Some high-level best practices for securing, storing and accessing data:
- Physical security (PCs locked to a fixture, locked computer room)
- Network security controls
- Password controls
- Virus & Malware protection
- Software updates
- Disaster recovery & back-up policy
Applying a practical approach in meeting compliance and mitigating risk:
- Reading, identifying and scanning for areas of risk
  - This further involves understanding the POPIA Act itself, which is freely accessible
  - This pertains to the roles and responsibilities mandated by law
  - What the implications, liabilities and processes would be in the event of non-compliance
- Identify the different types of personal information your organisation processes, how this is stored and what data you actually require. From this investigation, create a list that shows the key information required and how your process complies with Chapter 3 of the Act.
- This investigation will be the basis of how you approach compliance, as well as of how you implement procedures, protocols and codes of conduct for handling data subjects' personal information.
- Identify any internal or external risks: staff risks, gaps in training and access to the premises
- Identify each person’s role and how they use personal information in their day-to-day activities
- Training should be regularly conducted
- An information officer needs to be appointed in alignment with the Act
- How personal information is stored, recorded or accessed on the premises; this also covers biometric access, CCTV and password protocols.
- Assessing, creating and implementing the risk gap analysis, protocols, procedures, training and other requirements to mitigate unauthorised use of or access to personal information
- Consider how information is destroyed, whether physical or digital
- Review and update all forms in order to comply with POPIA, taking into account:
  - Only asking for relevant information
  - That it is collected for a specific purpose
  - Explicitly drawing attention to its lawful purpose in relation to the purpose of your organisation's business
- Update and add disclaimers that state which parts of the personal information will be used, for what period of time, with which third parties the information will be shared, and why
- Check your Opt-In clauses and also include the option to Opt-Out or unsubscribe from your correspondence or marketing notices
- Accommodate data subjects' right to request their records and the destruction thereof, and inform data subjects when their information is shared with other processors or third parties
- Data subjects' access to their information should be free of charge and within reasonable timeframes
- The way data is collected, stored and destroyed needs to be considered, i.e. cross-shredding machines for paper documents, and computer cleaners, formatters and shredders for digital data
- Metrofile and the National Association of Information Destruction are good sources for protocols and best practices around document destruction
- Data storage should be reviewed, with systems in place to identify outdated and duplicate information. A data clean-up schedule along with a review team should assist with monitoring the quality of data.
- Understanding how third parties fit into the risk assessment and how this risk can be mitigated
  - How does the use of a third-party service provider impact on, and comply with, the Act?
  - Are there any risks presented by this outsourced third-party service?
  - If we receive referrals from third-party sources that contain a data subject's personal information, do we make sure that the data subject is aware of whom the organisation received the information from and for what purpose?
- Keeping the above in mind, be cognisant that the responsible party retains full responsibility even if a third-party provider is negligent in complying with the Act when processing the information