Monday, 31 August 2015

Overview of the Protection of Personal Information Act

Protection of Personal Information Act (POPI): how will it affect you?

We live in an increasingly digital world, of that there can be no doubt. Many of us will not go a single day without checking e-mail, Facebook, Instagram, Twitter or some other form of digital material. We are all leaving a digital footprint, and our personal information is often freely accessible with the click of a mouse and a few taps on a keyboard.
Mindful of the fact that personal information is often exploited for commercial gain (it is a vital business asset for marketing and advertising purposes), or used by those with dubious intentions to commit fraud or send a plethora of unsolicited spam e-mail, the South African Government has signed the Protection of Personal Information Act (POPI) into law.

POPI essentially sets out conditions and reasonable standards for the collection, use, storage and dissemination of any form of personal information. An independent Information Regulator will be established in the next few months and enforcement will be strictly monitored: the most serious offences under the Act carry a maximum penalty of 10 years in prison, and the Regulator may impose an administrative fine of up to 10 million Rand.

Although POPI was signed into law on 19 November 2013 (following a painfully slow process through parliament), it is not yet fully effective. Only a small part of the legislation is currently in operation, and the full Act will only come into effect when President Jacob Zuma gives notice of a commencement date in the Government Gazette. Most anticipate this start date to be towards the end of 2015, and no later than 2016. Moreover, companies and individuals will have a further period of one year from that date to become fully compliant. So although panic is not required just yet, it is now time to consider what steps to take in order to be compliant.
First, the critical element to understand about POPI is the definition of personal information. What is it? Simply, any information relating to an identifiable, living natural person or, where applicable, an identifiable, existing juristic person (a company, for example).

It is quite a broad definition and can include, for example, any form of contact details (e-mail addresses, telephone numbers, physical or postal address information); demographic or personal information (race, age, sex, identity number, blood type); the history of an individual (medical, financial, educational, criminal, employment, memberships of associations or organisations); and it is wide enough to include personal opinions about a product or service, or any form of personal correspondence. The point is that the definition is extremely broad.

With the above in mind, POPI sets out eight conditions that a company or individual must comply with if they collect, use, link, store or share any type of personal information. Briefly, the conditions oblige a person or entity to collect information only for a specific purpose, to store it securely, to ensure the information is relevant and accurate, to collect only what is required, and to allow the "data subject" to inspect and correct it. Importantly, personal information may only be processed with a lawful justification, and in most everyday cases that means the data subject has consented. For direct marketing by electronic means (e-mail, SMS and the like) the Act goes further and requires that the person has specifically "opted in", subject to an exception dealing with existing clients.

All of the above should be documented in a written policy, and all employees of a business that collects personal information must be aware of POPI, the company policy, and how to go about the collection, storage and sharing of the information.

So, what can you do? First, you must be familiar with POPI if you collect, process, store or share personal information. You must have a policy and ensure your employees are trained. You must further ensure your IT systems are adequate for the secure storage and retention of the data. And, above all, you must ensure your collection of data is compliant with POPI; failure to do so may result in hefty fines and even jail time. This has meant a change in the status quo for many corporate entities (banks, insurers, financial service providers and so on). However, many small to medium businesses are operating in blissful ignorance and continue to do what they have always done. If you are someone who is affected by POPI (most businesses will be), now is the time to think about compliance.

About the author: Lee Swales (LLB, LLM) is a law lecturer at the University of KwaZulu-Natal and a consultant to Swales Inc. He can be contacted on lee@swalesinc.com

Sunday, 23 August 2015

Information security: Ashley Madison legal action mounts...

By now, news of the Ashley Madison hack is widespread. The online dating and social network service seeks to facilitate infidelity by targeting people who are married or in a committed relationship. Its tagline is "Life is short. Have an affair."

Depending on the source, it has been reported that the private information of between 32 and 39 million users has been compromised, including names, e-mail addresses, credit card information, transaction history, user messages, and internal e-mail messages belonging to the Ashley Madison parent company.

The hackers responsible, known as the Impact Team, stated in a recent interview that they will target "any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians..."

The data leak has led to many red-faced CEOs, bankers and government officials; extortion of affected users appears likely at some point.

While you may feel zero empathy or sympathy for those affected, the take-away point here must be that the internet is insecure (but permanent). To think you are anonymous and that your personal information is safe online is probably foolhardy. As CNN points out, everything is tracked and the internet is inherently insecure; no company can really guarantee privacy.

Many countries now have comprehensive data protection legislation, which is a good thing. However, legislation does nothing to protect data before the fact; although it will encourage best practice in data security going forward, many hackers remain a step ahead of the game.

In Canada, the holding companies that own Ashley Madison (the website is based in Canada) have recently been served with a $578 million class action based on the breach of personal information. In the US, a class action seeking $5 million in damages was also recently launched.

In South Africa, the Protection of Personal Information Act (POPI) was recently signed into law; it primarily seeks to prevent the negligent disclosure of personal information.

That being said, POPI is not yet fully operational, but once it is (which is imminent) it will place South Africans in a similar position to those in the US, Canada, New Zealand, the UK and others in terms of data security legislation.

Some 49 000 affected users are from South Africa, according to a useful infographic on mybroadband's website. However, even if the Information Regulator created by POPI were already established (this is still in progress), the Regulator may not be in a position to impose fines (or other corrective action) on entities that operate outside the borders of South Africa. Further, a legal action in South Africa's courts against Ashley Madison would probably also fail for lack of jurisdiction.

