The Protection of Personal Information Act (PoPI Act) is making a significant impact on
businesses as they continue to scramble to ensure they are compliant with regulations.
Essentially, the purpose of the PoPI Act is to provide parameters for South African
businesses for the collection, processing, storing and sharing of any personal information
supplied to them, holding them accountable for any loss or abuse of any information they
possess.
PoPI mandates the following eight conditions for the lawful handling and processing of
information:
1. Accountability - Companies receiving information are now accountable for the manner
in which the information is handled, processed and disseminated; client consent is
required before any personal information is shared;
2. Processing limitations - Personal information may only be processed in a fair and lawful
manner and only with the consent of the data subject;
3. Purpose specification - Personal information may only be processed for specific,
explicitly defined and legitimate reasons;
4. Further processing limitations - Personal information may not be processed for a
secondary purpose unless that processing is compatible with the original purpose;
5. Information dissemination and quality - Information needs to be accurate and well
maintained, and only accessed or used by those who, by law, require access to the
information;
6. Openness - The person whose information is being collected must be aware that the
company is collecting such personal information, and why;
7. Security standards - Personal information must be kept secure against the risk of loss,
unauthorised access, interference, modification, destruction and disclosure;
8. Data subject participation - People may request information as to where their personal
information is held, as well as be involved in the correction and/or deletion of any
personal information held about them.
Under the PoPI Act, any person who gives out personal details now has a right to be
informed about where their information is stored, what it is being used for and even how
many copies a business has of any supplied documents. This ensures companies are held
accountable for the manner in which they handle personal information, and companies
need to have information at their fingertips, while offering their clients full transparency
into their information, at any time. This is an arduous task for any paper-based insurance
company still using legacy storage systems and data silos.
Data driven insurance companies rely heavily on data warehouses and marts for the
storage, access and dissemination of information received. These warehouses and marts
need to ensure that the data they store is contained in a lawful manner and that they are
mindful of the processing limitations of PoPI. To comply with PoPI, insurance companies
need to gear up and start preparing for the additional administration which they will be
expected to do. Highlights of the requirements are:
Written agreements are required with service providers to confirm compliance with the PoPI Act;
The need to be open to system inspections by clients, as well as being prepared to
provide data maps confirming storage and backup locations, and access management
and tracking;
The need to be able to show service providers' landscape and back-end solutions to
verify that they are secured according to PoPI Act requirements;
To ensure any cross-border data transfers comply accordingly, including mail and
mobile synchronisation;
To secure/encrypt all relevant transmissions;
The alignment of data retention policies between service providers and their clients;
That solutions include sufficient protection by design, which is also ensured in delivery.
In order to comply with PoPI's conditions, insurance organisations need to have a measure
of control over who accesses and uses the personal information they receive from their
clients, and for what purposes the information is to be used. Using Cloud technology,
insurance companies can safely store information in a centralised location while
enabling automation. Because various departments can easily and quickly access
what they need, without being able to tamper with the information unless expressly
permitted, processes also become faster and the whole customer experience is
enhanced.
Cyber security needs to be a priority of all insurance companies who are looking to
automate and centralise their data, particularly when they make use of cloud technology.
It is imperative that companies invest heavily in this from the outset and do not add it as
an afterthought. Regulatory bodies may impose fines of up to Ten Million Rand for
violation of the PoPI Act, which can be followed up by more fines and even imprisonment,
depending on the severity of the violation, so it is in a company's best interests to be
proactive with regard to security rather than reactive.
While it is certain that hackers are continually looking for ways to get inside
organisations, it's no secret that most security breaches in companies are caused by
insider activity - misuse, accidents, disgruntled employees or people being paid by
criminal elements. These miscreants recognise that the easiest way of accessing
information is to get hold of legitimate passwords. The methods they use to do this range
from straightforward spying to social engineering, and often target privileged users.
Quite often, the ultimate target for hackers is not the company data itself but, for
example, customer records, which can contain personal information, credit card details or
healthcare records. Insurers, who handle incredibly sensitive information, should
investigate implementing security measures across all layers of their network and data
management systems, and not just look at firewalls. Effective cyber security should
include multiple ways, across all layers, to manage identity to minimise breaches.
There are a number of emerging technologies that can help insurers to remain compliant
with the PoPI Act, and at the same time protect themselves against cyber threats, while
also providing a multitude of other benefits. Disruptive technologies such as information
sharing and storing applications, the Cloud (although already a fairly entrenched
technology) and data mining tools such as social media analytics all aid
compliance while speeding up processing and improving the customer experience
through automation. It is vital, however, that these technologies be implemented
properly and with security at the top of mind to avoid them becoming the reason for non-
compliance.
The PoPI Act is going to revolutionise how organisations manage personal information
and data. Although complying with the legislation is most certainly going to affect a
business's bottom line, these costs will be significantly less compared to the fines
potentially placed on transgressors.
By relying on service providers who can lend their expertise and knowledge to the
recommendation and implementation of any new technology, insurance companies can
evade the potentially disastrous and expensive pitfalls of poor installation, unsuitable
technology, inferior cyber security systems and a data management system that doesn't
comply with the PoPI Act.
Jaqueline Van Eeden is the Financial Service Business Development Executive and Gavin
Holme is the Country Head at Wipro Limited.