The recent Facebook Cambridge Analytica crisis saw many corporates across Africa relook policies regarding their sensitive information and online presence. According to the one global EY survey, 58% of customers are concerned about the amount of personal and private data organisations have about them. With so many data breach incidents, it is essential that corporates ensure they have the right measures to protect sensitive information against malicious agents. Organisations also have to define what sensitive uniquely means for their business and they need to build tangible solutions.
Corporates also need to accurately segregate between its sensitive and non-sensitive data to outline a strict process for handling important information. This data can be classified into public, private and restricted, and security measures can be enacted accordingly.
Preeta Bhagattjee, Director of Cliffe Dekker Hofmeyr’s Technology and Sourcing practice spoke to IT News Africa about the role of the Protection of Personal Information Act (POPIA) in protecting information of corporates in South Africa, why it is important for corporates to be mindful of their social media presence as well as why it is important for corporates to implement policies =relating to employee social media activity.
Regarding the recent news of Facebook’s Cambridge Analytica crisis, Bhagattjee says that Facebook’s terms and conditions when it comes to privacy, stipulate that a considerable amount of information that a Facebook user uploads to Facebook is categorised by Facebook as being part of a user’s “Public Profile”.
She further states that Facebook’s terms and conditions in relation to privacy are essentially categorised into four main groups that relate to: the types of information Facebook collects; the way in which Facebook uses the information which it collects; how the relevant information is shared; and how Facebook users can manage or delete their information.
According to Bhagattjee, the POPIA will have wide-ranging consequences both for responsible parties and data subjects once it comes into full effect.
1. What role does the Protection of Personal Information Act 4 of 2013 (“POPIA”) have in protecting information of South Africans?
Data protection laws, in general, are designed to allow for the free flow of information and is not intended to prevent the use of personal information (particularly for commercial purposes) but rather its aim is to regulate the use of such personal information by third parties (i.e. responsible parties under POPIA) and to hold such parties accountable for what they do with such personal information and to, in turn, offer adequate protection to data subjects in circumstances where the responsible parties use such personal information beyond the purpose for which the data subject allowed that party to.
The principal object of POPIA is for the State to fulfil its constitutional obligation to give effect to the right to privacy enshrined in Section 14 of the Constitution of the Republic of South Africa, 1996. It is against this that POPIA provides extensive protections to South African data subjects in relation to their personal information. POPIA achieves this by essentially placing specific obligations on responsible parties (those persons who are effectively in control of the personal information of South African data subjects) when it comes to the processing of personal information. In this regard, such obligations are essentially contained in Chapter 3 of POPIA, which contains eight conditions for the lawful processing of personal information which a responsible party must comply with in order for the processing of personal information by such party to be done lawfully.
2. How can corporates ensure that their data is protected online?
This can be achieved via appropriate online terms and conditions, privacy policies and intellectual property protections. Companies with a website or e-commerce platform should manage their risk and access to and use of their data and company information by regulating this in the online terms and conditions that website users or online customers are required to sign up to or to which they are automatically bound (should they access or use the relevant online services etc.). Appropriate intellectual property protections should also be implemented, such as identifying company trademarks correctly, placing appropriate copyright notices on content. Relevant licence terms (regulating use, reuse, distribution etc) should also be included in the terms and conditions or as separate agreements, depending on the information, data, service or product which the company sells via its online presence or allows third parties access to.
3. What steps can the South African Information Regulator take to tackle investigations around breaches such as this one?
The Information Regulator is the government body tasked with oversight of POPIA (as well as the Promotion of Access to Information Act 2 of 2000). The Information Regulator is provided with extensive enforcement powers under Chapter 10 of POPIA (specifically under Sections 73—99).
Under POPIA, the Information Regulator may either (i) receive a complaint from any person (in terms of Section 74); or (ii) on its own initiative, conduct an assessment as to whether an instance of processing of personal information (such as the Cambridge Analytica data breach scandal) complies with the provisions of the Act (in terms of Section 89).
Upon the receipt of a complaint, the Information Regulator may perform a number of actions such as conduct a pre-investigation, conduct a full investigation, or refer the complaint to the Enforcement Committee for consideration of or the issuing of a finding in respect of the complaint.
Should the Information Regulator conduct an assessment on its own initiative, it may issue an information notice in terms of Section 90 requiring a responsible party to furnish the Information Regulator with a report concerning its processing activities.
4. Why should there be policies to monitor employee social media activities?
One of the greatest risks that social media poses to corporations is the fact that the extensive usage of social media in the workplace has resulted in an increase in the exposure of confidential information belonging to companies. This risk may result in potential reputational damage; competitors taking advantage of the leaked confidential information (such as leaked trade secrets); and a loss of clients to whom the exposed confidential information relates. This could also extent to potential clients who may be concerned that their confidential information may also be exposed in the same manner. This is the reason for companies adopting social media policies which apply to their employees. I clarify that the aim of a social media policy is not to monitor employee social media activities but rather to regulate employees’ posting and sharing of information about or relating to, or which may have a negative impact on, the company/employer.
5. Whose responsibility is it to safeguard information online?
The responsibility to safeguard personal information will depend upon the context (i.e. whether or not the information relates to the corporation’s business or not). Essentially, the responsibility to safeguard information that pertains to an employee within the context of the corporation’s business or employee’s employment (such as the employee’s employment history, medical records, banking details, etc) should remain with the employer (corporation). However, the employer cannot bear the responsibility to safeguard information that the employee willingly uploads to websites in his or her personal capacity (such as where the employee uploads personal information to Facebook and other social networking sites) – in such circumstances the employee (an as individual) will need to ensure that he or she safeguards his or her own personal information.
6. With so many apps available that require personal information, how can one ensure that they do not share too much?
The internet, and social media sites, in particular are based on the facilitation of the sharing of information and it would, therefore, be advisable that users do not share any information which they would not want the world to be able to access.