More than one year after the Protection of Personal Information Act (POPI) was enacted, the public sector has yet to take steps towards ensuring compliance.
According to public sector advisors at Grant Thornton, the public sector is falling dangerously behind the private sector in preparing for POPI.
“Despite an official commencement date for the legislation which is still to be finalised and announced, new research by Grant Thornton indicates that unlike the public sector, the private sector has taken substantial steps towards becoming compliant,” says Michiel Jonker, Director: IT Advisory at Grant Thornton Johannesburg.
Data extracted from the International Business Report (IBR) conducted in South Africa for the first quarter of 2015 indicates that as much as 90% of South African privately held businesses are aware of the POPI legislation. The survey, conducted among 100 South African private businesses, also indicates that 63% of businesses are already taking appropriate steps towards complying with the legislation.
“We in the industry just do not see the same level of urgency from the public sector institutions. In our view this is serious as it could take a few years to attain full compliance,” Jonker continues. “The risks to information loss as well as increased penalties become increasingly likely.”
The POPI Act, which was signed into law by President Jacob Zuma on 26 November 2013, regulates how anyone who processes personal information must handle, keep and secure that information. It carries strict and substantial penalties for contravention, including prison terms and fines of up to R10-million.
“Several government departments are in possession of vast banks of personal information – from ID numbers, to addresses, marital status and even gun ownership details. They are therefore incredibly vulnerable to information theft and have to take drastic steps to ensure compliance with the POPI Act,” said Jonker.
Jonker believes that the delayed announcement of the official commencement date is just one of the reasons for the public sector’s lack of action. In addition, the fact that POPI provides for a grace year from the commencement date in which to comply with its requirements is also encouraging this ‘wait and see’ attitude.
“It is simply not treated as a priority at this stage. Municipalities collect and hold substantial personal information of their residents but do not have the capacity and resources to ensure POPI compliance. Most are dealing with major service delivery issues and financial performance priorities and understandably are paying little attention to this requirement of managing personal information,” warns Jonker.
He added that this lack of progress presented opportunities for criminal syndicates to target municipal and other government databases and electronic communication. The losses could include exposure of confidential data, addresses, ID numbers and contact information, as well as cellphone and GPS tracking data.
On Tuesday 26 May 2015, The New York Times reported that criminals in the USA had used stolen data to gain access to the past tax returns of more than 100,000 people through an application on the Internal Revenue Service’s (IRS) website. Using personal identification numbers, birth dates and street addresses, the criminals completed a multistep authentication process and requested the tax returns and other filings. Information from those forms was used to file fraudulent returns, and the IRS sent nearly $50 million in refunds before it detected the scheme.
“The sooner public sector institutions start with the process of compliance with this legislation the better,” Jonker said. “This time-consuming process starts with a comprehensive gap assessment across the entire IT and information storage infrastructure. Once the gaps have been identified then a strategy can be put in place to ensure that the organisation complies with the legislation.”
Jonker said despite the obvious challenges, public sector institutions, in support of the POPI legislation and with the right capacitation, could ensure compliance in due course.
Encouragingly, though, the Auditor General’s consolidated general report on national and provincial audit outcomes indicated a slight improvement in the status of information technology and controls for the 2013/2014 financial year compared to 2012/2013. These controls are crucial for POPI compliance.