IACT-AFRICA and PTC POPIA and PAIA COMPLIANCE IMPLEMENTATION GUIDE FOR SMALL & MEDIUM ENTERPRISES
Table of Contents
Purpose and Scope of the Guide. 4
1.1. Compliance Preparation Project (CPP) Charter. 6
1.2. Information Officer Appointment. 6
1.4. POPIA Assessment & Remediation Tracker. 7
2.1. Overview of assessment types. 9
2.1.1. Assessment Categories. 9
2.1.4. Personal Information Risk Management Tool Scales. 10
2.2. Assessments to be completed. 12
2.2.1. POPIA Consent Compliance Assessment. 12
2.2.2. POPIA Processing Lawfulness Assessment. 14
2.2.3. POPIA Existing Contracts and Policies Review Tool 16
2.2.4. POPIA Digital Devices Assessment Tool 18
2.2.5. Information Security Assessment. 20
2.2.6. POPIA Personal Information and Physical security risk management. 21
2.2.7. Data Protection Assessment. 23
2.2.8. Information Sharing and Subject Access Assessment. 23
2.2.9. Direct Marketing Assessment. 24
2.2.10. POPIA Personal Information Diagnostic Tool 25
2.2.11. POPIA Web Site Assessment tool 27
3.1. Integrated Assessment Report. 29
3.1.1. List of Assessments completed. 29
3.1.2. Assessments output summary. 30
4. Phase 4: Translate (Implementation). 32
Part A. Organisational Measures. 32
4.1. POPIA Consent Compliance and POPIA Processing Lawfulness Measures. 32
4.2. POPIA Existing Contracts and Policies Review.. 33
4.2.1. Existing Contracts Review Tool 33
4.2.1.1. Responsible Party to Operator Agreement. 33
4.2.1.2. Transborder Agreement. 33
4.2.1.3. POPI Personal Information Sharing Checklists. 34
4.2.1.4. Personal Information Sharing Agreement Outline. 34
4.2.2. Existing Policies Review Tool 35
4.2.2.1. POPI Act/POPIA Policy. 35
4.2.2.2. Information Security Policy. 35
4.2.2.3. POPIA Personal Information Backup Policy. 36
4.2.2.4. POPIA Data Breach Response. 36
4.2.2.5. PAIA Manual Template. 36
4.2.2.6. PAIA data subject access request handling process. 37
4.2.2.7. POPIA Records and Retention Management Policy. 37
4.2.2.8. Customer Privacy Notice. 37
4.2.2.9. Website Assessment Actions. 37
4.2.2.10. POPIA Physical and Information Risk Assessment Actions. 38
4.2.2.11. POPIA Staff Consent Form.. 38
4.2.2.12. POPIA Employee Compliance Commitment Form.. 38
4.2.2.13. POPIA Staff Training Records. 38
Part B: Technical Measures for Compliance. 38
4.3. Information Security (Technical Measures). 39
4.4. Personal Information Management. 39
4.4.1. Personal Information Diagnostic tool 39
4.4.2. Personal Information Backup Policy. 39
4.4.3. POPIA Records and Retention Management Policy. 40
5. Post Implementation Compliance. 41
Appendix A: Form 4 from the POPI Act Regulations. 44
Table 1: Project Team Structure. 6
Table 2: Probability Scale. 10
Table 4: Consent Compliance Assessment Description. 13
Table 5: Processing Lawfulness Assessment Description. 15
Table 6: Existing Contracts Review Tool Description. 17
Table 7: Existing Policies Review Tool Description. 18
Table 8: Digital Devices Column Description. 19
Table 9: Information Security Assessment Column Description. 20
Table 10: POPIA Personal Information and Physical Risk Assessment Column Description. 21
Table 11: Risk Assessment Dropdown Values. 22
Table 12: Data Subject Assessment Responses Description. 23
Table 13: Information Sharing and Subject Access Assessment Column Description. 24
Table 14: Direct Marketing Assessment Column Description. 25
Table 15: Checklist Front and Checklist Back. 27
Table 18: List of Assessments Completed. 29
Table 19: Recommendations Table. 30
Table 20: POPIA Physical and Information Risk Assessment Actions. 38
Table 21: Post Implementation Compliance Checklist. 41
Figure 1: POPI Act I-A-C-T Compliance Methodology. 4
Figure 2: POPI Assessment & Remediation Tracker. 8
Figure 3: UK ICO Assurance Scale. 10
Figure 4: Consent Compliance Assessment. 13
Figure 5: Processing Lawfulness Assessment. 14
Figure 6: Existing Contracts Review Tool 16
Figure 7: Existing Policies Review Tool 17
Figure 8: Digital Devices Assessment. 19
Figure 9: Information Security Assessment. 20
Figure 10: POPIA Personal Information and Physical Risk Assessment. 21
Figure 11: Data Subject Assessment. 23
Figure 12: Information Sharing and Subject Access Assessment. 24
Figure 13: Direct Marketing Assessment. 24
Figure 14: Personal Information Diagnostic Tool 26
Figure 15: Assessments output summary. 30
Welcome
Welcome to the IACT-Africa and PTC POPI Act/POPIA Implementation Guide for small and medium enterprises. It is your guide for implementing a set of appropriate practices for achieving and maintaining compliance with the POPI Act. The context of such measures is a requirement contained in the POPI Act Regulations published December 2018 which requires a compliance framework to be established and maintained.
The I-A-C-T methodology enables alignment with standards and frameworks such as ISO 29100 (privacy Framework), ISO 27701 (Privacy Information Management System) and the NIST Cyber Security framework. It is also your guide for protecting the personal information for which your organisation is responsible. This is guide is designed to help you to implement the IACT-Africa & PTC POPIA Compliance Essentials Licence Toolkit and is not a free standing guide.
The subject of protecting personal information is often seen as a legal compliance issue and while this is true, there are many good business reasons to implement the practices covered in this guide.
We know from experience this guide will enable you to walk a successful journey and to implement a set of effective measures for complying with POPIA and protecting personal information. We are available to help you with any questions or challenges you encounter through our support channels.
If you are new to the POPI Act/POPIA, we recommend that you read the Camargue Protection of Personal Information book as well as the POPI Act Regulations published in December 2018. Please contact us if you need these documents.
Copyright Notice
John Cato and Dr Peter Tobin jointly own the copyright for the contents of this guide and the original intellectual property items contained in the POPIA Compliance Essentials Licence Toolkit.
Purpose and Scope of the Guide
The purpose of the guide is primary to enable small businesses to implement a POPIA and PAIA compliance framework without the need for significant support services. In view of this, the guide covers the minimum set of compliance toolkit items. We therefore do not warrant that it covers items contained in the more comprehensive POPIA and PAIA Compliance Toolkit.
Methodology
The methodology guides you along a proven compliance implementation process. It consists of 4 phases and is known as the POPI Act I-A-C-T compliance methodology. The 4 phases are:
Figure 1: POPI Act I-A-C-T Compliance Methodology
- Initiate – Initiate your project with the required people and agreed timeframes
- Assess – Assess your current state of compliance
- Consider – Consider what you have discovered in the Assess phase
- Translate – Translate what you consider to be appropriate into implementation actions.
It is important to follow the 4 phases as many organisations want to implement a set of policies and tick a few boxes so that they can claim to have complied with the requirements of the POPI Act.
Organisations who only implement policies, for example, miss many vital activities which are needed such as managing personal information, related risks, supplier contract management and many others. They also miss great business benefit opportunities which good privacy and data protection practices can give an organisation. We therefore encourage you to walk the complete journey.
