Frequently Asked Questions

Topics

Tenant FAQ
Landlord FAQ
Legal
Help
Manual
StaffSure FAQ
POPIA Definitions
POPIA FAQ
Residential Leasepack
Commercial Leasepack
Sales Pack
HR Pack
Data FAQ
eSign
Schools

Ask TPN

Enter the reference code to access the TPN wiki article directly:

POPIA FAQ

What is a Readiness Questionnaire?

The POPI readiness questionnaire scores your readiness for POPI compliance and implementation. It is not an assessment (Personal Information Impact Assessment), but merely the first step in the process in POPI compliance.

Why do I need to do a Readiness Survey?

It is important to perform your readiness survey because it determines your readiness for POPI implementation through 4 different modules; governance, people, procedure and technology. It will give you an overview of your POPI readiness.

Is it compulsory to do a Readiness Survey?

No, it is not. It is valuable because it gives you an overall determination of your POPI readiness, but it in not compulsory in terms of the Act.

What is PIIA?

A Personal Information Impact Assessment (PIIA) is a process to help you identify and minimise the data protection risks from processing personal information.

Do I have to do a Personal Information Impact Assessment (PIIA) to be POPIA compliant?

Yes, according to the POPIA regulation 4(b) you are required do Personal Information Impact Assessment (PIIA) for all processing of personal information.

What is an accountable person?

This is the party or person who takes responsibly for complying with and implementing any policies or procedures in terms of the function on behalf of the business.

What is Special Personal Information?

Special personal information is defined in terms of Section 26 of the Act. Special personal information includes, a data subject's:

Race
Sex
Pregnancy
National, ethnic or social origin
Colour
Sexual orientation
Physical or mental health, well-being or disability
Religion, conscience, belief or culture
Medical history
Criminal history
Biometric information
Trade union membership
Political persuasions

What is sensitive personal information?

Sensitive personal information is information that can identify the data subject. This can include information such as the data subjects: ID numbers (Individuals) , Bank Account details (Individuals or Juristic e.g. companies) and Tax Numbers (Individuals or Juristic e.g. companies).

What is access control?

Access control is a security safeguard which is implemented to mitigate the risk of unauthorised persons accessing personal information in your business. It relates to the level of access that a user has to a company system and whether that access is needed to perform his or her duties. Access control should be granted taking into consideration the principle of minimality. A user should not have more access than what is required in their respective role.

How do you decide what volumes of information you process?

The volume of information is relative and open to interpretation. It depends on your business, for instance, a bank would consider 10 000 records as minimal volume, where an estate agency would consider the same number as high volume.

Why do I need to worry about GDPR?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). This is applicable in South African as it is possible that you keep personal information on EU citizens.

What is segregation of duties?

Segregation of Duties (SOD) is vital for sustainable risk management and applies to internal controls for a business. SOD is based on shared responsibilities of key processes that disperses the critical functions of that process to more than one person or department. Without SOD, fraud and error becomes a much greater risk for any business.

What is the lawful processing of information?

The lawfulness of processing personal information must be determined using all 8 pillars of lawful processing in terms of POPIA. The 8 pillars for lawfully processing personal information are:

a. Accountability

b. Processing limitation

c. Purpose specification

d. Further processing limitation

e. Information quality

f. Openness

g. Security safeguards

h. Data subject participation

How do you know if you need consent from clients and if it is mandatory?

Personal information may not be processed without consent unless any one of the factual scenarios in section 11 of POPIA is applicable. If any of the factual scenarios is present, consent is not needed. The factual scenarios include if:

1. it is required to conclude or perform the contract;

2. the party processing the information (the responsible party) is required to do so ‘by law’;

3. the processing protects a legitimate interest of the consumer;

4. the processing is necessary for the performance of a ‘public law duty’; or

5. it is done in pursuit of the legitimate interests of the responsible party.

When should you notify a data subject that you are collecting information and how do you known it complies with POPI?

The pillar of openness is paramount. This pillar requires all responsible parties to document all data processing operations as required under extant of POPIA. Responsible parties must also suitably notify data subjects when collecting personal information. The notice should include purpose for information collection, the law authorising collection, intention to transfer information to any third party, details of the responsible party and whether providing the information is voluntary or mandatory.

What is confidentiality, integrity and availability of PI?

The confidentiality, integrity and availability of data relates to measures that the IT department or relevant department must implement to ensure POPIA compliance. The security measures must ensure that data is processed confidentially, with integrity and must be available at the request of the data subject.

