19 July 2020
Napoleon Hill asserted that “patience, persistence, and perspiration make an unbeatable combination for success”.
The quotation resonates here, because it is exactly this kind of persistence that appears to have kept the Information Regulator unwavering in its relentless plea for the remainder of the Protection of Personal Information Act (POPIA) to be brought into effect.
Several sections of the act were proclaimed effective at the beginning of this month, six years after POPIA was enacted. These sections set out the minimum requirements for processing special categories of personal information, and the minimum conditions that every organisation processing personal information must meet.
This is a significant move in the country’s stance on the handling of personal data, all the more so because the Department of Health has gathered, and continues to gather, large sets of personal data amid the COVID-19 pandemic.
The Information Regulator’s PPI COVID-19 Guidance Note sets out the compliance controls required when processing the personal information of data subjects who have tested positive for COVID-19, and of their contacts.
One would expect the parties processing this data to have their houses in order and to be POPIA compliant already. Reality has shown this to be wishful thinking. The department therefore needs to prioritise a data privacy programme that brings its COVID-19 data touchpoints into compliance by the end of June 2021, when the one-year grace period granted by POPIA expires.
This is an arduous task and, with the department’s attention rightly on fighting the pandemic, there is a real possibility that it will still be non-compliant by next year.
To be in good standing by the time of assessment, the department should consider a set of pragmatic controls. First, it should decide on a privacy operating model. This will determine whether it needs to appoint a dedicated privacy officer or can assign the responsibilities to existing officials.
Once a privacy office is in place, the team should run a data privacy impact assessment to establish the department’s data processing risk posture and to identify mitigating controls for the high-risk areas. The team should then draw up an incident management procedure manual setting out the steps officials must follow at each data touchpoint.
Thereafter, a data life cycle inventory should be compiled, recording the categories of personal data the department holds, where they come from, how they are used and when they are disposed of.
- Gwala is data governance manager at Alexander Forbes. He writes in his personal capacity.