POPIA FAQ
The POPI readiness questionnaire scores your readiness for POPI compliance and implementation. It is not a Personal Information Impact Assessment, but merely the first step in the POPI compliance process.
It is important to perform your readiness survey because it determines your readiness for POPI implementation through 4 different modules: governance, people, procedure and technology. It will give you an overview of your POPI readiness.
No, it is not. It is valuable because it gives you an overall determination of your POPI readiness, but it is not compulsory in terms of the Act.
A Personal Information Impact Assessment (PIIA) is a process to help you identify and minimise the data protection risks from processing personal information.
Yes. According to POPIA regulation 4(b) you are required to do a Personal Information Impact Assessment (PIIA) for all processing of personal information.
This is the party or person who takes responsibility for complying with and implementing any policies or procedures in terms of the function on behalf of the business.
Special personal information is defined in terms of Section 26 of the Act. Special personal information includes a data subject's:
- Race
- Sex
- Pregnancy
- National, ethnic or social origin
- Colour
- Sexual orientation
- Physical or mental health, well-being or disability
- Religion, conscience, belief or culture
- Medical history
- Criminal history
- Biometric information
- Trade union membership
- Political persuasions
Sensitive personal information is information that can identify the data subject. This can include information such as the data subject's ID number (individuals), bank account details (individuals or juristic persons, e.g. companies) and tax numbers (individuals or juristic persons, e.g. companies).
Access control is a security safeguard which is implemented to mitigate the risk of unauthorised persons accessing personal information in your business. It relates to the level of access that a user has to a company system and whether that access is needed to perform his or her duties. Access control should be granted taking into consideration the principle of minimality. A user should not have more access than what is required in their respective role.
The volume of information is relative and open to interpretation. It depends on your business, for instance, a bank would consider 10 000 records as minimal volume, where an estate agency would consider the same number as high volume.
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). This is applicable in South Africa because it is possible that you keep personal information on EU citizens.
Segregation of Duties (SOD) is vital for sustainable risk management and applies to the internal controls of a business. SOD is based on shared responsibility for key processes: the critical functions of a process are dispersed to more than one person or department. Without SOD, fraud and error become a much greater risk for any business.
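The two answers above (access control under the principle of minimality, and segregation of duties) describe checks that are easiest to understand as an access review run over an entitlement export. The following is an added example, not code from the TPN POPI Portal: the roles, permission names, role baseline and conflict pairs are constructed assumptions, and the sample export is made up for illustration.

```python
"""Access review for the principle of minimality and segregation of duties.

Added example, not the TPN portal's own code. The roles, permissions,
baseline matrix and conflict pairs below are constructed assumptions."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumed baseline: the permissions each role needs to perform its duties.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "tenant_admin": {"view_tenant_record", "edit_tenant_record", "upload_id_document"},
    "finance_clerk": {"view_bank_details", "capture_payment"},
    "finance_manager": {"view_bank_details", "approve_payment", "view_tenant_record"},
    "auditor": {"view_tenant_record", "view_bank_details", "view_audit_log"},
}

# Assumed SOD rules: duties that should not sit with the same person.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"capture_payment", "approve_payment"}),
    frozenset({"edit_tenant_record", "approve_payment"}),
}


def excess_permissions(role: str, granted: Set[str]) -> Set[str]:
    """Permissions the user holds beyond what the role baseline needs.

    An unknown role has an empty baseline, so every permission is excess."""
    return set(granted) - ROLE_BASELINE.get(role, set())


def sod_violations(granted: Set[str]) -> List[Tuple[str, ...]]:
    """Conflicting duty pairs that are both present in one user's grants."""
    held = set(granted)
    pairs = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held]
    return sorted(pairs)


def review_user(user: str, role: str, granted: Set[str]) -> Dict[str, object]:
    """Produce one finding record for a user; 'compliant' is True only when
    there is neither excess access nor an SOD conflict."""
    excess = excess_permissions(role, granted)
    conflicts = sod_violations(granted)
    return {
        "user": user,
        "role": role,
        "excess": sorted(excess),
        "sod_conflicts": conflicts,
        "compliant": not excess and not conflicts,
    }


def review_all(entitlements: List[Tuple[str, str, Set[str]]]) -> List[Dict[str, object]]:
    """Run the review over an export of (user, role, granted permissions)
    and return only the users that need attention."""
    return [r for r in (review_user(*row) for row in entitlements) if not r["compliant"]]


# Constructed sample export; in practice this comes from the system's user/role dump.
SAMPLE_ENTITLEMENTS: List[Tuple[str, str, Set[str]]] = [
    ("sipho", "tenant_admin", {"view_tenant_record", "edit_tenant_record", "upload_id_document"}),
    ("thandi", "finance_clerk", {"view_bank_details", "capture_payment", "approve_payment"}),
    ("jane", "auditor", {"view_tenant_record", "view_bank_details", "view_audit_log", "edit_tenant_record"}),
]

if __name__ == "__main__":
    for finding in review_all(SAMPLE_ENTITLEMENTS):
        print(finding)
```

In the sample export, the clerk who can both capture and approve payments is flagged twice (excess access against the role baseline, and an SOD conflict), while the auditor with an unexpected edit right is flagged for excess access only. The two checks are deliberately separate: a grant can be within the role baseline and still conflict with another duty the same person holds.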
The lawfulness of processing personal information must be determined using all 8 pillars of lawful processing in terms of POPIA. The 8 pillars for lawfully processing personal information are:
- a. Accountability
- b. Processing limitation
- c. Purpose specification
- d. Further processing limitation
- e. Information quality
- f. Openness
- g. Security safeguards
- h. Data subject participation
Personal information may not be processed without consent unless any one of the factual scenarios in section 11 of POPIA is applicable. If any of the factual scenarios is present, consent is not needed. The factual scenarios include if:
1. it is required to conclude or perform the contract;
2. the party processing the information (the responsible party) is required to do so ‘by law’;
3. the processing protects a legitimate interest of the consumer;
4. the processing is necessary for the performance of a ‘public law duty’; or
5. it is done in pursuit of the legitimate interests of the responsible party.
The pillar of openness is paramount. This pillar requires all responsible parties to document all data processing operations as required under POPIA. Responsible parties must also suitably notify data subjects when collecting personal information. The notice should include the purpose of the collection, the law authorising the collection, any intention to transfer the information to a third party, the details of the responsible party, and whether providing the information is voluntary or mandatory.
The confidentiality, integrity and availability of data relates to measures that the IT department or relevant department must implement to ensure POPIA compliance. The security measures must ensure that data is processed confidentially, with integrity and must be available at the request of the data subject.
This is the risk that is inherent to a specific function and sub-process and is measured before taking control measures into account. If Personally Identifiable Information (PII) were to be lost in that specific sub-process it might have a Critical, High, Medium or Low impact.
Where the volume of PII is low and the type of personal information is not sensitive or special personal information, the inherent risk might be Low.
Where the volume of PII is high in a sub-process and there is sensitive and special personal information in that sub-process, the inherent risk might be Critical.
Residual risk is the risk that remains after the control measures have been taken into account. If there are no control measures in place the residual risk will be the same as the inherent risk. If there are control measures in place they will reduce the inherent risk.
A critical indicator shows when either inherent, residual or behavioural risk is rated Critical. This means one of the risk indicators shows an issue with the information captured or a potential problem with your processes, and requires immediate focus.
If your inherent risk is Critical, your company holds a high volume of personal information, some of which may relate to GDPR members or children. Typically there is nothing that can be done to resolve this, but it may help to check the retention periods of documents as stated in your retention policy, as well as ensuring your residual risk is lower and shows that your control measures are sufficient.
If your residual risk is Critical, this indicates a serious issue and immediate action is required to safeguard the information in your possession by applying control measures.
If your behavioural risk is Critical, this may mean you are not complying with the seven pillars of lawful processing. This should be investigated, and measures taken to ensure you take these pillars into account in your company’s processes.
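The inherent risk, residual risk and critical indicator answers above, together with the earlier remark that record volume is relative to the business, describe a scoring model that is clearer when written out. The following is an added example and not the TPN portal's own scoring algorithm: the four-level scale, the additive rule (one step for sensitive data, one for special personal information), the one-step-per-control reduction, the threshold figures and the sample sub-processes are all assumptions made for illustration.

```python
"""Worked example of the inherent / residual / critical-indicator risk model.

Added example, not the TPN portal's scoring algorithm: the level scale,
the scoring rule, the control reduction and the thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = ["Low", "Medium", "High", "Critical"]  # index 0..3

# Volume is relative to the business (assumed thresholds, in records).
BANK_THRESHOLDS: Dict[str, int] = {"medium": 100_000, "high": 1_000_000}
ESTATE_AGENCY_THRESHOLDS: Dict[str, int] = {"medium": 1_000, "high": 5_000}


@dataclass
class SubProcess:
    name: str
    record_count: int
    sensitive: bool = False   # identifiers such as ID numbers, bank details, tax numbers
    special: bool = False     # section 26 categories, e.g. medical or criminal history
    controls: List[str] = field(default_factory=list)  # control measures in place


def volume_level(record_count: int, thresholds: Dict[str, int]) -> int:
    """Band a record count as 0 (low), 1 (medium) or 2 (high) for this business."""
    if record_count >= thresholds["high"]:
        return 2
    if record_count >= thresholds["medium"]:
        return 1
    return 0


def inherent_risk(sp: SubProcess, thresholds: Dict[str, int]) -> str:
    """Risk before controls: volume band plus one step each for sensitive
    and special personal information, capped at Critical (assumed rule)."""
    score = volume_level(sp.record_count, thresholds) + int(sp.sensitive) + int(sp.special)
    return LEVELS[min(score, len(LEVELS) - 1)]


def residual_risk(sp: SubProcess, thresholds: Dict[str, int]) -> str:
    """Risk after controls: each control lowers the level one step (assumed);
    with no controls the residual risk equals the inherent risk."""
    idx = LEVELS.index(inherent_risk(sp, thresholds)) - len(sp.controls)
    return LEVELS[max(idx, 0)]


def critical_indicator(inherent: str, residual: str, behavioural: str) -> bool:
    """True when any of the three risk indicators is Critical."""
    return "Critical" in (inherent, residual, behavioural)


def assess(sp: SubProcess, thresholds: Dict[str, int], behavioural: str) -> Dict[str, object]:
    """Full assessment record for one sub-process; behavioural risk comes
    from the questionnaire, so it is passed in rather than computed here."""
    inherent = inherent_risk(sp, thresholds)
    residual = residual_risk(sp, thresholds)
    return {
        "sub_process": sp.name,
        "inherent": inherent,
        "residual": residual,
        "behavioural": behavioural,
        "critical": critical_indicator(inherent, residual, behavioural),
    }


# Constructed sample sub-processes for an estate agency.
VETTING = SubProcess("tenant vetting", 10_000, sensitive=True, special=True)
VETTING_CONTROLLED = SubProcess("tenant vetting", 10_000, sensitive=True, special=True,
                                controls=["encryption_at_rest", "role_based_access"])
NEWSLETTER = SubProcess("newsletter list", 500)

if __name__ == "__main__":
    for sp in (VETTING, VETTING_CONTROLLED, NEWSLETTER):
        print(assess(sp, ESTATE_AGENCY_THRESHOLDS, behavioural="Low"))
```

With the assumed thresholds, 10 000 vetting records are a low volume for the bank but a high volume for the estate agency, so the same sub-process scores High for one business and Critical for the other. Adding two controls to the estate agency's vetting process brings the residual risk down to Medium while the inherent risk stays Critical, which is the pattern the critical indicator text describes: the inherent rating is a property of the data held, and only the residual rating reflects what the controls achieve.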
TBC
TBC
TBC
Control measures are an action and/or activities that are taken to prevent, eliminate or reduce the occurrence of a risk that you have identified.
These are the steps given on the Information Regulator's website.
Download the registration form you need here.
TPN has recorded some training videos to help your staff understand what POPI is and what it means for your company. The link is sent to each staff member via email and you are able to track who has watched it directly in the POPI Portal.
- Log in to the POPI Portal at https://popia.tpn.co.za/Account/Login
- On the left-hand navigation select “Training”
- Click the “+Add” button
- Select “Add Online Video” from the dropdown menu
- Select one of the three videos available
- Fill in the details of your training and click “Save”
- Once done, click “+Add” to invite the staff you would like to send the video to
- Click “Invite now” to send your staff a link to the video
If your staff are not showing on the list, please add them under “Staff”, found on the left-hand navigation (click here to see how).
You will need to add staff to complete the following actions:
- Assign action items from your action plan;
- Allocate departments in your impact assessment;
- Add them to the minutes of meetings;
- Record all training conducted;
- Send them links to training videos.
To add a staff member:
- Log in to the POPI Portal
- Click “Staff” on the left-hand navigation
- Click “+Add”
- Complete the staff member's details
- Click “Save”
Processing of personal information must be performed with a specific purpose in mind, of which the data subject must be aware. The retention, time periods and restriction of information must also be taken into consideration. Thus, data cannot be collected or processed for one specific and defined purpose and used for another without the data subject's knowledge thereof.
The principle of minimality mostly refers to access control or the actual processing of personal information. Personal information may only be used if the purpose for which it is used is adequate, relevant and not excessive. For access control a user should not have more access than what is required in their respective role.