Due to the Covid-19 pandemic, remote working, also referred to as smart working, has become the new norm for many employees and may remain the norm for as long as Covid-19 is part of our lives and possibly beyond. Working from home or other locations allows for enhanced employee flexibility and efficiency so long as a readily available internet connection and network facilities are available. Despite the advantages associated with smart working, connecting to home or third-party networks which do not necessarily have the same network safeguards as those put in place by companies on their internal networks may pose a compliance risk to those companies.
On 1 July 2020 a large portion of the Protection of Personal Information Act No. 4 of 2013 (“POPI”) came into effect (“Effective Sections”) together with the applicable deadline for compliance as will be expanded on later in this article. The Effective sections place certain duties on, inter alia, employers who fall under POPI’s definition of a responsible party to ensure the security, integrity and confidentiality of personal information.
Duties of Responsible Parties:
POPI defines a responsible party as a public or private body or any other person which alone or with others, determines the purpose and means for processing of personal information (“Responsible Party”). An employer may therefore fall under the definition of a Responsible Party if that employer determines the purpose and means for processing personal information.
Section 19 of POPI (Security Measures on Integrity and Confidentiality of Personal Information), one of the sections of POPI that is now in effect, requires that Responsible Parties must secure the integrity and confidentiality of personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures to prevent the following infringements to data subjects’ personal information from occurring:
- loss, damage or unauthorised destruction of personal information; and
- unlawful access to or processing of personal information,
collectively the (“Personal Information Infringements”).
To prevent the above Personal Information Infringements from occurring, section 19 of POPI requires Responsible Parties to –
- identify all reasonably internal and external risks to personal information in its possession or under its control (“Internal and External Risks”);
- establish and maintain safeguards against the identified Internal and External Risks (“Safeguards”);
- regularly verify that Safeguards are effectively implemented; and
- ensure Safeguards are continually updated in response to new risks or flaws in previously implemented Safeguards.
In addition, Responsible Parties are required in terms of section 19 of POPI to have due regard to generally accepted security practices and procedures which may be applicable to Responsible Parties due to general and/or industry specific rules and regulations.
It is important to note that in the event Responsible Parties engage a person to process personal information for those Responsible Parties in terms of a contract or mandate, without coming under the direct authority thereof (“Operator”), the Operator will also be subject to section 19 of POPI.
Deadline for Compliance:
Section 114 of POPI (Transitional Arrangements) provides for, inter alia, the time allowed for all processing of personal information to become compliant with POPI, namely 1 (one) year. All Responsible Persons must therefore be compliant with section 19 of POPI by 1 July 2021.
Entities who have embraced smart working are encouraged to review their information technology policies, ensure all Internal and External Risks have been identified and all necessary Safeguards together with the required processes to regularly assess the Internal and External Risks and Safeguards have been put in place. This must occur by no later than 1 July 2021 to ensure compliance with POPI and to prevent any potential risks which such entities may face. In addition, entities are encouraged to review their insurance policies to ensure the appropriate cover is in place for any identified Internal and External Risks.
The deadline of 1 July 2021 is fast approaching and VDMA suggests complying with POPI sooner rather than later to avoid penalties or fines due to late or non-compliance. VDMA’s team of experts are available to assist your business with all of your POPI compliance needs, including reviewing, updating and implementing appropriate information technology policies and procedures.
Published: 06 August 2020