The POPI Act I-A-C-T compliance methodology is designed to help you establish compliance with the POPI Act/POPIA as its primary objective. An important additional benefit from the methodology is that the compliance measures you implement are aligned with standards and frameworks such as ISO 29100 (Privacy Framework standard), ISO 27701 (Privacy Information Management System standard) and the NIST Cyber Security framework. Should you seek to align further with these or obtain certification in one or more of them, the measures will serve as a valuable foundation. They can also be used as reference points for decisions you make during your project.
Objective
The primary objective for your project should be to achieve compliance with the requirements contained in POPIA and in the Regulations published in December 2018. The output (compliance measures) from your project will serve as essential evidence for your compliance and will be very important should a complaint be lodged against your organisation and/or an investigation be conducted by the Information Regulator.
The driver for this can be found in section 109 in POPIA which states that where there is insufficient evidence of policies, procedures and personal information risk assessments being in place, fines will be higher than if they are in place. In summary, prevention is better than cure!
PHASE 1: INITIATE PHASE
1. Phase 1: Initiate
In the Initiate phase you should set up a project even if your company is small, it will help you to achieve your goals successfully. The key activities for this are described below:
1.1. Compliance Preparation Project (CPP) Charter
- The Compliance Preparation Project (CPP) Charter template provides a ready built document for you to get your project approved and initiated. It enable you to set your objectives, key timeframes, key stakeholders and roles.
- The CPP Charter includes a form as an appendix which helps you identify and define the key stakeholders and roles. It is very important that you make the project a team effort as the practices for managing personal information involve most areas in a company.
- Typical project roles and stakeholders are:
- Project Sponsor
- Steering committee (optional)
- Project Manager
- Project team members (including business unit managers, etc.) Their involvement will be essential as they will need to help with providing information in their areas e.g. policies, service provider contracts, IT system information, etc.). Table 1 below shows an example of a typical project team structure. They will also need to implement changes that are identified in their areas.
Table 1: Project Team Structure
Project Role | Name | Title |
Project Sponsor | J Doe | Chief Executive Officer |
Project Manager | M Doe | Project Manager |
Deputy Information Officer | A.N Other | Head of Compliance |
Project Team Member | A.N Other 1 | Information Security Officer |
Project Team Member | A.N Other 2 | Head of Procurement |
Project Team Member | A.N Other 3 | CIO/IT Manager |
Project Team Member | A.N Other 4 | Risk Manager |
In smaller organisation, these roles are often combined so the project team composition could be quite simple.
1.2. Information Officer Appointment
- The appointment of the Information Officer is required by POPIA and PAIA laws. The POPIA and PAIA Information Officer Appointment letter is provided in order to help you formalise the appointment. It is recommended that you make the appointments at the start of your project. Important points are:
The Information Officer is the Designated Head of the organisation e.g. CEO, MD, owner or Head of a Government department. He or she may appoint one or more Deputy Information Officers to fulfil their responsibilities. This appointment does not release the Designated Head from accountability of personal information protection.
In order to implement the POPIA and PAIA Information Officer Appointment Letter in your organisation you should change [Company Name] to your organisation name, add the name of the Information Officer and Deputy Information Officer at the end of template, obtain the relevant signatures and date the letter. Ensure that you file the signed letter as this document forms the basis of demonstrating compliance with Condition 1: Accountability in POPIA
1.3. CPP Project Plan
- The Initiate phase also includes developing your project plan which will help you achieve your objectives in the anticipated timeframes. The CPP Project Plan template provides a sample plan for you to use as the basis for your project plan.
1.4. POPIA Assessment & Remediation Tracker
One of the most important tools for managing you project is the POPI Assessment & Remediation Tracker tool. The purpose of this Tracker is to enable you to manage the multiple assessments and remedial actions involved in completion of your POPIA & PAIA project.
The functions of the Tracker are described below.
- The tracker tab has the capability to track assessments at the Corporate and Business Unit level which can be named on the Ranges tab.
- Organisation entities can be named can be named on the Ranges tab.
- Primary and secondary contacts responsible for the completion of assessments can be named on the Ranges tab.
- The status field shows 5 status categories which can be tailored via the Ranges tab.
- The Tracker can be amended to use as a Heat Map with conditional formatting
- A graph tab can be added where totals of the various assessments and their status can be shown
- Suggested use of the status categories is
- Not yet started: this assessment has not yet been evaluated to identify whether it needs to be completed for the relevant BU / responsible person in that column
The status of assessment is displayed using the following colours:
- Red: Assessment assigned, no promise date given; or promise date given but missed; in either case the assessment is outstanding for completion
- Amber: Assessment assigned, promise date give, work underway but not yet past due
- Green: Assessment assigned and completed
- Not applicable: This assessment is not applicable for the relevant BU / responsible person in that column.
Figure 2 below provides a view of a sample Tracker.
Figure 2: POPI Assessment & Remediation Tracker
PHASE 2: ASSESS PHASE
2. Phase 2: Assess
Once the Initiate phase has been completed, the next phase is the Assess phase. This is an essential phase as it enables you to assess your current state of compliance with the POPI Act/ POPIA. The assessments will help you to carry out a structured assessment in terms of the requirements in the POPI Act. They will also serve as an overall risk assessment and they will provide a foundation for you to maintain compliance on an ongoing basis.
2.1. Overview of assessment types
Before starting the assessments, take time to read this section and ensure that you gain an understanding of the fundamentals of the assessments described here.
2.1.1. Assessment Categories
The Assessment tools fall into 3 main categories:
- Category 1 – Simple – Binary (Yes/No answer) assessments;
- Category 2 – Inventory – Building lists of items such as contracts and policies as well as digital equipment;
- Category 3 – Comprehensive Questions – Contains predefined questions which require answers and action plans to be submitted.
2.1.2. Rating Scales
The rating scale used in the assessment tools are described below.
- Simple Binary Scale used by Category 1 Assessments
The Category 1 assessments mostly use a simple Yes, No and Not Applicable rating scale and dropdown list. These should be self-explanatory.
- UK ICO Assurance Rating Scale used by Category 2 and 3 Assessments
The Category 2 and 3 assessments mostly use the UK Information Commissioner’s Office (ICO, UK data privacy regulator. The ICO is the UK’s independent body for upholding information rights. It is the UK’s privacy and data protection authority which is the equivalent to the Information Regulator in South Africa. It is highly regarded internationally and is arguably the most mature information commissioner and authority globally. The assurance rating scale is described below:
UK ICO Assurance Rating Scale
- High assurance
- Reasonable assurance
- Limited assurance
- Very limited assurance
- Not applicable
These are described in Figure 3 below:
Figure 3: UK ICO Assurance Scale
2.1.3. Priority Scale
In addition to the Assurance scale, a number of assessments use the Priority scale listed below for prioritising actions. These are used in conjunction with the Assurance scales.
- High, critical we get this right
- Medium to high important we get this right
- Medium to low, first choice of optional items
- Low, nice to have, optional item
2.1.4. Personal Information Risk Management Tool Scales
The Risk Management tool is based on a risk methodology and because of this it uses its own risk based scales. These are outlined in Table 3 below:
Probability scale
The probability of a risk taking place can be rated using on the options in table 2 below:
Table 2: Probability Scale
DESCRIPTION | GUIDELINES | SCALE | NOMINATED |
VALUE | |||
Frequent | This is an immediate threat which could occur at any time. Immediate remedial action is required to remove or reduce the risk. | 5 | Several per year |
Probable | The threat exists and it threatens the business continuously. Action is required to reduce this risk. | 4 | 1:1 year |
Occasional | The threat exists but the history of this type of situation indicates occurrence is infrequent. Action could be taken to reduce this risk but it the cost-benefit of the actions must be calculated. | 3 | 1:3 years |
Remote | A slight threat is perceived from this source but the situation is unlikely to occur. No action is required to reduce this risk, unless the business demands minimal risks. | 2 | 1:5 years |
Improbable | No perceived threat exists from this source. No action is required to reduce the risk. | 1 | 1: 10 years |
Impact scale
The impact of a risk if it materialises is described in table 3 below.
