The Information Regulator has been working hard on draft Protection of Personal Information (PoPI) Act regulations that will soon be tabled in parliament. The PoPI Act stipulates how companies may collect, handle, store and discard information, with heavy penalties for those that fail to comply.
PoPI can only commence once the Information Regulator is operational and once the commencement date of the Act is announced, organisations will have 12 months to comply with the Act.
Xperien CEO Wale Arewa says the PoPI commencement date could be before the end of the year. “Although the newly appointed team cannot commit to a definite date, they certainly seem to be hard at work conceptualising and thinking through the type of organisation they want to establish.”
The Information Regulator has indicated that it would be undertaking a benchmarking exercise to look at other data protection laws in other countries. The team also stressed that they wanted to be transparent and accessible and welcomed engagement with industry sectors and other stakeholders.
Furthermore, the Deputy Minister of Justice Honourable John Jeffries warned that with the POPIA commencement date looming, both public and private bodies should prepare to comply and that there was no reason to delay compliance efforts.
Arewa says the newly appointed team is tasked with ensuring that personal information is protected and that the free flow of information is promoted. “There is already a perception that this team is the PoPI Regulator, but they are not. Their mission is to ensure that both the constitutionally guaranteed right of access to information and the right to privacy are equally protected and enjoyed.”
The team has taken a strategic decision to use the expertise they have to their disposal to do the groundwork required to establish the Regulator and to use consultants where this is absolutely necessary. This will give them the opportunity to learn every aspect of POPIA, which by all accounts, is a complex piece of legislation.
Since taking office, the team established the governance structure of the Regulator. Section 49 of PoPI Act mandates the Regulator to establish one or more Committees for the proper performance of its functions. These Committees may consist of members of the Regulator or other members which the Regulator may appoint.
“They have established a number of committees and took into consideration the experience and expertise of members to designate the chairpersons of each committee. In due course, it may appoint external members to these Committees and it will do so in consultation with the Minister of Finance as envisaged in section 47(7) of PoPI Act,” says Arewa.
Most organisations have very little or no idea when it comes to the protection of personal information when disposing of redundant IT assets. By retiring technology assets wisely, businesses can offset the cost of a secure IT asset disposition programme.
He says understanding what information to protect is vital. “Once you know where this information resides, you can put a plan in place to secure it. Data encryption will help control what data leaves the organisation and also ensure that data is not accessible.”
When it comes to data leakage, employees are probably one of the weakest links in any organisation. Confidential information is often mistakenly sent to wrong email recipients and as a result, the company could be legally liable.
Arewa warns that if there is a breach, the financial implications can possibly cripple an organisation. “If found guilty, companies will face potential civil claims, fines and reputational damage.”
“The Act enforces companies to introduce strict measures and guidelines that will safeguard the processing, usage and handling of sensitive information. It places a strict onus on businesses when it comes to handling personal information about their clients, staff and customers,” he concludes.
Company executives responsible for IT asset management need to understand the principles of IT Asset Disposal (ITAD) and they need to consider regulatory compliance and the protection of company information at end of IT life cycle. IT disposal has legislative requirements, compliance to PoPI.