“I’m the owner of a small advisory firm. A few days ago, one of my employees left his laptop in the car during the weekend and it was stolen out of his car. I now hear that the IT guys forgot to have encryption activated on his laptop. With client information on the laptop I’m worried about whether I could be in breach of POPIA. Am I?”
Data security has become an essential consideration for just about every business, small or large. With a constantly increasing amount of personal and sensitive client data being captured and maintained by businesses, it has become an imperative for all businesses to have the necessary data security frameworks in place.
To help regulate such frameworks, the Protection of Personal Information Act 4 of 2013 (“POPIA”) has been promulgated. Although not fully in operation yet, it already plays a vital guiding role for businesses should they collect, store, use and/or destroy personal information of clients.
POPIA also provides for the rights and remedies of persons whose rights have been infringed in terms of POPIA and therefore obliges parties dealing with personal information to take care in handling such information and protect the public against the incorrect and unauthorised access and use of their personal information. This means that any personal information your business processes or stores must be adequately protected, irrespective of whether such storage is in digital or in hardcopy format. This is to prevent that data is misused by third parties for fraud, identity theft, abusive marketing practices or other unauthorised purposes.
Accordingly, the obligation on businesses to ensure the security and integrity of personal information is one of the most important principles for the lawful processing of data in terms of POPI, since security failures and breaches have the potential for data subjects to suffer significant harm. POPIA requires that for data security businesses must implement appropriate and reasonable technical and organisational measures to prevent the loss of, damage to, unauthorised destruction of, unlawful access to or the unlawful processing of personal information.
This is quite a mouthful. What it boils down to is, a business must take into account generally accepted data security practices and procedures that can be put in place including such practices as may be required by or be standard for the industry in which it operates. This means that there is not a standard set of data security rules that can be selected, but rather that the appropriate data security measures will have to be designed and implemented in accordance with the nature and practices of each business, the type of personal information they process and the potential harm that may emanate from a potential security breach. Additionally, any specific industry practices or standards relevant to the business should also be taken into account in establishing an appropriate data security framework.
A few examples of physical and technical data security measures that can be employed include CCTV cameras, security systems, safes, anti-virus software, access control, file and server encryption, firewall software, password policies, secure file destruction protocols etc. Here the advice of technical specialists will be important to help guide you in the necessary security measures to be employed by your business.
The reality through is, that despite all measures that can be employed by a business a breach of data security can still occur. It is therefore important that a business must have a data security policy which includes an incident response plan detailing how the business and employees should deal with a potential data security breach. This is vital to address the breach and ensure that the impact is mitigated and managed and potentially affected parties informed timeously of the breach.
POPIA also requires that a business, in the event that its data security is compromised and unauthorised access to personal information ensues to notify the Information Regulator of the breach as soon as reasonably possible after discovery of the breach. POPIA also requires that the affected data subject (unless their identity cannot be established) must be notified of such data security breach where there is reason to believe that the personal information of the data subject has been accessed or acquired by any unauthorised person. This notice must contain sufficient information for the data subject to adequately protect themselves against any potential consequences of the compromise in data security.
To answer your question, once POPIA comes into effect the theft of the laptop with personal information thereon could amount to a breach of POPIA given that your business would have to have the necessary data security procedures and practices in place. In addition, POPIA would require you to disclose the potential breach to the Information Regulator as well as to all potentially affected data subjects. Additionally, the breach should have been dealt with in accordance with the incident response plan of the business to help mitigate the risks of a data security breach.
As should be clear from the above, data security should not be taken lightly and a business, small or large, should ensure that it has the necessary framework in place and that employees are aware and trained in the data security requirements of the business. Given that this is a specialised field, it may be advisable to consult with data security specialists to help guide you in establishing the correct framework and policies and ensure that your business is fully compliant with POPIA.