Hitachi Information Forum: The Protection of Personal Information Act Could Kick Start Data Optimisation
The Protection of Personal Information Act will give businesses the opportunity to reinvent their enterprise data storage and management, says Hitachi Data Systems (HDS).
Johannesburg, SA, November 11, 2014 – Speaking at the Hitachi Information Forum in Johannesburg last week, HDS experts outlined the changing data storage and management environment, noting that big data and new legislation were forcing a fresh look at data storage and management.
Today, enterprises face more than just exponentially growing volumes of data to manage: they must also be in a position to identify the relevant data from a vast pool of ‘dark data’ in order to tap into the ‘treasure trove of data’ which businesses can use to innovate and stay ahead of the competition.
POPI to impact data management and storage
Cleo Becker, HDS Regional Counsel Sub-Saharan Africa, Middle East and Turkey, Israel, highlighted the impact of the Protection of Personal Information (POPI) Act on the data centre. There are eight processing principles which must be complied with by all companies processing personal information in terms of POPI. Becker highlighted three principles of particular importance to those working in the data centre environment.
Purpose specification: anyone collecting, processing or storing personal information must make the data subject aware of the purposes for which it will be used and destroy it after this purpose has been achieved;
Security safeguards: companies that process personal information must ensure that adequate security safeguards are in place to maintain its integrity and confidentiality, and
Data subject participation: if a person requests that a company processing their personal information delete, update or modify personal information which is no longer accurate or relevant, the company in question must ensure that the personal information is updated, or it may need to find and permanently delete this data from every source. In the data centre this means locating all copies of the personal information (including any backup copies).
“Importantly, businesses should also be aware of the fact that POPI differentiates between personal information and special personal information. Special personal information includes areas like medical history, race, religion and criminal records – these are subject to an even higher standard of security than just personal information.”
These provisions impact on the management and storage of data in a number of ways, she explained. As the majority of companies in South Africa will process personal information relating to their customers and employees, businesses need to be aware of the legislation governing the management and storage of each type of data.
For example, although there is no prescribed period for data retention in South Africa, most companies generally retain data for at least three years to satisfy numerous legal requirements. “POPI says you can’t keep the personal information for longer than needed to achieve the purpose for which it was collected or subsequently processed,” says Becker. “So, for example, for employee information, you would want to keep it for the lifetime of the employment relationship and at least for three years thereafter so that you can settle any employment or PAYE disputes. Likewise, customer information would be kept for the lifetime of the contract and at least three years after that to settle any disputes. After that, you need to securely delete it, destroy it or de-identify it in a way that it can no longer be reconstituted at a later date.
“In South Africa, multiple bodies enforce data retention laws for different kinds of data. SARS asks individuals to store tax information for up to five years, whereas FICA and RICA demand that you collect and retain personal customer information for a specified period of time. So it’s very important that you know the type of personal information you’re collecting and the applicable retention legislation as specific laws will overrule the general retention period prescribed by POPI.”
Storage itself is also an important element, said Becker. “The Electronic Communications and Transactions (ECT) Act is important when using electronic records for evidentiary purposes – for example, when you want to use certain emails in a dispute in the CCMA. You need to ensure that the data is saved in the same format in which it was created. When the court assesses the evidentiary weight of that data message, they are going to be looking at how it was maintained and stored.”
The changing data centre
Compliance will require changes in the data centre, Becker said. “You need to know what kind of personal information you’re storing. You need to conduct a risk assessment and be aware of all the internal and external risks. And once you’ve done that you need to put adequate security safeguards in place to protect against those risks, and constantly review them to ensure that they are enforced. You will then improve your data quality and that leads to a greater ROI on other work streams such as data analytics. It also reduces the risk of loss of the information and, ultimately, leads to greater customer loyalty and trust.”
Echoing this sentiment, Stuart Cheverton, Business Development Consultant – File and Content Solutions at HDS South Africa, said: “We have to look at managing our data a little differently. We have to cope with large amounts of data, we have to decide what is relevant and what isn’t. Compliance with legislation such as POPI will help us put these policies in place. Once we embark on this road, we will get to a point where we start reducing the volume of data we are storing and managing, which gives us the ability to more effectively extract valuable information from this data.”
About Hitachi Data Systems
Hitachi Data Systems, a wholly owned subsidiary of Hitachi, Ltd., provides information technologies, services and solutions that help companies improve IT costs and agility, and innovate with information to make a difference in the world. Our products, services and solutions are trusted by the world's leading enterprises, including more than 70% of the Fortune 100 and more than 80% of the Fortune Global 100. Visit us at HDS.com.
About Hitachi, Ltd.
Hitachi, Ltd. (TSE: 6501), headquartered in Tokyo, Japan, is a leading global electronics company with approximately 326,000 employees worldwide. The company’s consolidated revenues for fiscal 2012 (ended March 31, 2013) totaled 9,041 billion yen ($96.1 billion). Hitachi is focusing more than ever on the Social Innovation Business, which includes infrastructure systems, information & telecommunication systems, power systems, construction machinery, high functional material & components, automotive systems and others. For more information on Hitachi, please visit the company's website at http://www.hitachi.com.