Table 3: Impact Scale
Risk Impact | |||
DESCRIPTION | GUIDELINES | SCALE | NOMINATED VALUES |
Note: We recommend that you define a set of values for risk impact that relate to your business | |||
Catastrophic | System loss; irreparable reputational damage; criminal action (jail and/or significant fine); bad public relations; loss of agency, client base, market share. | 5 | |
Critical | Major damage to reputation; substantial liability damages; criminal charges (suspended sentence and/or large fine); damages, claims and costs will exceed contingency; company dividend at risk. | 4 | |
Serious | Risk of measures to limit reputational and other damage cause business interruption; consumes contingency; requires an insurance claim. | 3 | |
Marginal | Minor PR damage that can be managed routinely; will only require an apology letter; costs accommodated as part of contingency or insurance excess. | 2 | |
Negligible | So minor as to be regarded as having no consequence. | 1 |
2.1.5. Ranges
The Ranges sheet enables you to tailor the values to your environment. It enables you to change the values for dropdown lists especially the names of people in your company. To make changes simply go to the Ranges table, look for the column that has the value you want to change and make the relevant changes.
2.2. Assessments to be completed
In this section, we provide a guide to the assessments that need to be completed. As mentioned, the assessment are is a critical part of your compliance journey because they enable you to assess where you are in terms of compliance. Perhaps more importantly, they help you to map your way forward for protecting personal information both in the short term and long term.
These assessment should be used to achieve a sound level of compliance in the short term and for maintaining it on an ongoing basis in the longer term.
The assessments provided are:
- POPIA Processing Lawfulness Assessment.
- POPIA Consent compliance Assessment Tool.
- POPIA Existing contract & policy review tool.
- Information Security Assessment tool.
- POPIA Personal Information and Physical security risk management tool.
- POPIA Digital Devices Assessment Tool.
- Data Protection Assessment.
- Information Sharing and Subject Access Assessment.
- Records Management Assessment.
- Direct Marketing Assessments.
- POPIA Personal Information Diagnostic Tool Light Version.
- POPIA Web Site Assessment tool.
2.2.1. POPIA Consent Compliance Assessment
The purpose of this assessment is to establish if you are obtaining consent for collecting and processing personal information.
Column B enables you to build a list of processes that require consent for processing personal information for a valid purpose. The list of business processes you have compiled in the POPIA Processing Lawfulness Assessment should be used for this assessment.
Note: It will be useful to cross reference the Processing Activities in the POPIA Processing Lawfulness Assessment as Consent and Purpose are essential principles for complying with POPIA.
The screen shot in Figure 4 below is a view ofa blank assessment sheet. Your task is to build a list of processes or activities in which you collect processing of personal information.
Figure 4: Consent Compliance Assessment
The columns are described in Table 4 below:
Table 4: Consent Compliance Assessment Description
Column | Description |
Processing activity evaluated name. | This is the name of the activity or process in which personal information is collected. Examples are: Collecting personal information for marketing purposes; Signing up new customers;Onboarding new staff;A credit application form. etc. |
Processing activity evaluated name description: | A brief description of the activity or process being evaluated |
Section 11 Consent: 11. (1) Personal information may only be processed if— (a) the data subject or a competent person where the data subject is a child consents to the processing. | This is a question asking if consent has been obtained from the data subject or a competent person (parent or legal guardian) if the data subject is under 18 years of age. Your answer should be provided using a dropdown value, either Yes or No; |
Comments | Add any comments relating to your answer here |
Section 11 Consent criteria met? 11. (2) (a) The responsible party bears the burden of proof for the data subject’s or competent person’s consent as referred to in subsection (1) (a). | Has your organisation obtained consent from the data subject for the activity or process? |
Comments | Add any comments relating to your answer here |
Section 11 Consent criteria met? 11. (2) (b) The data subject or competent person may withdraw his, her or its consent, as referred to in subsection (1) (a), at any time. | Has the data subject or competent person been given the option of withdrawing consent for the activity or process? |
Comments | Add any comments relating to your answer here |
2.2.2. POPIA Processing Lawfulness Assessment
The purpose of this assessment is to establish if you are processing personal information for lawful purposes. It helps you to identify areas in which you collect personal information and if you are doing so in a lawful manner in terms of the requirements in sections 9 to 11 in POPIA.
This assessment will enable you to identify and implement the appropriate changes for ensuring that you are processing personal information in a lawful manner. It is valuable to do a cross check with the activities in your POPIA Consent Compliance Assessment.
The screen shot in Figure 5 below is a view ofa blank assessment sheet. Your task is to build a list of processes or activities in which you collect processing of personal information and to assess them from a lawfulness perspective.
Figure 5: Processing Lawfulness Assessment
Screen short part 1
Screen shot part 2
Screen shot part 3
The columns are described in table 5 below:
Table 5: Processing Lawfulness Assessment Description
Column | Description |
Processing activity evaluated name | This enables you to build a list of business process in which you collect, process and store personnel information. Your task is to build a list of these processes and to assess them in term of lawfulness i.e. are you collecting and processing personal information for valid and lawful purposes. Examples of these are: Collecting personal information for marketing purposes; Signing up new customers;Onboarding new staff. |
Processing activity evaluated description. | The purpose of this column is to provide a description of the process in the Processing activity evaluated name column (above), this will give it context. |
Comments: | Add any comments relating to your answer here. |
Lawfulness criteria met? 9. (b) in a reasonable manner that does not infringe the privacy of the data subject. | The purpose of this question is to assess if the data subject has given their consent for their personal information to be collected for a clear purpose and if this has been given willingly. Your answer should be provided using a dropdown value, either Yes or No. |
Comments: | Add any comments relating to your answer here. |
Lawfulness criteria met? 11. (c) processing complies with an obligation imposed by law on the responsible party. | The purpose of this question is to assess if processing of personal information is necessary for the organisation to comply with a law without requiring the data subject’s consent. Your answer should be provided using a dropdown value, either Yes or No. |
Comments: | Add any comments relating to your answer here. |
Lawfulness criteria met? 11. (d) processing protects a legitimate interest of the data subject | The purpose of this question to assess if the processing of personal information is necessary for protecting the legitimate interest of the data subject without obtaining consent. Your answer should be provided using a dropdown value, either Yes or No. |
Comments: | Add any comments relating to your answer here. |
Lawfulness criteria met? 11. (e) processing is necessary for the proper performance of a public law duty by a public body | The purposeof this question is to assess ifthe processing of personal information is necessary for a public body e.g. a government organisation, to comply with a public law; |
Comments: | Add any comments relating to your answer here. |
Lawfulness criteria met? 11. (f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied. | The purposeof this question is to assess ifthe processing of personal information is necessary for pursuing the legitimate interest of your organisation or of a third party to whom the personal information is supplied. Your answer should be provided using a dropdown value, either Yes or No. |
Comments: | Add any comments relating to your answer here. |
Is at least one criteria met? If so, proceed with processing. If not, do not proceed until lawfulness addressed. | The purpose of this question is to assess if you have answered ‘Yes’ to at least on one of the questions above. Your answer should be provided using a dropdown value, either Yes or No. Note: If you have not met at least one of the criteria i.e. answered Yes to at least one question for the activity or process, do not proceed with processing until you have addressed the lawfulness requirement. |
2.2.3. POPIA Existing Contracts and Policies Review Tool
The purpose of this assessment is to develop inventories of your contracts and policies so that compliance with the requirements for personal information risks are addressed.
This assessment tool consists of two (2) assessments or tools, namely a Contracts assessment and a Policies assessment.