By way of example, the Privacy Commissioner in New Zealand (similar to what South Africa's Information Regulator will be) lists advice about what to do and who to complain to (for New Zealand citizens affected by the hack) here, but has said it is not sure it can do much more than investigate, and doubts whether it has jurisdiction to take the matter further.

Back to South Africa. Companies will have a one-year grace period to fully comply and will be required to demonstrate compliance through documented policies and procedures; these documents must show compliance with the eight conditions contained in POPI. The core message of POPI is the reasonable use, storage and dissemination of personal information, and ensuring that the information is accurate.

Therefore, even if a data breach occurs in South Africa as a result of hacking, a company that can show it took all reasonable steps (according to current industry best practice) may well avoid fines or further action. The key here is that the company takes reasonable steps, not every possible step. Clearly, these steps and internal procedures must be set out in a written (or electronic) document, and all employees must be aware of the policy and how to use (and not use) personal information. If your company does not yet have a data security (POPI) policy and/or procedure, the time to put one in place is now.

Finally, in my view, and based on the limited information available in the media, it appears that Ashley Madison did not take all reasonable precautions, particularly in light of the fact that some users paid a fee (about $20) for a "full delete" of their personal information, and yet this information is still contained within the data that was posted online.

Further, in a reported interview with the hackers, it was claimed that security on the website was "bad", that "nobody was watching" and that there was "no security".

From a layman's perspective, this does not appear to be reasonable conduct by the owners of the website. That said, the affected users must allege and establish an actual or certainly impending injury before the case will proceed to quantify the loss suffered; for more information on the US legal position, see here. [PDF]

Sunday, 16 August 2015

Cyber Bullying - advice for parents and teens

With increasing numbers of child suicides reported as a result of cyber bullying, it is more important than ever for parents to give their internet-active children some common-sense advice.
The overriding message should be: when using social media, your conduct should be no different from how you would behave at school, at home, at the movies, at a shopping mall or in any other situation in the offline or real world.

Simply because you are behind a computer screen and not face to face does not mean you are anonymous. It does not mean there are no consequences for deviant or socially unacceptable behaviour. And it certainly does not mean one should lose all the common sense and logic that would apply in a normal "in real life" situation. Many children know the perils associated with talking to strangers and understand basic etiquette regarding social interaction and privacy, but somehow think that living in a digital world means this all falls away. It doesn't!

Consider this basic analogy: would you allow a random stranger to come into your home and look at your family albums? Would you allow strangers to look at you naked? No is probably the answer. Your social media interaction should be no different.

First, some basic tips regarding being a “digital citizen” (someone who uses technology responsibly and appropriately):

  • Do not interact with people online that you do not know. Do not accept "friend requests" or exchange messages on social platforms with people you would not do this with in real life.
  • The internet is permanent. The message you send can be saved; the "Snapchat" selfie that you think disappears after a few seconds can be copied (a screenshot takes a moment); the tweet or direct message you send is never temporary. Once you hit send, the communication is out there for good, and often there is no taking it back.
  • The internet is not anonymous. Platforms keep account and connection records, and tracing tools are commonplace; with a report to the platform or a court order, a perpetrator can usually be identified.
  • Simply because you are online does not mean that there are no consequences. Many push the boundaries online and behave like "trolls". Just because you are behind a computer or phone screen does not mean real-life rules do not apply.
  • Think about your future. Everyone is starting to leave a digital footprint. If you leave a mess, future employers may not want the baggage and you could jeopardise your career.

In South Africa, there is specific legislation that has recently been passed to deal squarely with online harassment and bullying. Further, the SAPS website has a dedicated page on the issue, and both prevention and prosecution are attainable.
So, if you are being bullied online, what steps should you take? Below are some tips taken from various websites dealing with the issue:

  • Don't respond. The bully wants a reaction; this is often why they are engaging in this behaviour in the first place. A response gives the bully power over you. Do not empower the bully!
  • Don't retaliate. Don't become a bully. Retaliation turns you into the bully and reinforces the original bully's behaviour. Avoid the perpetual cycle of aggression and bullying.
  • Save the evidence. Usually, messages can be permanently stored. Know how to take a screenshot, and keep the original messages where possible (with dates, times and the sender's username or number visible). Keep and save any and all types of these messages. Remember, if things escalate it is always easier to stop and prosecute the behaviour with evidence, so even if you think it is minor, it is probably worth keeping in case matters turn ugly.
  • Talk to a trusted adult. You need someone to talk to about this. Ideally, a parent. If that is not possible, then a trusted family member, school teacher, counsellor, older sibling or trusted family friend. Bottom line: talk to an adult you trust immediately. Sometimes, these issues can even be reported anonymously, both online and in the real world.
  • Report the issue to the social media platform and block the bully. Whatever form the harassment is coming in (Facebook, WhatsApp, Snapchat, Mxit, Twitter etc.), use the preferences or privacy tools to block the person. Also, report the person to the social media platform; there is often an easy-to-follow link or tool to do this. The conduct may well constitute a breach of the platform's terms of use, so in addition to personally blocking the bully, you may get them blocked for everyone else too. Ask a parent or adult for help here.
  • Be a good person; behave civilly. Even if you don't like the person, treat them in a dignified and civil manner.
  • Don't be a bully. Think for a moment before bullying. Not only may you face criminal penalties (perhaps jail), you may also be sued civilly (for damages). Also, revenge is never the answer; holding a grudge only makes YOU more angry.
  • Protect your privacy. NEVER share your password, and do not leave your device unlocked or unattended.
  • Spend less time online and limit your time on social media. Kids who are active offline tend to be less exposed to it.

Contact us on info@swalesinc.com / 031 5620125, for more information on our Internet Safety and Cyber Bullying Workshops (for parents and teens).