Clauses 18, 19, 20 and 21 of the Bill set out the specific requirements of this principle in some detail. In terms of the Bill the obligation to maintain the security of personal information is made up of the following elements:
- the organisation’s responsibility to implement security measures to safeguard personal information held by the organisation
- the organisation’s responsibility in respect of personal information that is processed by third parties on behalf of the organisation
- the organisation’s responsibility to notify stakeholders if personal information has been compromised in any way.
We will look at each of these elements individually.
Duty to implement security measures
There is a general duty on an organisation to secure the integrity of the personal information under its control. This means that the organisation must ensure that personal information is protected against the risk of unauthorised access, modification or loss. The Bill attempts to remain technologically neutral by not prescribing the specific security measures that must be implemented to ensure compliance. Instead an organisation is required to consider the various information security standards, practices, procedures and codes that are generally or specifically applicable to it in order to determine what security measures would be best suited to the particular organisation. Common internationally recognised standards and/or practices that could be adopted include the ISO 27000 series (Information Security Management Standards), CoBIT (Control Objectives for Information Technology), ITIL (Information Technology Infrastructure Library) and PCI-DSS (Payment Card Industry Data Security Standard). Additionally, organisations are encouraged to take into account the local regulatory requirements for effective information management as contained in the Electronic Communications and Transactions Act and the relevant IT governance sections of King III.
In terms of the Bill, an organisation must conduct regular risk assessments to identify and manage all reasonably foreseeable internal and external risks to personal information under its control. The purpose of this is to assist the organisation to implement the most effective security safeguards in response to the identified threats. Regular assessments are also required to ensure that the safeguards continue to be relevant and continue to respond effectively to the threats identified by the organisation. If they are found to be ineffective, the organisation must ensure that the security safeguards are continually updated to cater for new risks or threats faced by the organisation.
Organisations must remember that the identification of threats must not be limited to the technology risks associated with the processing of personal information. Instead, in order to be effective, it is recommended that these risk assessments be broad enough to cover other internal and external risk factors such as people, physical security, other regulatory compliance requirements and third party processors.
Duty in respect of third party processors
One of the biggest practical challenges for an organisation in attempting to comply with the Bill is likely to arise from the requirements relating to external parties that process personal information on behalf of the organisation. The fact that an organisation’s personal information may at any point be processed on its behalf by a third party does not absolve the organisation of its obligations as the party responsible for compliance with the Bill. Examples of third party processors include call centres, outsourced payroll administrators, marketing database companies, recruitment agencies, psychometric assessment centres, document management warehouses, external consultants etc.
An organisation must consider the following key obligations in respect of its third party processors:
- The third party may not process personal information on behalf of the organisation without the knowledge and authorisation of the organisation.
- The organisation must ensure that the third party implements the security measures required in terms of Principle 7.
- There must be a written contract in place between the organisation and the third party which requires the third party to maintain the confidentiality and integrity of personal information processed on behalf of the organisation.
- If the third party is located outside of South Africa, the organisation must ensure that the third party complies with any foreign laws relating to personal information applicable to the third party.
As a first step, it is suggested that an organisation begins to identify which of its third party relationships are likely to be impacted by the Bill. Thereafter it would be wise for the organisation to initiate a third party contractual management review to ensure that the requisite contracts are in place, have been formally signed off and contain adequate provisions for protecting the confidentiality and security of personal information. While this may prove to be time consuming, it is not an insurmountable task.
On the other hand, the requirements in the Bill that the organisation must ensure compliance by third parties are more problematic. It is not clear what the drafters meant by “ensure” in this context. Many have argued that it is overly onerous to require an organisation to “audit” every single third party processor to ensure that they have the correct security measures in place. This will be particularly burdensome to larger organisations that currently deal with thousands of third party processors. Much will depend on how strictly the Regulator and the courts will choose to interpret this requirement in the future. In the meantime, it is suggested that reviewing, updating and aligning an organisation’s current third party contractual arrangements will go a long way towards ensuring adequate and effective compliance with the requirements of Principle 7.
Duty to notify of security compromises
In the event that personal information has been compromised, or if there is a reasonable belief that a compromise has occurred, the organisation (or a third party processing personal information on behalf of the organisation) must notify affected parties of the compromise. Clause 21 of the Bill sets out the nature, contents and manner of the notification as follows.
- Who must be notified?
  - The Regulator (to be established)
  - The affected individuals whose information may have been compromised.
- When must the notification take place?
  - “As soon as reasonably possible” after the compromise has been discovered.
  - Once again, the Bill does not define what would constitute “reasonableness” in this context. However, it does make provision for the notification to be delayed in order to further the interests of law enforcement or to enable the organisation to properly determine the scope of the compromise before making it public.
- How must the notification be done?
  - In writing
  - Mailed to the individual’s last known physical/postal address
  - E-mailed to the individual’s last known e-mail address
  - Prominently displayed on the organisation’s website
  - Published in the news media
  - As required by the Regulator.
- What must the notification contain?
  - Enough information to allow affected individuals to take protective measures against further loss/damage arising from the compromise.
  - The identification of any unauthorised party that may have access to the compromised information.
It is likely that future guidance relating to the form and content of the notification will be provided through the publication of Regulations after the Bill has been enacted. In the meantime, organisations may want to update their current incident management processes to include the notification requirements contained in the Bill as far as reasonably possible.
Conclusion
Many organisations believe that their current information security environments are sufficiently mature to meet the requirements of Principle 7. However, it is likely that the biggest challenge for an organisation arising from this principle will revolve around the effective management of its non-technologically based security risks. Thus, when designing an information security risk assessment it will be prudent for an organisation to widen its scope beyond the technology risks associated with information processing and focus on other threats such as physical security, people management and third party relationships.
Applying Principle 7 to your organisation
Below are a few questions that can assist in determining how ready your organisation is to begin dealing with the implications of Principle 7:
- Does your organisation’s risk management strategy include risks related to the processing of personal information?
- Does your organisation have an information security policy? If yes, does the policy make specific reference to personal information?
- Does your organisation classify personal information based on sensitivity?
- Does your organisation have strong identification and authentication controls to limit access to personal information?
- Does your organisation back up personal information on a regular basis?
- Does your organisation limit the number and categories of employees who have access to personal information? How? For example, security clearance, segregation of duties etc.?
- Does your organisation periodically review the effectiveness of its security controls in relation to personal information? If yes, how often are the reviews conducted/security controls upgraded?
- Does your organisation conduct periodic information security training and awareness programmes? If yes, how often?
- Does your organisation have processes for maintaining confidentiality, for example, confidentiality agreements, shredding of documents, special disposal mechanisms etc?
- Does your organisation enter into agreements with third parties who process personal information on behalf of the organisation (for example, recruitment agencies, psychometric assessment centres, payroll administration, document management warehouses etc)? If yes, do these agreements address issues relating to information security safeguards, confidentiality, legal compliance and jurisdiction of laws?
- How does your organisation ensure the reliability of third parties before allowing them to process personal information?
- Does your organisation have an incident management strategy for dealing with information security breaches? If yes, does the strategy deal with critical incidents arising specifically from personal information breaches?
- Does your organisation’s incident management strategy include notification procedures to individuals whose personal information may have been compromised?
- What is the manner of notification used by your organisation in the event of personal information breaches?
- Does your organisation’s notification contain details of the security breach, including the actual information that was compromised, the identity of the person responsible for the breach and any measures that the individual concerned may take to protect her/himself from any further consequences arising from the breach?