- Existing Contracts Review Tool
The Existing Contracts Review toolenables you to build a list of contracts or agreements that you have with parties who process personal information as part of a service they provide. Appropriate actions can then be taken to ensure that you address shortfalls in contracts with service providers from a personal information perspective.
Your task here is to build a list of Contracts, Agreements and Terms and Conditions with service providers where the services to which these relate involve personal information. It is a vital part of your compliance journey that you build.
Establishing written contracts with Operators (Service Providers) is required in the Security Safeguards condition in POPIA and helps you to manage your third party personal information risks. Furthermore, it enables you to manage personal information risks that may exist with these parties and it will give you legal recourse in the event of a compromise (breach) taking place if it is their fault.
Once you have built your list of contracts/agreements/terms and conditions, your next task is to review and assess whether they include a commitment as the Operator (or Processor if it is an overseas company) to protecting personal information or data they process for your organisation. If you don’t seem to have an agreement with a service provider, the Terms and Conditions and/or Data Protection Agreement and Privacy Policy they publish serves as an agreement to which you will have agreed when you signed up for the service.
How to use the Contracts section in the Existing Contracts tool.
The screen shot in Figure 6 below is a view ofa blank assessment sheet. Your task is to build a list of or agreements which relate to the processing of personal information.
Figure 6: Existing Contracts Review Tool
The columns are described in Table 6 below:
Table 6: Existing Contracts Review Tool Description
Column | Description |
Contract name | This is the name of the Contract name, service agreement, terms and conditions document, or service provider |
Ref #. | The reference number of the contracts or agreement if it has one. |
Update for POPI required? | Whether or not the Contract needs to be updated or whether an additional agreement i.e. is there a commitment to protecting personal information or the inclusion of an Operator or Processor role? If there is no commitment to this, it needs to be updated or a Responsible party to Operator agreement is needed. A template for this is included in the toolkit. Select Yes, No or Don’t know in the dropdown. |
Assurance rating. | Assurance rating. Please refer to the Rating Scales in paragraph 1.2. for help in the ratings and select the appropriate rating from the dropdown list. This tool uses the ICO Assurance scale. |
Contract Type | This allows you to specify the type of contract by selecting the appropriate type in the dropdown list. A number of options are available as a drop down. These include Customer, Supplier, Operator, Transborder, Employee and Other types. |
Name of Contract Owner | The name of the person in your organisation who owns/is responsible to managing the contract. |
Contract Expiry Date | The expiry date of the contract if applicable. |
Comments | Add any comments you feel are relevant about a contract e.g. the actions to be taken. |
2.2.3.2. Existing Policies review Tool
The Existing Policies review tool enables you to build a list of the policies you have in place. Your task is similar to the Contracts inventory task.
If you do not have many formal policies, the list below can be used to build your list. The screen shot in Figure 7 below is a view ofa blank assessment sheet.
This is an essential assessment as Section 109 in POPIA states that where there is no evidence of policies having been implemented, fines will be higher than if evidence can be shown.
Figure 7: Existing Policies Review Tool
The key polices you should have in place are listed below. You should list those that you have and don’t have in the assessment sheet.
- POPI Act / POPIA Policy.
- Information Security Policy.
- POPIA Data breach response.
- Privacy and Consent notices.
- POPIA and PAIA Information Officer Appointment Letter.
- PAIA Manual.
- PAIA data subject access request handling process.
- Records and Retention Management Policy.
- POPIA Staff Consent Form.
- POPIA Employee Compliance Commitment Form.
- POPIA Staff Training Records list.
Each of the columns and how to use them is described in Table 7 below:
Table 7: Existing Policies Review Tool Description
Column | Description |
Policy name | This is the name of the policy. |
Ref #. | The reference number of the policy if it has one |
Update for POPI required? | Whether the policy needs to be updated for POPIA. Guidelines for decisions for policies are: Does the have relevance to personal information?If it has relevance to personal information, check if there are any references to processing of personal information in the policy. If there are no such references, the policy may require an update. |
Assurance Ratings | These are the same as the Assurance Ratings described in the assessment above i.e. the ICO Assurance scale. |
Name of Policy Owner | The name of the person in your organisation who owns/ is responsible to managing the policy. |
Policy Expiry Date | The expiry date of the policy. This should be used to your policy review process which should done at least once a year. |
Comments | Add any comments you feel are relevant about a policy e.g. the actions to be taken. |
2.2.4. POPIA Digital Devices Assessment Tool
The reason for this assessment is to identify the degree of compliance with Condition 7 of POPIA which requires appropriate and reasonable technical and organisational security safeguards to be implemented and the degree of risk of loss or compromise of personal data in the use of those devices.
Your task is to build a list of all the Digital Devices in your organisation. You should include PCs, Laptops, Tablets, Smartphones, Servers, Printers/Scanners/Copiers, Access Control Systems, CCTV systems. If you have an Asset Register for your Digital Devices. There are a number of columns that should also be completed for each device which are described below.
The screen shot in figure 6 below is a view ofa blank assessment sheet. It is a wide sheet and is shown in two sections below. Your task is to build a list of your digital devices.
Figure 8: Digital Devices Assessment
Part 1 of screen shot
Part 2 of screen shot
The columns are described in table 8 below:
Table 8: Digital Devices Column Description
Column | Description |
Row #. | The row number of the entry. |
Asset #. | The asset number of the device it you have given it one |
Make | The make of the device e.g. Acer, Dell, HP, Apple, etc. |
Model | The model of the device e.g. Aspire, Inspiron, MacBook, etc. |
Serial #. | The serial number of the device’ |
Date of Acquisition | The date on which the device was acquired. |
User Name | The name of the user of the device. |
Purpose | The purpose for which the device is used. This is a dropdown list which has a number if values. These include End user, Server, Shared resource, Floating resource, Back-up device, Transfer device and Recording devices. |
PI Present? | This is used to highlight whether or not the device stores Personal Information. This is a dropdown list which has the options PI Held (yes it does) or N/A (not applicable). |
Special PI Present? | This is used to highlight whether or not the device stores Special Personal Information e.g. Religion, Race or Ethnic Origin, Health Information, Biometric information. This is a dropdown list which has the options PI Held (yes it does) or N/A (not applicable). |
Confidentiality Classification | This is the confidentiality class of the information on the device. This is a dropdown list which includes public, internal use only, confidential and highly confidential. |
System Name | The name given to the system when it was configured initially. |
Location | The location in which the device is used. |
Operating System | The Operating System on the device e.g. Windows 10, IOS, Android, Linux, etc. |
Antivirus | The type of antivirus software used e.g. Sophos, Norton, MacAfee, Symantec, etc. |
Firewall | The type of firewall used if there is one installed. Consult your service provider or IT/ Network support person if you need help. |
Encryption | This is used to highlight whether or not the device has encryption software installed. This is a dropdown list which includes Yes, No or Don’t know options. |
Auto-lock Enabled | This is used to highlight whether or not the device has auto-lock enabled i.e. does it lock automatically if it is left unattended for a while. This is a dropdown list which includes Yes, No or Don’t know options. |
Password Protected | This is used to highlight whether or not the device has password protection enabled. This is a dropdown list which includes Yes, No or Don’t know options. |
2.2.5. Information Security Assessment
The reason for this assessment is to identify the degree of compliance with Condition 7 (Security Safeguards) in the POPI Act. This requires that appropriate and reasonable organisational and technical measures are in place for protecting personal information.
The assessment consists of 19 questions structured into a number of groups. The questions are fairly self-explanatory. The assessment headings are shown in figure 9 below.
