companies have also had to extend their internal application networks to accommodate remote working; this places further responsibility on the employee to ensure that the application risk is managed as well.
All individuals are encouraged to take responsibility for corporate privacy when working from home offices during these special times.