PROTECTION OF PERSONAL INFORMATION POLICY
Eversmile South Africa (Pty) Ltd., because of the role it fulfils as collator and custodian of sensitive personal information which includes, information relating to identity, race, gender, age, identifying number, e-mail address, telephone number etc. has a legal and moral responsibility to its clients to ensure that all the staff of Eversmile South Africa (Pty) Ltd.:
• obtain and process personal information fairly; and
• keep it only for a specified and explicit lawful purpose; and
• process it only in ways compatible with the purposes for which it was given initially; and
• keep personal data safe, confidential, and secure; and
• keep data accurate, complete, and up to date; and
• retain it for a period no longer than is necessary for the specified purpose; and
• provide a copy of a clients’ personal information to that client, on request.
The introduction of the Protection of Personal Information Act (“POPIA”) further strengthens the need to ensure confidentiality of personal information. The POPIA is an important legal reform, creating a regime of consumer protection that has become essential in the information age. It is data protection legislation intended to protect the personal information of individuals held by third parties. The legislation centers on a set of “information protection principles” which flesh out a general and higher-level requirement that personal information must be processed lawfully and in a reasonable manner that does not infringe on the privacy of the data subject.
Three important concepts are defined in the Act namely:
‘data subject’ means, according to the definitions in Section 1, the person to whom personal information relates. While the data subject is the principal right-holder under the POPIA, the principal duty-bearer is termed the “responsible party”, defined as “the public or private body or any other entity which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.
“personal information” means information about a person’s race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language, education, medical information, financial information, criminal or employment history, an identifying number, e-mail address, physical address, telephone number, blood type, biometric information, personal opinions, views or preferences of a person; correspondence of a private or confidential nature; and the name of the person if it appears with other personal information relating to the person.
“process” meaning collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation, use, dissemination, distribution, merging, linking, blocking, degradation, erasure or destruction of information.
POPIA requires that an Information Protection Officer be appointed. Lindie Denny, an employee within the company will assume the duties of the Information Protection Officer for the company where the responsibilities are defined in the Act as:
each responsible party must ensure that there are, within that body, one or more information protection officers whose responsibilities include –
(a) the encouragement of compliance, by the body, with the information protection principles;
(b) dealing with requests made to the body pursuant to this Act;
(c) working with the Commission in relation to investigations conducted pursuant to Chapter 6 of this Act in relation to the body;
(d) otherwise ensuring compliance by the body with the provisions of this Act.
Information protection principles contained in POPIA can be summarised as follows:
• Any person who stores personal and private information (“PI”) about anyone else may not do so without the direct consent by the effected person – the “data subject”.
• Any “data subject” may request to review any PI stored about them at any time and such information may not be withheld. The “data subject” may request for correction to be made to erroneous information and the data holder will be obliged to make such corrections.
• No PI may be disclosed to any person without the direct authorisation of the “data subject”. A breach in this regard will be considered a serious and punishable offence.
• No alterations or changes of any nature may be made to the PI or data kept on a “data subject” without the direct authorisation of the “data subject”.
• No data may be released to any person resulting in the distinctive identification of a “data subject” for the purposes of research, statistics, or any other similar purpose.
It is therefore essential that all Eversmile’s employees working with the personal information of all clients must be educated on the principles of POPIA and how to deal with requests by any person regarding enquiries regarding “data subject”. The golden rule should be not to disclose any information to any person if you are not convinced it is correct to do so. In such an instance, the request should be forwarded to the Information Protection Officer.
Security measures regarding the protection of employee information must be reviewed to ensure the safe keeping of information.
The purpose of this Policy is to provide guidelines to assist employees to ensure that PI in their possession is kept safe and secure and that Eversmile South Africa (Pty) Ltd. therefore meets all legal responsibilities.
This section of the Policy sets out guidelines in several specific areas where particular attention should be paid to help protect the confidentiality of PI held by the company.
1. It is essential that the Information Protection Officer is aware of what PI is held, where it is held, and the consequences should that PI be lost or stolen.
2. Access to the Eversmile office as well as documents, software, data center and server rooms used to host hardware and software on which PI is stored should be restricted only to those Eversmile staff members that have authorisation to view and access the PI.
3. Access to documents or databases which are no longer in active use, and which contain PI should be removed where such access is no longer necessary or cannot be justified.
