Frequently Asked Questions

Topics

Commercial Leasepack
Data FAQ
Downloads
eSign
FICA
Help
HR Pack
Landlord FAQ
Legal
Legal & Disclosures
Manual
PAIA
POPIA Definitions
POPIA FAQ
Rental Acts
Residential Leasepack
Sales Pack
Schools
Staff Screening Portal
StaffSure FAQ
Tenant FAQ

Ask TPN

Enter the reference code to access the TPN wiki article directly:

POPIA Definitions

Inherent Risk

This is the risk that is inherent to a specific function and sub process and is measured before taking control measures into account.

If Personal Identifiable Information (PII) were to be lost in that specific sub process it might have a Critical, High, Medium or Low impact.

Where the volume of PII is low and the type of personal information is not sensitive or special personal information the Inherent risk might be low.

Where the volumes of the PII is high in a sub process and there is sensitive and special personal information in that sub process the Inherent Risk might be Critical.

Residual Risk

The residual risk is the risk that remains after the control measures have been taking into account.

If there are no control measures in place the Residual Risk will be the same as the Inherent Risk. If there are adequate control measures in place it will reduce the Inherent Risk.

Access Management

Access management is the umbrella term for tools and technologies controlling user access to critical information within a company.

Access Management aims to grant authorised users the right to use a service, while preventing access to non-authorised users.

GDPR

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).

Governance

Governance refers to a strategy for managing an organisation's overall direction and management. This function is normally governed by various committees or boards. Their activities include oversight, strategic planning, decision-making and financial planning.

Information Officer and Deputy Information Officer

POPIA designates the head of the business as the Information Officer. Depending on the type of business, the Information Officer will be the sole trader, a partner in a partnership or CEO (or equivalent) in a company or CC. The head of the business can delegate their responsibilities as Information Officer to any other duly authorised person. It is important to note that whoever “determines the purpose of and means for processing personal information” remains ultimately responsible for ensuring that the processing of personal information is done in a lawful manner. The Information Officer may also appoint (in writing) as many Deputy Information Officers as necessary.

Logical controls

Logical controls mean the authentication and authorisation of users to a company system or program. Logical access controls use advanced password programs and advanced biometric security features. These features identify the employee. The system then determines whether the employee has appropriate authorization to access data.

Minimality

Personal information may only be processed, if the purpose for which it is processed is:

Adequate
Relevant
Not excessive

Physical controls

Physical controls means the restriction of access to a physical space within the company. This type of access control limits access to rooms or buildings and may include server rooms. In addition, physical access control keeps track of who is coming and going in high risk areas.

PIIA

A Personal Information Impact Assessment (PIIA) is a process to help you identify and minimise the data protection risks from processing personal information.

POPI

POPI is the colloquial term used for the Protection of Personal Information Act 4 of 2013, as well as any Regulations thereto.

POPIA

POPIA means the Protection of Personal Information Act 4 of 2013, as amended from time to time.

Reasonable

The term reasonable relates back to the common law principle of the reasonable man. A reasonable man or reasonableness relates to what a hypothetical person who exercises average care, skill and judgement would consider justifiability correct.

Retention Period

Retention periods are different for any data that a company collects.

It is vital that a Retention and Destruction Policy and Procedure be implemented in your business to document these periods.