524 research outputs found

    A model to assess organisational information privacy maturity against the Protection of Personal Information Act

    Includes bibliographical references. Reports on information security breaches have risen dramatically over the past five years with 2014 accounting for some high-profile breaches including Goldman Sachs, Boeing, AT&T, EBay, AOL, American Express and Apple to name a few. One report estimates that 868,045,823 records have been breached from 4,347 data breaches made public since 2005 (Privacy Rights Clearing House, 2013). The theft of laptops, loss of unencrypted USB drives, hackers infiltrating servers, and staff deliberately accessing clients’ personal information are all regularly reported (Park, 2014; Privacy Rights Clearing House, 2013). With the rise of data breaches in the Information Age, the South African government enacted the long awaited Protection of Personal Information (PoPI) Bill at the end of 2013. While South Africa has lagged behind other countries in adopting privacy legislation (the European Union issued their Data Protection Directive in 1995), South African legislators have had the opportunity to draft a privacy Act that draws on the most effective elements from other legislation around the world. Although PoPI has been enacted, a commencement date has still to be decided upon by the Presidency. On PoPI’s commencement date organisations will have an additional year to comply with its requirements, before which they should: review the eight conditions for the lawful processing of personal information set out in Chapter three of the Act; understand the type of personal information they process; review staff training on mobile technologies and limit access to personal information; ensure laptops and other mobile devices have passwords and are preferably encrypted; look at the physical security of the premises where personal data is stored or processed; and, assess any service providers who process information on their behalf.
With the demands PoPI places on organisations this research aims to develop a prescriptive model providing organisations with the ability to measure their information privacy maturity based on “generally accepted information security practices and procedures” (Protection of Personal Information Act, No.4 of 2013, sec. 19(3)). Using a design science research methodology, the development process provides three distinct design cycles: 1) conceptual foundation 2) legal evaluation and 3) organisational evaluation. The end result is the development of a privacy maturity model that allows organisations to measure their current information privacy maturity against the PoPI Act. This research contributes to the knowledge of how PoPI impacts on South African organisations, and in turn, how organisations are able to evaluate their current information privacy maturity in respect of the PoPI Act. The examination and use of global best practices and standards as the foundation for the model, and the integration with the PoPI Act, provides for the development of a unique yet standards-based privacy model aiming to provide practical benefit to South African organisations.

    The effect of pertinent factors in preparation for compliance with the South African Protection of Personal Information Act of 2013 (POPI)

    A research report submitted in partial fulfillment of the requirements for the degree of Master of Arts in the field of Information Communication Technology Policy and Regulation MA (ICTPR) to the Faculty of Humanities, University of the Witwatersrand, May 2018. While South Africa passed the Protection of Private Information (POPI) Act in 2013, it has not been fully enforced. Consequently there is only a basic understanding of the effect of preparation to comply with the Protection of Personal Information (POPI) Act on the organisation, staff and cost anticipated for the compliance effort. This study delves into these aspects to build a picture of various factors that are pertinent in preparation to comply. This study is exploratory due to the Act being relatively new and not fully enforced yet. It is qualitative in nature, specifically employing a constructivist lens, and gathering opinions and feelings of respondents to gain insights on the research question posed. The tool for data collection was formal semi-structured interviews that allowed for all interviewees to be asked the same questions and for flexibility to drill down into responses to gain deeper insight. The analytical framework combines elements from two ISO standards - 19600 & 17799 (now 27002) and the OECD’s Compliance Cost Assessment (CCA) framework. The retrospective effect of the Act was determined to be a risk in preparation for compliance particularly the conditions for lawful processing of information as currently held information would need to comply with the Act as well as new information being collected going forward. Compliance with legal requirements works hand in hand with corporate governance. The King IV codes are an example of corporate governance standards in South Africa and have bearing on data protection and data governance and suggest that it be on the agenda of the Board of an organisation.
While the codes of governance are detailed and good practice by many accounts they are not legally binding and as such the POPI Act can be seen to be the legal instrument to ensure a minimum standard of protection across the board. A unique aspect of the POPI Act is pertinent to organisations in that juristic person’s privacy is protected by the Act. Various reasons are given for this, but the analysis determined that the most plausible is that this is due to the constitution. How this is done could be determined by a future study into the matter. Governance and organisational theory are traversed also. Compliance with legislation is central to these. The Act stands to affect the structure of organisations and spur change. The study also proposes a model for compliance. MT 201