4. Passwords used to access PC’s, applications and databases should be of sufficient strength to deter password cracking or guessing attacks. A password should include numbers, symbols, upper and lowercase letters. If possible, password length should be around 12 to 14 characters but at the very minimum of 8 characters. Passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates must be avoided. The Protection Information Officer is responsible to ensure that passwords are changed on a regular basis and that an audit trail is received which highlights non-compliance.
5. A procedure must be instituted which evaluates requests from other organisations or third parties for access to PI stored by Eversmille South Africa (Pty) Ltd.
6. Personnel who retire, transfer, or resign should be removed immediately from mailing lists and access control lists. It is the responsibility of the Protection Information Officer to ensure that procedures are in place to ensure compliance with this provision of the Policy.
7. Contractors, temporary staff, consultants, and external service providers employed by Eversmile should be subject to strict procedures with regard to accessing PI. This must be by way of a formal contract which includes the necessary confidentiality clauses and ensures that such parties will undertake and adhere to similar requirements as set out in this Policy to ensure the confidentiality of PI.
8. The Protection Information Officer must ensure that each employee receives a copy of this Policy which should be understood and signed by each employee of the company.
9. The Protection Information Officer is responsible for completing a Risk Audit examining the risks associated with the storage, handling, and protection of PI at least every six months.
10. Procedures should be put in place in relation to disposal of client files (both paper and electronic) containing PI. Paper with PI must be shredded, and the Protection Information Officer must ensure that adequate shredders are available. Further, procedures should also be put in place in relation to the secure disposal of computer equipment (especially storage media) at end-of-life.
11. New staff should be carefully coached, trained, and should be fully informed of their obligations before being allowed to access confidential or PI.
12. Staff should ensure that visitors to the office or other unauthorised persons are unable to view personal or sensitive information whether held in the form of paper documents or information displayed on PC monitors.
13. All staff should ensure that PCs are logged off or “locked” when left unattended for any period of time. Where possible, staff should be restricted from saving files to the local disk. Users should be instructed to only save files to their allocated network drive.
14. PI documents must be locked away in a secure location when not in use. A “Clean Desk Policy” must be implemented to ensure that no documentation is left on employee’s desks overnight.
15. Appropriate and secure filing procedures (both paper and electronic) should be drawn up and followed.
The following guidelines should be followed with regards to PI data held on paper files: –
1. Paper records and files containing PI should be handled in such a way as to restrict access only to those persons with business reasons to access them.
2. This should entail the strict enforcement of a policy whereby paper files containing such data are locked away when not required or overnight – a “clean desk policy”. Where possible consideration should also be given to the implementation of a register or logging access to paper files containing PI.
3. PI held on paper must be kept hidden from visitors to the offices.
4. Secure disposal of confidential waste should be in place and properly used. The discipline must be instilled into all staff members that papers, notes or any paper containing PI must be shredded.
All staff members of Eversmile South Africa (Pty) Ltd. are required to take extreme care when using email in particular:
1. Standard unencrypted email should never be used to transmit any PI. Staff members that have to use e-mail to transfer such data must ensure that PI is encrypted either through file encryption, the use of a secure e-mail facility which will encrypt the data (including any attachments) being sent or at the very least, robust passwords. The default option should always be to utilise the strongest encryption methods available. Employees should ensure that e-mails contained PI is sent only to the intended recipient.
2. Where PI is held on applications and databases with relevant security and access controls in place, additional controls should be considered that would prevent such data from being copied to applications where no security or access controls are in place and/or can be bypassed.
In the event that a large amount of work is to be performed at the premises of clients, the Eversmile South Africa (Pty) Ltd. staff should be able to access servers and databases remotely. This brings its own challenges in relation to data security which Eversmile South Africa (Pty) Ltd. must address. With regard to PI, the following guidelines should be adhered to:
1. In the first instance, all PI held electronically should be stored centrally on the server. Data that is accessible by remote access should not be copied to employee’s PC’s or to portable storage devices, such as laptops, memory sticks and external hard drives that may be stolen or lost.
2. When accessing data remotely, it must be done via a secure encrypted link with relevant access controls in place.
3. Additional stringent security and access controls should be in place including inter alia the mandatory use of strong passwords or security token authentication.
4. PI being accessed in this way should be prevented from being copied from the central location to the remote device.
5. Eversmile South Africa (Pty) Ltd. will utilize technologies that will provide for the automatic deletion of temporary files which may be stored on remote machines by its operating system.
