In our previous article, we discussed the importance of conducting a personal information impact assessment. This is required by Regulation 4(1)(b) of the Regulations published in terms of POPIA, which places a legal obligation on responsible parties to perform a personal information impact assessment to ensure that adequate measures and standards exist in the business in order to comply with the conditions for the lawful processing of personal information.

  1. HOW DO I KNOW WHETHER I AM A “RESPONSIBLE PARTY”?
  • A responsible party is a body or person who determines the purpose of and means for the processing of personal information. Included in this definition are companies and businesses, whether public or private organisations. Typically, if your business holds any personal information (belonging to employees, customers or suppliers), your business will be a “responsible party” for purposes of POPIA.

For example:

  • HR files of ABC (Pty) Ltd

Responsible party: ABC (Pty) Ltd

  • ABC (Pty) Ltd outsources the capturing and managing of its HR files to Outsource (Pty) Ltd

Responsible party: ABC (Pty) Ltd

  • ABC (Pty) Ltd outsources its entire HR function to Outsource (Pty) Ltd

Responsible party: ABC (Pty) Ltd

In the second and third examples Outsource (Pty) Ltd processes the personal information on behalf of ABC (Pty) Ltd and is an “operator”, not the responsible party. Outsourcing the processing does not transfer the responsible party's obligations under POPIA.

  • A responsible party needs to comply with the conditions for the lawful processing of personal information and should conduct a personal information impact assessment to determine its compliance with POPIA.

  2. WHAT IS INVOLVED IN A PERSONAL INFORMATION IMPACT ASSESSMENT?

A personal information impact assessment, or “PIIA” for short, is an organisational assessment process to identify the nature, sources and seriousness of the risks to an organisation arising from a security breach or failure in relation to the personal information it processes. Once complete, the PIIA should set out concrete measures to remedy the risks identified, together with the safeguards, security mechanisms and measures that will protect personal information within the organisation.

  3. ELEMENTS OF A PIIA
  • A PIIA is an important step in ensuring your business’s overall compliance with POPIA. The process should ensure that the results can be verified and reproduced, enabling the Information Regulator to check whether all legal obligations have been addressed.
  • The process for conducting a PIIA has three distinct stages, namely a preparation stage, evaluation stage and a reporting and safeguarding stage.
  • This article examines the requirements of the preparation stage, and we will discuss the evaluation and reporting stages in follow-up articles.
  • PREPARATION OF THE PIIA
  • Before a PIIA is carried out, the objectives and scope of the assessment should be defined and a suitable assessment team appointed. The team should be independent, with a sufficient level of accountability, and should be assisted by the Information Officer of the organisation.
  • In order to adequately evaluate whether a high risk is likely, the responsible party should provide an overview of the data processing in its organisation. In order to comply with Section 11(1)(d) of POPIA, a systematic description of the data processing, as well as the legitimate interest of the responsible party, needs to be prepared. This includes:
  • the data involved, as well as data storage and transfer protocols;
  • the IT systems used and their interfaces; and
  • the processes and procedures for the processing of personal information.
  • IDENTIFICATION OF STAKEHOLDERS AND LEGAL REQUIREMENTS
  • The preparation stage will also involve an assessment of the stakeholders and persons involved in the processing of personal information. These include all employees responsible for the processing of personal information, operators (for instance service providers such as data centres), third parties who have access to the personal information, and the data subjects themselves.
  • Of further note is that there may be other legal requirements relating to the processing of personal information that affect your business, as POPIA does not regulate all legal aspects exhaustively. For instance, legislation regulating industries such as labour, welfare, financial services, telecommunications and health, as well as rules on the protection of minors, may impose additional requirements on how personal information should be processed.
  • However, as a PIIA only deals with the technical aspects of processing, such additional requirements will only become relevant where they directly affect the processing.
  • Once the preparation stage has been completed, the results should be captured in a PIIA inception statement or report.

In our next article we will examine the scope of the evaluation stage of a PIIA. In the meantime, contact us for advice on how to go about preparing for your PIIA.

Luïse Von Dürckheim-Botes

BProc; LLB; LLM (Criminal Law)(Cum Laude); LLM (Corporate Law)

Consultant

Corporate and Commercial Law

Email: luise@sstlaw.co.za

Phone: 012 361 9823