Figure 9: Information Security Assessment
The responses to the questions should be provided in line with the following columns in table 9 below:
Table 9: Information Security Assessment Column Description
Column | Description |
Rating | This has a drop down listed which uses the ICO rating Scale described in 1.2.1 above |
Evidence | The name of a document e.g. a policy should be entered here |
Action to be completed: | A description of the action to be completed in order to address any gap |
By Whom | The name of the person/department responsible for completing the action |
By When | The date for completion of the action |
The reason for this assessment is to identify compliance with Condition 7, section 19 (2) in POPIA which requires an assessment of all risks to personal information are assessed and managed. This is an essential assessment as Section 109 in POPIA states that where there is no evidence of risks assessments having been conducted, fines will be higher than if there is evidence. Figure 10 below provides a view of the POPIA Personal Information and Physical security risk management assessment tool.
Figure 10: POPIA Personal Information and Physical Risk Assessment
Part 1 of screen shot
Part 2 of screen shot
The responses to the questions should be provided as per the following columns in tables 10 and 11 below.
Table 10: POPIA Personal Information and Physical Risk Assessment Column Description
Column | Description |
Risk # | The risk number starting at 1 |
Risk Category | This is a drop down which has 35 items. These should each be assessed for applicability for your organisation and used to complete the columns in the rest of the row. Please see the Drop Down table below for values. |
Risk Name | The name of risk (you should add this) |
Risk Description | A description of the risk in the Risk Name |
Preventative Action | This a drop down which has 15 items. Select the appropriate action for the risk |
Probability of Risk occurring (p) | This is a drop down which has 3 items: Low, Medium and High. Select the appropriate probability for the risk. Please see the Drop Down table below for values. |
Impact if risk does occur (i) | This is a drop down which has 3 items: Low, Medium and High. Select the appropriate impact if the risk does current does occur. |
Overall risk assessment (p x i) | This is a drop down which has 3 items: Low, Medium and High. Select the appropriate value for the overall risk, this is the Probability x the Impact of the risk. |
Possible risk option selected | This a drop down which has 4 items. Select the appropriate risk option for the risk. |
Residual risk identified | The residual risk is the risk you still have once you have chosen the appropriate Preventative Action and Possible Risk Option i.e. a factor over which you have no control. |
Risk owner | The person in your organisation who is responsible for managing the risk. |
Risk audit date | The date of the last risk audit if there was one. |
Table 11: Risk Assessment Dropdown Values
Risk Category | Preventative Action | Possible risk response option selected |
Access codes | alarm systems | Accept |
Building access | documentation | Avoid |
Cleaning staff | emergency alert | Mitigate – contingency |
Contractor (other) behaviour | encryption | Transfer- insure |
Damage to document/device | fire detection (smoke/heat) | |
Destruction of paper documents | fire prevention | |
Disposal of paper documents | fire suppression (sprinkler/manual) | |
Document loss | id badge cancellation | |
Doors and barriers | id badges for all | |
Electricity related problems | information classification scheme | |
Fire/flood | inspection | |
Generator failure | lock-down | |
Governance of risk | process/procedure | |
Insecure waste disposal | random security checks | |
Key issue / recovery | training | |
Lightning strike | ||
Loss in transit | ||
Loss of document/device | ||
Loss of power | ||
Lost id badges | ||
Lost keys | ||
Off – site usage | ||
Outdated access rights | ||
Power spikes | ||
Secure area access control failure | ||
Security guards | ||
Site access | ||
Staff behaviour | ||
Storage | ||
Student behaviour | ||
Theft of device | ||
UPS failure | ||
Visitor behaviour | ||
Walls and fences |
2.2.7. Data Protection Assessment
The reason for this assessment is to identify the degree of compliance with Condition 2 (Purpose Specification which includes Consent). The primary requirement is for ensuring that the roles, responsibilities and processes are in place for managing records of consent.
The assessment consists of 14 questions structured into a number of groups. The questions are fairly self-explanatory. The assessment headings are shown in figure 11 below.
Figure 11: Data Subject Assessment
The responses to the questions should be provided are described in table 12 below:
Table 12: Data Subject Assessment Responses Description
Column | Description |
Rating | This has a drop down listed which uses the ICO rating Scale described in 1.2.1 above |
Evidence | The name of a document e.g. a policy should be entered here |
Action to be completed: | A description of the action to be completed in order to address any gap |
By Whom | The name of the person/department responsible for completing the action |
By When | The date for completion of the action |
2.2.8. Information Sharing and Subject Access Assessment
The reason for this assessment is to assess the data subject access request process readiness as required by the Promotion of Access to Information Act (PAIA). This process is required to make provision for Data Subject Requests as the POPI Act does not include such provision but it does include access rights for citizens (data subjects).
The assessment consists of 14 questions structured into a number of groups. The questions are fairly self-explanatory. The assessment headings are shown in figure 12 below.
Figure 12: Information Sharing and Subject Access Assessment
The responses to the questions are described in table 13 below.
Table 13: Information Sharing and Subject Access Assessment Column Description
Column | Description |
Rating | This has a drop down listed which uses the ICO rating Scale described in 1.2.1 above |
Evidence | The name of a document e.g. a policy should be entered here |
Action to be completed: | A description of the action to be completed in order to address any gap |
By Whom | The name of the person/department responsible for completing the action |
By When | The date for completion of the action |
The reason for this assessment is to identify compliance with the Consent and Purpose requirements contained in Condition 2 (Processing Limitation) and Condition 3 (Purpose Specification) as well as Data Subject Rights Regarding Direct Marketing (Condition 8).
The assessment consists of 5 questions structured into a number of groups. The questions are fairly self-explanatory. The assessment headings are shown in figure 13 below.
Figure 13: Direct Marketing Assessment
The responses to the questions are described in table 14 below.
Table 14: Direct Marketing Assessment Column Description
Column | Description |
Rating | This has a drop down listed which uses the ICO rating Scale described in 1.2.1 above |
Evidence | The name of a document e.g. a policy should be entered here |
Action to be completed: | A description of the action to be completed in order to address any gap |
By Whom | The name of the person/department responsible for completing the action |
By When | The date for completion of the action |
2.2.10. POPIA Personal Information Diagnostic Tool
The reason for this assessment is to identify all Personal Information in your organisation. It is a tool for building a personal information inventory for your organisation. It enables you to list processing types, record types and user access types to prepare the organisation for action for ensuring compliance with the POPI Act.
The assessment tool consists of a number of template sheets for business functions. The template is designed to enable you to insert details of information in your systems (computer and paper based) and to define the items/fields that are listed as personal information and special personal information the POPI Act. It also enables you to specify the owners of information as well persons/roles who have access to it.
Each template has a number of columns each of which enable you to define information for record types in a business function or system. An example of a function could be the Human Resources function/department. This area typically has employee records, payroll records, leave records, etc. The function sheet in figure 14 below provides a sample of a typical HR function sheet.
Figure 14: Personal Information Diagnostic Tool
Function sheets for business function/areas such as Customer Relationship Management, Finance and Electronic Communication should be also be completed.
2.2.11. POPIA Web Site Assessment tool
The reason for this assessment is to identify compliance with Condition 7, Security Safeguards, Chapter 2, section 5, Rights of Data Subjects and the Promotion of Access to Information Act (PAIA) in connection with web sites owned or controlled by your organisation.
The assessment tool consists of 2 sections, a Front End Checklist and a Back End Checklist. They aim to help you check that your website has appropriate security safeguards and that it conforms to internationally accepted privacy practices. The columns in the assessments are described in tables 15 and 16 below. They are the same for both assessments.