6. Eversmile South Africa (Pty) Ltd. must ensure that only known machines configured appropriately to the Company’s standards (for example with up-to-date anti-virus and anti-spyware software and full encryption), are allowed to remotely access centrally held PI. Authorization for remote access must be furnished by the Protection Information Officer. The strongest encryption methods available should be used to encrypt data on these machines.
7. Staff should be aware that it is imperative that any wireless technologies or networks used when accessing Eversmile’s systems should be encrypted to the strongest standard available.
LAPTOPS AND OTHER MOBILE STORAGE DEVICES
(Including USB memory sticks and external hard drives)
The use of laptops, USB memory sticks and other portable or removable storage devices has increased substantially in the last number of years. Likewise, the use of mobile phones to access and send e-mails has also increased. These devices are useful business tools however they are highly susceptible to loss or theft and often contain inferior security protection. Concomitantly, to protect the content held on these devices, the following recommendations should be followed:
All portable devices should be password-protected to prevent unauthorized use of the device and access to PI held on the device. In the case of mobile phones, both a PIN and login password should be used. Manufacturer or operator-provided PIN codes must be changed from the default setting by the user on receipt of the device.
1. Passwords used on these devices should be of sufficient strength to deter password cracking or guessing attacks and conform to the requirements listed in “General Procedures” above.
2. PI should not be stored on portable devices. In cases where this is unavoidable, all devices containing this type of data must be encrypted and password protected. With regard to laptops, full disk encryption must be employed regardless of the type of data stored.
3. When laptops or cell phones are being used in public places, care must be taken to avoid unwitting disclosure of PI.
4. Portable devices must not contain unauthorized, unlicensed, or personally licensed software. All software must be authorized and procured through the Eversmile’s IT service provider company.
5. Anti-virus/Anti-spyware/Personal Firewall software must be installed and kept up to date on portable devices. These devices should be subjected to regular virus checks using this software.
6. Eversmile South Africa (Pty) Ltd. must ensure that when providing portable devices for use by staff members, each device is authorized for use only by a specific named individual. The responsibility for the physical safeguarding of the device will then rest with that individual.
7. Laptops must be physically secured if left in the office overnight. When out of the office, the device should be kept secure at all times.
8. Portable devices should never be left in an unattended vehicle. Further, a policy must be introduced and strictly adhered to that if a member of staff is going out after work and the laptop will have to be kept in the car, then the laptop must be locked in a secure place in the Eversmile’s office overnight.
9. Portable storage media should only be used for data transfer where there is a business requirement to do so.
10. Staff owned devices including portable media players such as iPods, digital cameras, and USB sticks must be technologically restricted from connecting to Eversmile’s computers.
11. A robust, clear, and known procedure for early notification of the loss of a portable device must be instituted. This would allow for the disconnection of the missing device from the company’s server.
DATA TRANSFERS OF PERSONAL INFORMATION
Data Transfers are a daily business requirement when transferring PI. Such transfers should take place only where necessary and employing the most secure channel available. To support this, all Eversmile South Africa (Pty) Ltd. staff must adhere to the following:
1. Data transfers should, where possible, only take place via secure on-line channels where the data is encrypted.
2. “Strong” passwords (see “General Procedures”) must be used to protect the data during transfer. Such passwords must not be sent with the data it is intended to protect. Care should be taken to ensure that the password is sent securely to the intended recipient and that it is not disclosed to any other person.
3. Standard e-mail should never be used to transmit any personal data. Where file encryption or the use of a secure e-mail facility which will encrypt the data (including any attachments) is sent, staff must still ensure that the mail is sent only to the intended recipient.
4. When a data transfer with a third party is required, a written agreement should be put in place between both parties in advance of any data transfer. Such an agreement should define:
• The information that is required by the third party and the purposes for which the information can be used must also be defined if the recipient party is carrying out processing on behalf of Eversmile South Africa (Pty) Ltd.
• Named contacts in each organization responsible for the data.
• The frequency of the proposed transfers.
• An explanation of the requirement for the PI or requested data transfer;
• The transfer and encryption method that will be used (e.g. Secure FTP, Secure e-mail, etc.).
• The acknowledgement procedures on receipt of the PI.
• The length of time the information will be retained by the third party.