    Data management instruments to protect the personal information of children and adolescents in sub-Saharan Africa

    Recent data protection regulatory frameworks, such as the Protection of Personal Information Act (POPI Act) in South Africa and the General Data Protection Regulation (GDPR) in the European Union, impose governance requirements for research involving high-risk and vulnerable groups such as children and adolescents. Our paper's objective is to unpack what constitutes adequate safeguards to protect the personal information of vulnerable populations such as children and adolescents. We suggest strategies to adhere meaningfully to the principal aims of data protection regulations. Navigating this within established research projects raises questions about how to interpret regulatory frameworks to build on existing mechanisms already used by researchers. Therefore, we will explore a series of best practices in safeguarding the personal information of children, adolescents and young people (0-24 years old), who represent more than half of sub-Saharan Africa's population. We discuss the actions taken by the research group to ensure regulations such as GDPR and POPIA effectively build on existing data protection mechanisms for research projects at all stages, focusing on promoting regulatory alignment throughout the data lifecycle. Our goal is to stimulate a broader conversation on improving the protection of sensitive personal information of children, adolescents and young people in sub-Saharan Africa. We join this discussion as a research group generating evidence influencing social and health policy and programming for young people in sub-Saharan Africa. Our contribution draws on our work adhering to multiple transnational governance frameworks imposed by national legislation, such as data protection regulations, funders, and academic institutions

    Higher education access in South Africa for students with criminal records

    No Abstract

    Addressing trust, security and privacy concerns in e-government integration, interoperability and information sharing through policy: a case of South Africa

    Technology enabled government promises to deliver better services and hence facilitate better lives for citizens. However such e-government cannot be implemented without trust between government and citizens and between government departments. Concerns over information security and privacy have become a contentious issue for governments and stand in the way of that trust. Policy and legislation are two mechanisms that governments have to implement to address these concerns. The purpose of this study was therefore to identify and review policy and legislative measures implemented by the South African government to address information security and privacy as well as e-government information sharing, integration and interoperability. The study is an interpretive case study using documentary evidence and a review of literature as data collection methods. The study found that South Africa has implemented a number of policy and legislative measures aimed at addressing these concerns. The study concluded that some of these measures are compromised by poor implementation, poor coordination in government, poor state of governance, conflicting legislation and policy and poor compliance

    The regulation of unsolicited electronic communications (SPAM) in South Africa : a comparative study

    The practice of spamming (sending unsolicited electronic communications) has been dubbed “the scourge of the 21st century” affecting different stakeholders. This practice is also credited for not only disrupting electronic communications but also, it overloads electronic systems and creates unnecessary costs for those affected than the ones responsible for sending such communications. In trying to address this issue nations have implemented anti-spam laws to combat the scourge. South Africa not lagging behind, has put in place anti-spam provisions to deal with the scourge. The anti-spam provisions are scattered in pieces of legislation dealing with diverse issues including: consumer protection; direct marketing; credit laws; and electronic transactions and communications. In addition to these provisions, an Amendment Bill to one of these laws and two Bills covering cybercrimes and cyber-security issues have been published. In this thesis, a question is asked on whether the current fragmented anti-spam provisions are adequate in protecting consumers. Whether the overlaps between these pieces of legislation are competent to deal with the ever increasing threats on electronic communications at large. Finally, the question as to whether a multi-faceted approach, which includes a Model Law on spam would be a suitable starting point setting out requirements for the sending of unsolicited electronic communications can be sufficient in protecting consumers. And as spam is not only a national but also a global problem, South Africa needs to look at the option of entering into mutual agreements with other countries and organisations in order to combat spam at a global level. Mercantile Law LL. D

    SMALL ENTERPRISE FINANCE AGENCY (SEFA) PREPAREDNESS TO IMPLEMENT THE PROTECTION OF PERSONAL INFORMATION (PoPI) ACT, No. 4 of 2013