Table 15: Checklist Front and Checklist Back
Column | Description |
Item # | The item number you allocate starting from 1 |
Review Date | The date of the review/assessment |
Front-end checks | There 26 checks for the Front-end and 15 for the Back-end check. These should be answered by your web administrators and marketing colleagues |
Page URL | The URL for the checks refer to above |
Item Title | The title of the item e.g. web page |
Rating | ICO Assurance Rating scale |
Comments | Your comments, typically relating to actions needed |
Supporting Artefacts | Evidence of item assessment e.g. a policy or procedure document |
Recommended action | Actions needed to remediate issues or gaps identified |
Table 16: Checklist Front
Checklist Front |
POPI Act compliance related items |
change password procedure |
clear about optional / mandatory data |
consent where required (staff, clients, partners) |
contact us |
data captured not excessive |
data subject request process |
data validation used |
Frequently Asked Questions (FAQs) |
help text available |
id creation |
lost id process |
lost password |
multi-tier privacy policy |
PAIA manual |
password creation strength |
payment mechanisms |
permission to use other PI |
permission to use staff details |
PI of children |
privacy notice statement(s) |
purpose of data capture explained |
security mechanisms /e.g. https |
special PI |
subscription options (email, newsletter) |
Transborder statement |
unsubscribe options |
Best Practice Items |
consumer protection compliance statement |
cookies auto pop-up |
copyright notice |
industry or sector compliance |
terms and conditions |
use of captcha or similar |
Table 17: Checklist Back
Checklist Back |
audit trail available |
authorised personnel access only |
Automated intruder alerts e.g. failed login? |
Data shared with? |
data storage |
education of employees |
log file availability |
opt out / unsubscribe management |
overall delivery platform for the site |
protection documentation |
Security checks conducted |
Site back-up in place |
Security certificates |
Penetration tests completed |
PHASE 3: CONSIDER PHASE
3. Phase 3: Consider
In this phase you should consider the outcomes of the assessments you have completed and decide what implementation actions are necessary. It is important to consider the following:
- What process, procedural, documentation, technical and contractual changes need to be made;
- The entire Personal Information life cycle from acquisition through ultimate disposal;
- All the organisational and technical factors for success (e.g. HR, IT, processes).
In order to make it easy for you, have provided a template for developing an Integrated Assessment Report. The template provides a structure for summarising your assessments as well as for listing recommendations, implementation actions, responsibilities and timeframes for each assessment.
3.1. Integrated Assessment Report
3.1.1. List of Assessments completed
You should compile a list of the assessments completed and the names of the person/s who completed them. Table 18 below provides an example.
Table 18: List of Assessments Completed
Item # | Assessments | Assessments completed by |
1 | POPI Act Compliance Health Check | |
2 | POPIA Consent Compliance Assessment | |
3 | POPIA Processing Lawfulness Assessment | |
4 | POPIA Existing Contracts and Policies Review | |
5 | POPIA Digital Devices Assessment Tool | |
6 | Information Security Assessment | |
7 | POPIA Personal Information and Physical security risk management | |
8 | Data Protection Assessment | |
9 | Information Sharing and Subject Access Assessment | |
10 | Direct Marketing Assessment | |
11 | POPIA Personal Information Diagnostic Tool | |
12 | POPIA Web Site Assessment tool |
3.1.2. Assessments output summary
You should then compile a summary of the assessments and summary rating for each one. Figure 15 below provides an example.
Figure 15: Assessments output summary
3.1.3. Recommendations
The next and very important step is to complete a recommendations table which summarises these from the assessments you have completed and the considerations you have given to gaps that need to be addressed for achieving compliance. You should list actions and timing for addressing the gaps.
Once populated, the recommendation based on the sample in table 19 below will become your detailed implementation plan.
Table 19: Recommendations Table
Item # | Assessments | Recommendation |
1 | POPI Act Compliance Health Check | Recommendation: xxxx Action: xxxx Timing: xxxx |
2 | POPIA Consent Compliance Assessment | Recommendation: xxxx Action: xxxx Timing: xxxx |
3 | POPIA Processing Lawfulness Assessment | Recommendation: xxxx Action: xxxx Timing: xxxx |
4 | Direct Marketing Assessment | Recommendation: xxxx Action: xxxx Timing: xxxx |
5 | Existing contracts and policies | Recommendation: xxxx Action: xxxx Timing: xxxx |
Phase 4: Translate Phase
4. Phase 4: Translate (Implementation)
The purpose of the Translate phase is to translate your actions to achieve the following objectives:
- Translate your plans into action
- Translate the conditions for lawful processing into specific evidence of your remediation plan taking effect
- Translate your short term compliance preparation project into a long term compliance journey
- Translate the cost of compliance into the benefits of compliance
The essential short term objective is to implement the recommendations and actions contained in the Recommendations task in the Consider phase as these will become your appropriate and reasonable technical and organisational measures for demonstrating compliance. We recommend that you open each assessment and review the detail therein when you take action on the recommendations in the Integrated Assessment Report.
Part A. Organisational Measures
It is difficult to separate organisational and technical measures so we have provided our guidance as far as possible. Typical actions for implementing organisational measures are described below:
4.1. POPIA Consent Compliance and POPIA Processing Lawfulness Measures
Two of the essential requirements for complying with POPIA is ensuring that you obtain consent for a clear, valid and lawful purpose or purposes. In order to address those requirements, it may be necessary to implement changes to the activities you evaluated in the POPIA Consent Compliance Assessment and POPIA Processing Lawfulness Assessments.
When taking action on your consent and purpose changes, we recommend that you implement recommendations for both the POPIA Consent Compliance Assessment and POPIA Processing Lawfulness Assessments in parallel as far as possible.
The activities that you assessed in both of these assessments will normally have a form or other method of collecting/updating personal information such as a computer system associated with them. If your assessment indicated that you have not asked for consent for a clear and lawful purpose, the form or system needs to be changed to include wording and a field/tick box for obtaining consent from the data subject (individual or company).
Form 4 in the POPI Act Regulations published in December 2018 shows the appropriate method for obtaining the consent of a data subject for the processing of personal information for the purpose of direct marketing. The important aspects are to ensure that your changes include obtaining consent for a clear and lawful purpose and that the data subject provides consent consciously through a mandatory tick box or dropdown field.
Applying the above will be different for every organisation so your knowledge of the activities or processes you listed in the POPIA Consent Compliance Assessment and POPIA Processing Lawfulness Assessment will need to be applied. It is also likely to be necessary to engage your colleagues in various business areas or departments as part of this activity. The changes you make will be visible to your employees, customers and other stakeholders which will give them confidence that you are protecting their personal information in a responsible manner.
Content contained in the Privacy Notices section in the POPIA Privacy and Consent Notices template will assist you in making the changes you may need.
4.2. POPIA Existing Contracts and Policies Review
In the Assessment phase, there were 2 assessment tools that you populated name, the Existing Contracts Review Tool and the Existing Policies Review Tool. Implementation actions are needed for each of the line items you inserted i.e. individual contract amendments and additional policies.
4.2.1. Existing Contracts Review Tool
There are a number of templates in the Contracts sub-folder in the Translate folder in your toolkit. These are described below:
4.2.1.1. Responsible Party to Operator Agreement
The most common requirement is for establishing agreements with service providers who provide services involving personal information to your organisation. In order to address this requirement, the Responsible Party to Operator clauses template should be used. The content of this template can be used to amend an existing contract or to establish an additional contract with the service provider (Operator). Points to be aware of are:
- The Responsible Party is your organisation, insert your company name and address for this;
- The Operator is the service provider, insert their company name and address for this.
The information above is required for the section near the beginning of the document and at the end of the document (Agreement signed by) section. Once you have populated the document, ensure you get the relevant signatures. Challenges you may face in obtaining Operator signatures are:
- An Operator/Service Provider does not wish to cooperate in which case you need to decide whether the personal information risk of continuing to use them is acceptable or whether you should find an alternative to them;
- An Operator may have their own equivalent agreement such as a Data Protection Agreement or there may be similar clauses in their Terms & Conditions documents. If in doubt, contact us for support.
