More than a year after the Protection of Personal Information Act (POPI) was enacted, the public sector has yet to take steps towards ensuring compliance, and it is falling dangerously behind the private sector in preparing for this important legislation.
Although the official commencement date for the legislation is still to be finalised and announced, new research by Grant Thornton indicates that, unlike the public sector, the private sector has already taken substantial steps towards becoming compliant.
Why it’s so important
We in the industry simply do not see the same level of urgency from public sector institutions. In our view this is serious, because full compliance could take a few years to attain, and in the meantime information loss, and the penalties that follow it, become increasingly likely.
The POPI Act, which was signed into law by President Jacob Zuma on 26 November 2013, regulates how anyone who processes personal information must handle, keep and secure that information. It carries strict and substantial penalties for contravention, including prison terms and fines of up to R10 million.
Several government departments hold vast banks of personal information, from ID numbers and addresses to marital status and even gun ownership details. They are therefore prime targets for information theft and have to take drastic steps to ensure compliance with the POPI Act.
On Tuesday 26 May 2015, The New York Times reported that criminals in the USA had used stolen data to gain access to the past tax returns of more than 100 000 people through an application on the website of the Internal Revenue Service (IRS).
Using personal identification numbers, birth dates and street addresses, the criminals completed a multistep authentication process and requested the tax returns and other filings. Information from those forms was then used to file fraudulent returns, and the IRS had sent nearly $50 million in refunds before it detected the scheme. The lesson for any institution holding such data is that an authentication process built on personal details offers little protection once those details have already been stolen elsewhere.
4 Steps to get up to speed with POPI
1. Treat it as a priority
The delayed announcement of the official commencement date is only one reason for the public sector's lack of action. The fact that POPI provides for a further one-year grace period from the commencement date in which to comply with its requirements is also encouraging a 'wait and see' attitude. Municipalities collect and hold substantial personal information about their residents but do not have the capacity and resources to ensure POPI compliance. Most are dealing with major service delivery issues and financial performance priorities and, understandably, are paying little attention to the requirement to manage personal information properly.
2. Realise the seriousness
This lack of progress in protecting information presents opportunities for criminal syndicates to target municipal and other government databases and electronic communications. The losses could include the exposure of confidential data, such as addresses and ID numbers, which could then be used by criminal syndicates and identity thieves. In worst-case scenarios, the cellphone and GPS tracking data of government officials could be accessed, putting their lives at risk, as has happened in other countries.
3. Start the compliance process now
The sooner public sector institutions start the process of complying with this legislation, the better. This time-consuming process starts with a comprehensive gap assessment of what personal information the institution holds, where it is stored and processed, and how it is secured, across the entire IT and information storage infrastructure. Once the gaps have been identified, a strategy can be put in place to bring the organisation into compliance with the legislation.
4. Take a lesson from the private sector
Data extracted from the International Business Report (IBR) conducted in South Africa for the first quarter of 2015 indicates that 90% of the South African privately held businesses surveyed are aware of the POPI legislation. The survey, conducted among 100 South African private businesses, also indicates that 63% of them are already taking appropriate steps towards complying with the legislation.
Despite the obvious challenges, public sector institutions could, with the right capacity and a commitment to the POPI legislation, achieve compliance in due course. It is welcome that the Auditor-General's consolidated general report on national and provincial audit outcomes indicated a slight improvement in the status of information technology controls for the 2013/2014 financial year compared with 2012/2013. These controls are crucial for POPI compliance.