    This is a qualitative study on the preparedness of the Small Enterprise Finance Agency to implement the Protection of Personal Information Act (PoPI), No. 4 of 2013. The impetus for this study originated in the realisation that, after the promulgation of the Protection of Personal Information Act, No.4 of 2013 (PoPI) on 19 November 2013 to date, little has been done by public and private bodies to establish reliable controls for the processing and protection of personal information. Other factors were also considered, such as Section 13 of the National Archives and Record Service of South Africa Act (No. 43 of 1996 as amended), which requires government departments to develop, implement and maintain proper information management systems. This study intends to investigate the attitudes and opinions of those individuals involved in the management of personal information, who may contribute to the readiness to implement the PoPI Act at SEFA Head Office. The current gaps associated with the implementation of the Protection of Personal Information (PoPI) Act in SEFA are explored. The researcher also investigates the processes and procedures that are in place for the implementation of the PoPI Act and SEFA capabilities, as well as the current state of compliance to the implementation of the PoPI Act. The observation of SEFA Records Management Policy and Procedures, SEFA Records Retention Schedule, SEFA Records Classification Schedule and SEFA records storerooms compliance with ISO 11799-2003 (International Standard on Document Storage Requirements for Archives and Libraries) was the primary technique of data collection, followed by interviews based on a questionnaire. The sample involved in the questionnaire was drawn from a population of 173 staff members at the internal departments at SEFA Head Office, who manage personal information. Interviews were conducted with 10% (sample of 17 employees) of staff members from each of the 11 departments.
The officials varied from Head of Departments, Managers and Administrators responsible for managing their departmental personal information. Information Science

    Online Consumer Protection: an analysis of the nature and extent of online consumer protection by South African legislation

    Includes bibliographical references

    Investigating the Misalignment in the Existing E-Legislation of South Africa

    South Africa has recently enacted several e-legislation in order to address the escalating e-crime, the rise in electronic abuse and also the indifferences of the past. However, research shows that many organisations including public institutions do not understand these laws and thus, fail to comply with them. One major contributor to this are the inconsistencies found in the legislation. The National Development Plan and the Mid-term Strategic Framework recognise the complexity of laws, and thus endorse improvements in the removal of unnecessary obstacles and consistencies. Hence, the objectives of the present study are to examine the existing e-legislation in South Africa; identify areas of misalignment and investigate the factors that contribute to the misalignment. Ultimately researchers aim to develop a framework that can be used to guide the alignment of e-legislation in South Africa. Extensive literature review was conducted to understand alignment of legislation. Firstly, all the e-legislation that was passed between the years 2000 and 2013 was retrieved and obtained from Sabinet database. This legislation was studied extensively and inconsistencies were identified. A conceptual framework which indicates contributing factors to misalignment and impact of misalignment to non-compliance, was developed and proposed to guide alignment of e-legislation. Based on the conceptual framework a questionnaire with open ended question was developed and tested in the Parliament of South Africa, since this institution champions the development and implementation of national laws such as the e-legislation. A total number of 50 respondents participated in the survey wherein the focus groups were people who are involved in the process of making/drafting laws, specifically ICT Laws. The influence of the factors on misalignment was measured and both qualitative and quantitative analysis confirmed these influences.
The study reveals that lack of good industry standards has the greatest influence to the misalignment of e-legislation in South Africa. For instance lack of benchmarking, standardised procedures contribute the most to the misalignment of e-legislation, and that misalignment results into non-compliance. Therefore, in order to address these issues, South Africa must emphasize on benchmarking with good industry standards, and this can be achieved through harmonisation of e-legislation in the region and globally. It is also a major concern that some aspects of earlier e-legislation have not been repealed. Qualitative data also raises some issues relating to lack of ICT skills by legislators, political influences, lack of public participation, etc. Capacity/skills development issues e.g. legislative drafting and ICT technical skills for legislators must be addressed. Moreover, public involvement as a constitutional mandate must be strengthened in South Africa to ensure citizens are engaged and actively participate in the law-making process

    BYOD adoption concerns in the South African financial institution sector

    Bring Your Own Device (BYOD) is an emerging trend and practice that is growing in use in many organizations. There is however very limited literature on BYOD in the context of financial institutions from a developing country perspective. The dearth of such studies is problematic because financial institutions deal with a lot of sensitive and confidential information and therefore their adoption of BYOD could be detrimental to their practice. This study contributes to this gap in literature by providing empirical observation that show how technological and contextual factors affect financial institutions adoption of BYOD. Following a qualitative approach, and using semi structured interviews as a source of data collection; the findings show that cost, complexity, a culture of innovation, and top management support were factors that were perceived as enablers of BYOD. South African organizations in the financial services use BYOD to help add value to their work as opposed to it being a cost saving necessity. However, the continuous changes in government regulation regarding the use of data; and the lack of conducive ICT infrastructure were deemed as hindrances to BYOD. As a result of the changing regulations and the lack of knowhow on implementation of these regulations, most organizations failed to formalize their BYOD strategies