4.2.1.2. Transborder Agreement
The purpose of the POPI Act Transborder Agreement template is to enable the Responsible Party (your organisation) and the Operator (a service provider such as a cloud service provider) in a country outside South Africa to formalise contractual commitment to providing adequate protection for Personal Information. This agreement is similar to the Responsible Party to Operator agreement already described but it caters for service providers and other recipients outside the South African borders.
It is important to ensure that the obligations of both parties are carried out. The following should be noted:
The Responsible Party should inform data subjects whose personal information will be sent to or processed outside South Africa that it is planned as well as the reason for the transfer. It should also ensure that the transfer is not prohibited by any other law or regulation.
The Operator must warrant that they will only process the personal information for the purpose specified by the Operator. The Operator must also warrant that personal information will be processed and protected in compliance with Chapter 9 of the POPI Act (Security Safeguards). This requires that appropriate and reasonable technical and organisation measure should be implemented in line with generally accepted information security practices. These must be listed in Annex 2.
It is important that you are familiar with the other obligations that the Operator has once the agreement is in place and that you monitor these periodically as they represent your rights as the Responsible Party. The Operator’s obligations are contained in section 7 in the Transborder agreement.
It is also important that you are familiar with the Rights of Data Subjects contained in section 8 and that the Operator understands and assists in supporting these where appropriate.
4.2.1.3. POPI Personal Information Sharing Checklists
The POPI PI Sharing Checklists document includes a number of forms and checklists which help you to assess requests for personal information to be shared as well to formalise and keep records of sharing activities.
The following forms and checklists are included:
- Template ‘Personal Information sharing request’ form;
- Template ‘Personal Information sharing decision’ form;
- POPI Personal Information Sharing Checklist – systematic sharing;
- POPI Personal Information sharing checklist – one off requests.
Each of the documents listed above contains guidance which is line with the conditions for lawful processing contained in POPIA. The most important conditions relate to having obtained consent for a clear and lawful purpose from the data subject/s. Any sharing arrangements must be compatible with the defined purpose so you should make sure that you comply with this before entering into any sharing agreements.
4.2.1.4. Personal Information Sharing Agreement Outline
This agreement is to be used where The Responsible Party is sharing personal information for which it is the Responsible Party as defined in the POPI Act.
The information may be shared with another organisation for a number of purposes, including but not limited to:
- Acting on behalf of employees, to pass information to parties such as pension funds; medical aids; South African Revenue Services (SARS), Financial Institutions, etc.;
- To fulfil statutory obligations by submitting returns to various organisations such as the Department of Labour; Sector Education and Training Authority (SETA).
Where your organisation fulfils the role of Responsible Party as defined in the POPI Act it is important that you comply with Condition 4: Further Processing, section 15 of the POPI Act.
4.2.2. Existing Policies Review Tool
During the Assess Phase, you would have listed the policies you have in place. You might not have all the recommended policies for privacy and protecting personal information which is why we have provided a comprehensive set of policy templates in our toolkit. The Policies folder also includes notices and a PAIA Manual. These are listed below:
- POPIA and PAIA Information Officer Appointment Letter.
- POPI Act / POPIA Policy.
- Information Security Policy.
- POPIA Personal Information Backup policy.
- POPIA Data breach response.
- PAIA Manual.
- PAIA data subject access request handling process.
- POPIA Records and Retention Management Policy.
- Customer Privacy Notice.
- Website Assessment Actions.
- POPIA Staff Consent Form.
- POPIA Employee Compliance Commitment Form.
- POPIA Training Records list.
Implementing the policies is relatively straightforward as the majority of them simply require you to replace [Company Name] with the name of your organisation. There are a few templates which need specific attention, these being:
4.2.2.1. POPI Act/POPIA Policy
The POPI Act/POPIA Policy provides a set of policy statements for each condition and section in the Act. It therefore demonstrates your organisation’s stance on complying with POPIA and provides guidance for your employees and other stakeholders.
To tailor the policy to your organisation, simply replace all [Company Name] instances with your organisation name, insert the name of the Information Officer and the appropriate dates into the table at the beginning of the template.
4.2.2.2. Information Security Policy
The Information Security is provided as the foundation for demonstrating your compliance with Condition 7 (Security Safeguards) in POPIA which requires technical and organisational measures for securing personal information to be in place. This policy is one of your organisational measures.
To tailor the policy to your organisation, simply replace all [Company Name] instances with your organisation name, insert the name of the Information Officer and the appropriate dates into the table at the beginning of the template.
4.2.2.3. POPIA Personal Information Backup Policy
The purpose of this policy is to ensure that your organisation’s electronic information resources are backed-up at scheduled intervals to suitably secure storage media in order to facilitate the restoration of all or part of those information resources in the event of loss or corruption of the original data.
It is important to tailor this policy to your organisation’s practices and to ensure that the sections covering Backup Schedules (4.2), Restoration (4.3) and Backup retention (4.5) represent the backup activities in your organisation both now and in the future. You should also replace all [Company Name] instances with your organisation name.
4.2.2.4. POPIA Data Breach Response
The purpose of the data breach incident response plan is to set out procedures and clear lines of authority for your staff in the event that the organisation experiences a data breach or suspects that a data breach has occurred.
This is a template on which the actual plan tailored to the needs of the organisation should be developed. In particular, the table on page 4 is designed to enable you to define the names and roles on members of the Data Breach Incident Response Team (DBIRT). Once you have added the details of the team members, it is essential that you turn your document into a living operational plan. You should also replace all [Company Name] instances with your organisation name.
4.2.2.5. PAIA Manual Template
The purpose of the PAIA Manual is to provide a process for external parties to request information held by a company. It is an enabler for citizens’ Right to Access to Information as contained in the Promotion of Access to Information Act (PAIA). It also provides a process for Data Subject Requests as contained in the Protection of Personal Act (POPI Act/POPIA) to raise a request. This will change once POPIA has fully commenced as there is a form in the POPI Act Regulations for this purpose.
In order to tailor the template to your organisation, your primary task is to replace the generic wording with information specific to your organisation i.e. company name, address, contact details, name of Designated Head (CO, MD or equivalent). You should also list the name and contact details of the person appointed by the Designated Head (Information Officer) to process PAIA requests.
Your next task is to refine the list of legislation to include the laws and regulations that apply to your organisation i.e. those with which you comply.
Once you have tailored the PAIA Manual template to reflect the details of your organisation, you should publish it prominently on the landing or home page of your website. You should also make a process based on Form C in the manual available to external parties so that they can raise a formal request for information.
If your organisation is a private body, you do not need to submit it to the Human Rights Commission. If, however, your organisation is public body (government organisation), it is mandatory to submit it to them.
4.2.2.6. PAIA data subject access request handling process
The purpose of this document is to provide you with guidance on handling Data Subject Access Requests (DSARs). Requests of this nature will be raised using the Form C request process you established in conjunction with your PAIA Manual.
The document helps you to assess if the request is a DSAR or a request for other company information. It also guides you in assessing the validity of the request and to decide whether to grant or decline the request.
4.2.2.7. POPIA Records and Retention Management Policy
The purpose for this policy is to establish the minimum requirements for Records Management in support of compliance with the POPI Act and good governance and effective risk management.
A records management policy is a cornerstone of effective management of records in an organisation. The policy also enables you to defined retention periods for various types of information in your organisation.
Sections that should be tailored to your company’s information are Roles and responsibilities (4.2), Approved Storage Locations (4.3.1), Records Retention Management Schedule (6.3).
4.2.2.8. Customer Privacy Notice
The Customer Privacy Notice template has been provided for use on your website to inform visitors about the personal information you collect, store and use. It should be amended to contain your company/organisation and checked for any areas that are not applicable i.e. information you do not collect or store.
