- A condition for the processing of personal information is that you process personal information securely by means of ‘appropriate, reasonable technical and organisational measures’’.
- You are required to secure the integrity and confidentiality of personal information in your possession or under your control.
- You are also responsible for the integrity and confidentiality of personal information processed by your operators (and their subcontractors).
- The technical and organisational measures you take must prevent—
- loss of, damage to or unauthorised destruction of personal information; and
- unlawful access to or processing of personal information.
- In order for you to secure the integrity and confidentiality of personal information, you must take reasonable measures to—
- identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
- You must have due regard to generally accepted information security practices and procedures (e.g. ISO 27701) which may apply to your business generally or be required in terms of specific industry or professional rules and regulations.
- You must ensure that an operator or anyone processing personal information on your behalf or an operator—.
- processes such information only with your knowledge or authorisation; and
- treats personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.
- You must put in place a written contract with the operator to ensure that the operator establishes and maintains the security measures referred to in section 19.
- The measures must also enable you to restore access and availability to personal information in a timely manner in the event of a physical or technical incident.
- You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements.
☐ We undertake an analysis of the risks from processing personal information, and use this to assess the appropriate level of security we need to put in place.
☐ When deciding what measures to implement, we take account of generally accepted information security practices and procedures like ISO 27701.
☐ We have policies in place to direct the implementation of security practices.
☐ We make sure that we regularly review our information security measures and, where necessary, improve them.
☐ We understand that we may also need to put other technical measures in place depending on our circumstances and the type of personal information we process.
☐ We understand the requirements of confidentiality and integrity for the personal information we process.
☐ We make sure that we can restore access to personal information in the event of any incidents, such as by establishing an appropriate backup process.
☐ We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.
☐ Where appropriate, we implement measures that adhere to an approved code of conduct.
☐ We ensure that all the operators we use implement appropriate technical and organisational measures.
- Why we should worry about information security?
- How do you select technical and organisational measures?
- What level of security is required?
- What technical measures are needed?
- What organisational measures are needed?
- What do we need to do?
- How do we notify security compromises?
Poor information security leaves your systems and services at risk and may cause real harm and distress to data subjects – lives may even be endangered in some extreme cases.
Some examples of the harm caused by the loss or abuse of personal information include:
- identity fraud;
- fake credit card transactions;
- targeting of individuals by fraudsters, potentially made more convincing by compromised personal information;
- witnesses put at risk of physical harm or intimidation;
- offenders at risk from vigilantes;
- exposure of the addresses of service personnel, police and prison officers, and those at risk of domestic violence;
- fake applications for tax credits; and
- mortgage fraud.
Although these consequences do not always happen, you should recognise that data subjects are still entitled to be protected from less serious kinds of harm, for example embarrassment or inconvenience.
Information security is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of POPIA.
The information security requirement goes beyond the way you store or transmit information. Every aspect of your processing of personal information is covered. This means the security measures you put in place should seek to ensure that:
- the data can be accessed, altered, disclosed or deleted only by those you have authorised to do so (and that those people only act within the scope of the authority you give them);
- the data you hold is accurate and complete in relation to why you are processing it; and
- the data remains accessible and usable, i.e, if personal data is accidentally lost, altered or destroyed, you should be able to recover it and therefore prevent any damage or distress to the individuals concerned.
Your approach to selecting technical and organisational measures should be risk based. Select those measures that will be most effective in protecting the rights of data subjects.
The GDPR does not define the security measures that you should have in place. It requires you to have a level of security that is ‘appropriate’ to the risks presented by your processing. You need to consider this in relation to the state of the art and costs of implementation, as well as the nature, scope, context and purpose of your processing.
This reflects both the GDPR’s risk-based approach, and that there is no ‘one size fits all’ solution to information security. It means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents to your organisation.
So, before deciding what measures are appropriate, you need to assess your information risk. You should review the personal data you hold and the way you use it in order to assess how valuable, sensitive or confidential it is – as well as the damage or distress that may be caused if the data was compromised. You should also take account of factors such as:
- the nature and extent of your organisation’s premises and computer systems;
- the number of staff you have and the extent of their access to personal data; and
- any personal data held or used by a data processor acting on your behalf.
Technical measures are sometimes thought of as the protection of personal data held in computers and networks. Whilst these are of obvious importance, many security incidents can be due to the theft or loss of equipment, the abandonment of old computers or hard-copy records being lost, stolen or incorrectly disposed of. Technical measures therefore include both physical and computer or IT security.
When considering physical security, you should look at factors such as:
- the quality of doors and locks, and the protection of your premises by such means as alarms, security lighting or CCTV;
- how you control access to your premises, and how visitors are supervised;
- how you dispose of any paper and electronic waste; and
- how you keep IT equipment, particularly mobile devices, secure.
When considering information security, you should look at factors such as:
- system security – the security of your network and information systems, including those which process personal data;
- data security – the security of the data you hold within your systems, eg ensuring appropriate access controls are in place and that data is held securely;
- online security – eg the security of your website and any other online service or application that you use; and
- device security – including policies on Bring-your-own-Device (BYOD) if you offer it.
Carrying out an information risk assessment is one example of an organisational measure, but you will need to take other measures as well. You should aim to build a culture of security awareness within your organisation. You should identify a person with day-to-day responsibility for information security within your organisation and make sure this person has the appropriate resources and authority to do their job effectively.
Documentation is an organisational measure. So too are training, procedures, management supervision and policies
- Your security measures need to be appropriate to the size and use of your network and information systems;
- You should take into account the state of technological development and generally accepted information security practices and procedures;
- Your security must be appropriate to your business practices. For example, if you offer staff the ability to work from home, you need to put measures in place to ensure that this does not compromise your security; and
- Your measures must be appropriate to the nature of the personal information you hold and the harm that might result from any compromise.