What is inherent risk?

This is the risk that is inherent to a specific function and sub process and is measured before taking control measures into account.

If Personal Identifiable Information (PII) were to be lost in that specific sub process it might have a Critical, High, Medium or Low impact.

Where the volume of PII is low and the type of personal information is not sensitive or special personal information is not processed the Inherent risk might be low.

Where the volumes of the PII is high in a sub process and there is sensitive and special personal information are processed in that sub process the Inherent Risk might be Critical.

What is residual risk?

The residual risk is the risk that remains after the control measures have been taking into account.

If there are no control measures in place the Residual Risk will be the same as the Inherent Risk.

The more control measures that are in place the higher the impact on the residual risk that remains. There might be a High Inherent Risk but because of the control measures the Residual risk is Medium.

The Residual risk is the one that an organisation can control by adding control measures. The Residual Risk should always be at an acceptable level for an organisation. If it is to high more control measures should be added.

What do critical indicators mean?

A critical indicator would show when either inherent, residual, or behavioural risk is defined as Critical. This means one of the risk indictors shows an issue with the information captured or shows a potential problem with your processes and requires immediate focus.

If your Inherent risk is Critical, this means your company holds a high volume of personal information some of which may relate to GDPR members or children.

Typically, there is nothing that can be done to resolve this, but it may help to check retention periods of documents as stated on retention policy as well as ensuring your residual risk is lower and shows your control measures are sufficient.

If your residual risk is critical, this indicates a huge issue and immediately action is required to safeguard the information in your possession by applying control measures.

If your behavioural risk is critical, this may mean you are not complying to seven pillars of lawful processing. This should be investigated, and measures taken to ensure you take these several measures into account in your company’s processes.

What does high risk mean?

TBC

What does low risk mean?

TBC

What does medium risk mean?

TBC

What is a control measure?

Control measures are an action and/or activities that are taken to prevent, eliminate or reduce the occurrence of a risk that you have identified.

How do I register an Information Officer?

These are the steps given on the Information Regulators website.

Download the Registration form you need HERE

How I send out the TPN POPI Training video to my staff?

TPN has recorded some training videos to help your staff understand what POPI is and what it means for your company.

The link is sent to each staff member via email and you are able to track who has watched a link directly in the POPI Portal.

·        Login to the POPI Portal on https://popia.tpn.co.za/Account/Login

·        On the left-hand navigation select "Training"

·        Click “+Add" button

· Select “Add Online Video” off the dropdown menu

· Select one of the three videos available

· Fill in details of your training and “Save”

· Once done, Click “+Add” to invite the staff would you like to send the video too

· Click the Invite now and send your staff a link via Video

If your staff are not showing on the list please add them under “Staff”, found on the lefthand navigation – click here to see how

Why do I need to add my staff to the POPI Portal?

You will need to add staff to complete the following actions:

· Assign action items from your action plan;

· Allocate departments in your impact assessment;

· Add them to the minutes of meetings;

· Record all training conducted;

· Send them links to training videos.

How do I add a Staff member to the POPI POrtal?

·        Login to the POPI Portal,
·        Click “Staff” on the lefthand navigation,
·        Click “+Add”,
·        Complete the staff members details,

· Click “Save”

Do I need my clients and tenants to sign a document regarding Information Privacy, to comply with POPIA?

The TPN Lease Pack and Sales Pack make provision for POPIA in the Mandates and in the Lease agreements. Signing additional documents or policies is not required.

If you are signing an agreement with a new vendor or supplier you would need to check the documentation carefully to ensure POPIA is adequately covered.

If you are unsure, ask for the new Vendor/ Supplier to sign the Information Privacy Policy that is published on the TPN POPI Portal.

How do you explicitly define the purpose you use information for?

Processing of Personal Information must be performed with a specific purpose in mind of which the data subject must be aware.

The retention, time periods and restriction of information must also be taken into consideration. Thus, data cannot be collected or processed for one specific and defined purposes and used for another purpose without the data subjects consent.

What is the Principle of Minimality?

The principle of minimality mostly refers to access control or the actual processing of personal information. Personal information may only be used if the purpose for which it is used is adequate, relevant and not excessive. For access control a user should not have more access than what is required in their respective role.

What is a Specific and defined purpose?

Processing of personal information must be performed with a specific purpose in mind of which the data subject must be aware.

The retention, time periods and restriction of information must also be taken into consideration.

Thus, data cannot be collected or processed for one specific and defined purposes and used for another purpose without the data subjects consent.