4.2.2.9. Website Assessment Actions
Each organisation will have identified its own actions in the Website Assessment but there are few actions that you should take as a minimum. These are:
- Publish your amended Customer Privacy Notice;
- If you collect personal information via your website (you should have evaluated this is the POPIA Consent Compliance and Processing Lawfulness assessments), amendments to the collection form as well as a tick-box should be added to your site;
- A Cookie Notice should be added if you use cookies to track the behaviour of visitors to you site to inform them of your practices and to give them the option to leave the website if they do not agree with this.
4.2.2.10. POPIA Physical and Information Risk Assessment Actions
An essential aspect of organisational measures is the management of personal information related risks. In your risk assessment tool, you will have highlighted physical and other personal information risks. Examples of a few common physical risks and measures are shown in table 20 below.
Table 20: POPIA Physical and Information Risk Assessment Actions
Risk | Organisational Measure/Risk Treatment Measure |
Inadequate building security e.g. entrances, gates, etc. | Security guards and access control systems |
Insecure areas e.g. areas such as HR areas, control rooms, etc. | Access control systems |
Inadequately secured records e.g. cupboards containing employee files, etc. | Locked cupboards, safes, etc. |
Insecurely document disposal e.g. documents discarded in waste bins | Shredders or external shredding services. |
4.2.2.11. POPIA Staff Consent Form
The purpose of this form is to obtain consent from employees for storing and processing their personal information for the purpose of maintaining employee records and sharing it with organisations such as medical schemes, SARS and other valid company specific purposes. Typical purposes are included in the template. Any additional purposes can be added provided they are lawful. A check against the POPIA Consent Compliance Assessment and the POPIA Processing Lawfulness will be helpful when adding any additional purposes.
4.2.2.12. POPIA Employee Compliance Commitment Form
The purpose of this form is to obtain commitment from employees when dealing with personal information. It contains a comprehensive list of types of personal information and scenarios in which they should exercise care.
The form should signed by all employees thereby obtaining an undertaking to safeguard personal information to which they access to and handle on behalf of the company.
4.2.2.13. POPIA Staff Training Records
It is important to maintain staff training records. The POPIA Staff Training Register template should be used to maintain records as well as attendance certificates from any POPIA course staff members attend.
Part B: Technical Measures for Compliance
Technical measures will vary between organisations and will depend on the detail in your assessments. There are, however, a number of areas common to most organisations, these being:
4.3. Information Security (Technical Measures)
Information Security is an essential practice in its own right as all organisations must use their best endeavours to protect all forms of information i.e. paper based/non-digital and digital/electronic based information. Within the context of personal information and this guide, it is important to review the following assessments you have completed:
- Information Security Assessment;
- Digital Devices Assessment;
- Personal Information Risk Assessment;
- Website Assessment.
Common findings in these assessments to name a few are:
- Inadequate anti-virus, anti-malware and anti-ransomware software;
- Weak password polices;
- Lack of auto-lock practices on PCs and laptops;
- Lack of use of file encryption software for personal information;
- Inadequate user access control and management;
- Inadequate personal information destruction practices;
- Inadequate remote working/work from home security practices;
- Uncontrolled management of employee and contractor owned devices;
- Inadequate network security e.g. lack of segmentation, firewalls, etc.
Very often quick wins can be achieved by implementing technical measures for a few of the above as appropriate in your organisation.
4.4. Personal Information Management
While the management of personal information is a combination of technical and organisational measures, there are a number of areas which should be considered. In order to do so, the following assessments and policies you completed should be reviewed for the following:
4.4.1. Personal Information Diagnostic tool
- Ownership of personal information in systems is often not clearly defined,
- User access rights are not well defined or controlled;
- Both of the above can be improved by management and technical access control solutions.
4.4.2. Personal Information Backup Policy
It is common for organisations to implement policies but to not follow these from operational and technical perspectives. Be sure that your technical activities for backing up and testing restores are carried out in terms of actual tasks.
4.4.3. POPIA Records and Retention Management Policy
As with the backup policy, it is important to that you follow you the records and retention management details in your policy so that you can demonstrate how you manage and destroy personal information once it has reached the end of its retention period.
Congratulations!!!
Congratulations are in order, you have reached the end of your POPIA compliance preparation project. However, it doesn’t end here as it is important to ensure that continue to maintain the good measures you have implemented. Section 5 covers Post Implementation Compliance so remember to make this an operational activity. Continuous improvement practices are also encouraged so that your organisation enhances its privacy and data protection practices.
POST IMPLEMENTATION PHASE
5. Post Implementation Compliance
As already mentioned, it is essential to continue with the ongoing monitoring of your POPIA compliance efforts and to ensure that you maintain your assessments, policies, contracts and other documents. To help you with this process, we have provided a self-assessment of POPI Act ongoing compliance monitoring checklist in table 21 below.
Completed by: (Name)________________
(Organisation)________________________(Date)____________________________
Table 21: Post Implementation Compliance Checklist
Action Item | Recommendation from IACT-Africa | Self-assessment feedback | IACT-Africa review comments |
Publishing policies and periodic review thereof | Annual review | ||
Induction training | Build POPI training into new staff induction; get staff consent form signed | ||
Periodic communication | Send out reminders to staff about POPIA every quarter; use stickers and videos | ||
Privacy notices are published | Annual review | ||
Approving contracts with Data Operators | Ensure any new contract covers POPI Act requirements | ||
Information Quality policies and controls | Conduct annual ownership audit for Personal Information at the organisationConsider clean desk audits every quarterConduct reviews of Personal Information data quality (accuracy, completeness, retention compliance) at least annually | ||
Security safeguards and controls | Request IT manager to conduct security checks at least every six months;Review business continuity plan on an annual basis | ||
PAIA manual | Annual review | ||
Information Regulator communications | Monitor establishment of the Information Regulator and any implications for youRegister the PPS Information Officer with the Regulator as soon as possibleTrack possible data breaches for reporting to the Information Regulator once established | ||
Staff to sign statement that they have been made aware of their responsibilities | Annual review | ||
Obtaining consent from staff – staff to sign consent form | Annual review | ||
Ensure that direct marketing policies and notices are in place | Annual review | ||
Ensure that data subject requests are handled in line with your POPI Policy | Monitor on an Ad Hoc basis | ||
Establish an Information Classification system based on varying degrees of sensitivity and criticality | Complete this within 6 months; implement within the following 6 months | ||
Keep up to date with POPIA and PAIA developments | Follow @sapopitalk on Twitter |
Ongoing support
Ongoing support is available via mail on popiasupport@iact-africa.com
APPENDICES
Appendices
Appendix A: Form 4 from the POPI Act Regulations
FORM 4
APPLICATION FOR THE CONSENT OF A DATA SUBJECT FOR THE PROCESSING OF PERSONAL INFORMATION FOR THE PURPOSE OF DIRECT MARKETING IN TERMS OF SECTION 69(2) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018
[Regulation 6]
TO: | __________________________________________ |
__________________________________________ | |
__________________________________________ | |
__________________________________________ | |
(Name of data subject) | |
FROM: | __________________________________________ |
__________________________________________ | |
__________________________________________ | |
__________________________________________ | |
Contact number(s): | __________________________________________ |
Fax number: | __________________________________________ |
E-mail address: | __________________________________________ |
(Name, address and contact details of responsible party) |
Full names and designation of person signing on behalf of responsible party:
…………………………………………………….
Signature of designated person
Date: ________________
PART B
I, _________________________________________(full names of data subject) hereby:
Give my consent.
To receive direct marketing of goods or services to be marketed by means of electronic communication.
SPECIFY GOODS or SERVICES:
SPECIFY METHOD OF COMMUNICATION: FAX:
E – MAIL:
SMS:
OTHERS – SPECIFY:
Signed at …………………………………… this …………………. day of ………………………20…………
………………………………
Signature of data subject