PoPIA in plain English

There are many crucial factors involved in the Protection of Personal Information Act (PoPIA). For compliance, it is imperative for transport operators to fully understand all these factors and how they play out in the real world.

PoPIA has been established to protect the personal information of entities as well as individuals. Since the commencement of this Act on July 1, 2020, local e-signature provider Impression Signatures has made it its mission to freely provide relevant information regarding the Act to organisations through its PoPIA Campaign.

“There are serious penalties for non-compliance, and we want to ensure that organisations have the relevant tools to assist them in realigning operations, where needed, to comply with the Act. Especially in a time of global economic uncertainty, small businesses need support,” says Carrie Peter, solution owner at Impression Signatures.

Three of the crucial areas that must be discussed include de-identifying, information matching programmes, and filing systems.

DE-IDENTIFYING DATA

This refers to when data that could potentially identify someone, either on its own or in combination with other data, is hidden or removed. Data is considered identifiable of a data subject if it reveals the subject’s identity directly; if it can be manipulated to identify them indirectly; or if it can be linked to other data that would, in turn, identify them.

“Essentially, the de-identifying of the data is a cornerstone of PoPIA. This Act is directly purposed to protect personal information. It is imperative, therefore, that organisations are aware of identifying data and that they take the necessary steps to make that data anonymous by hiding or removing it,” explains Peter.

When organisations are working with data that is essential to provide a necessary service or business operation, any identifying data that is not required must be de-identified – and the data set must be completely de-identified before it is shared. “An example of this is an online order. Initially the customer’s name and address may be required for delivery, but once the delivery has been made that identifying data is not required for stocktake records. The data should therefore be de-identified before sharing the stock numbers,” Peter continues.

INFORMATION MATCHING PROGRAMMES

Another key area of compliance relates to the use of an information matching programme. These programmes are designed to collect, compare, clean, and organise sets of information. A manual or digital match and comparison is run on two sets of information, including documents that hold personal information about 10 or more data subjects.

“When utilising these programmes, it is imperative that consent is obtained for any and all information utilised and stored by an organisation. This consent needed extends to older data sets that are stored within the organisation’s filing systems, and so on,” says Peter. “This means that organisations need to track down, match, clean, and sanitise their historical data sets to ensure that the data is consolidated and secured. Consent for new and historical data must be explicitly secured for each piece of data, for the exact reason for which that data is required.”

FILING SYSTEMS

The third crucial area to be addressed is that of filing systems: any set of personal data records stored by an organisation. These records may be manually stored in a filing cabinet, or digitally stored, centralised, decentralised, or dispersed on a functional or geographical basis.

This data can be accessed with specific search criteria, such as an alphabetical search. For compliance, these records must be safely secured to avoid them being lost, stolen, or misused. This can be achieved by restricting access to digital storage or using a lockable filing cabinet. Access to these records should only be granted to those who have obtained the necessary consent from the data subject(s).

“All three of these areas are crucial when it comes to compliance to PoPIA. Once understood, compliance in these areas is easily managed,” notes Peter.

There is, however, another crucial area in the path to PoPIA compliance:

SECURING PoPIA DATA PROTECTION AGREEMENTS

Many businesses have been struggling with the logistics involved in getting legally signed PoPIA data protection agreements back from clients. This puts organisations at exceptional risk and can result in a number of serious consequences.

“This is a dire challenge that companies are facing at present,” explains Steven Moriarty, sales manager at Impression Signatures.

According to Moriarty, it is imperative that businesses not only receive these PoPIA client data protection agreements back timeously, but that the agreements are also executed in a legally sound manner (even when signed electronically) and in the right format. “Due to the highly confidential quality of the information being provided, it is essential that the most secure and reliable solutions are being utilised throughout the entire process,” he says.

He adds that response-handling, management, and reporting have proven consistently difficult for many businesses: “Up until now the onus has been on the business, but here the response from the client becomes vital. Organisations need the necessary support to ensure that they receive a timeous response and that these responses are effectively managed and reported, as well as being implemented into secure progress dashboards and insightful reporting.”

With the help of advanced technology, such as the offering from Impression Signatures, these processes become seamless and automated, allowing for a quick, efficient, and struggle-free experience. “Putting the right processes and solutions in place ensures data protection agreements can easily be dispatched to all clients to be signed electronically and automatically returned with responsive handling,” says Moriarty. “This makes the process easy, efficient, and remarkably secure.”

Published by

Jaco de Klerk

In his capacity as editor of SHEQ MANAGEMENT, Jaco de Klerk is regarded as one of the country’s leading journalists when it comes to the issue of sustainability. He is also assistant editor of FOCUS on Transport & Logistics.