The new Protection of Personal Information (POPI) Act is going to force government institutions to change their attitudes towards ICT security. Data privacy, which is built upon solid ICT security practices, will no longer be negotiable, and South African citizens are going to become more hostile towards government organisations that do not treat personal data appropriately in terms of the eight principles of POPI.
The POPI Act, gazetted in November 2013 and currently awaiting an effective date, requires widespread reforms that both the private and public sectors must introduce to ensure that the personal information and data they collect are protected. The Act also provides strict guidelines, among other things, on what data can be collected, how it can be used, and the requirement for it to be kept up to date.
The private and public sectors have been plagued by dramatic security breaches in the past few months, both in South Africa and abroad. Internationally, in the private sector, the recent security incidents at retail company Target as well as at renowned e-commerce group eBay are only two examples.
And at home it’s been reported that the Sanral website (the e-toll account management website) was hacked and the ANC Youth League’s website was defaced, while both the City of Joburg and police websites and databases were also identified as not safe or even hacked. In the case of the SAPS website hack, 16 000 whistle-blowers have had their private details exposed. These breaches have caused great concern and anxiety amongst company board members in the private sector and accounting authorities and accounting officers in the public sector.
The lesson learned is that none of these entities’ IT security practices were adequate or effective enough to prevent security incidents from occurring.