• Confirmation from the third party that the security, confidentiality, and storage of the PI will be handled to the same level of controls that Eversmile South Africa (Pty) Ltd. would apply to that category of information. Confirmation is also required clearly identifying the point at which the third party will take over responsibility for protecting the data.
• The method for highlighting breaches in the transfer process.
• Business procedures need to be in place to ensure that all such transfers are legal, justifiable, necessary of not contrary to any legislation requirement or provision.
PROCEDURE FOR OBTAINING CONSENT TO PROCESS AND STORE PERSONAL INFORMATION
Eversmile South Africa (Pty) Ltd. will provide Data Subjects with a POPI Agreement and Consent Declaration to obtain the Data Subject’s consent to the processing and storage of the Data Subject’s PI, provided such consent was not obtained in a different manner.
Eversmile South Africa (Pty) Ltd. will notify the Data Subject that the Data Subject must provide its informed consent or alternatively note any objection to the processing and storage of its PI within a set period of time, failing which Eversmile South Africa (Pty) Ltd. will accept that the Data Subject has consented to the processing and storage of its PI.
In the event that the Data Subject did not provide its informed consent, nor its objection to the processing and storage of its PI as set out above, Eversmile South Africa (Pty) Ltd. will within a period of 6 (six) months from their initial attempt to obtain consent from the Data Subject, send the POPI Agreement and Consent Declaration to the Data Subject again, in a second attempt to obtain the Data Subject’s consent or, alternatively its objection to the processing and storage of its PI, failing which Eversmile South Africa (Pty) Ltd. will accept that the Data Subject has finally consented to the processing and storage of its PI.
RIGHTS OF THE DATA SUJECT
The Data Subject has the following rights in respect of its personal information:
1. The right to object to the processing of its personal information obtained by the Company;
2. The right to withdraw its consent (where granted) to the processing of personal information by the Company provided that the lawfulness of the processing and the actions required for the conclusion or performance of a contract will not be affected;
3. The right to request access to its personal information processed by the Company;
4. The right to request that its personal information be corrected or deleted/destroyed;
5. The right to lodge any complaints with regard to its personal information with the Information Regulator of South Africa.
REQUEST FOR ACCESS TO PERSONAL INFORMATION
Section 22 of the POPIA states that a data subject may request a responsible party to confirm that they are holding PI about the data subject and may obtain a description of that information and details about who has had access to it. Where such a request is received, the matter must be referred to the Information Protection Officer who will ensure that the correct procedures are adopted.
Section 23 of the POPIA, provides for a right to request correction of personal information held by a responsible party if it is inaccurate, incomplete, misleading, out of date, and obtained unlawfully, irrelevant, or excessive. Where such a request is received, the matter must be referred to the Information Protection Officer who will ensure that the correct procedures are adopted.
APPROPRIATE ACCESS AND AUDIT TRAIL MONITORING
Eversmile South Africa (Pty) Ltd. has an obligation to keep information safe and secure and have appropriate measures in place to prevent unauthorized access to, or alteration, disclosure or destruction of, the PI and against their accidental loss or destruction. It is imperative therefore, that Eversmile South Africa (Pty) Ltd. has security in place to ensure that only those staff members with a business need to access particular PI are allowed to access the data. In addition to this general requirement, the following guidelines should be adopted:
1. Eversmile South Africa (Pty) Ltd. must ensure that their ICT systems are protected by use of appropriate firewall technologies and that this technology is kept up-to-date and is sufficient to meet emerging threats. The monitoring of the suitability of such safeguards will be the responsibility of the Information Protection Officer.
2. In order to capture instances of inappropriate access (whether internal or external), addition, deletion and editing of data, audit trails should be used.
3. Access to files containing PI should be monitored by the Information Protection Officer on an ongoing basis. Staff should be made aware that this is being done. An IT system or automatic audit trail may need to be put in place to support this supervision.
For the first time, South Africans will have their constitutional right to the privacy of their PI enforced. POPIA will bring South Africa in line with international data protection laws and at the same time, will protect PI collected and processed by public and private organisations.
PI privacy presents a growing challenge and Eversmile South Africa (Pty) Ltd. must adapt and comply with complex international laws on how they handle such information. POPIA requires Eversmile South Africa (Pty) Ltd. to establish appropriate policies and procedures to protect the various forms of data that are part of their business operations.
It is almost impossible to anticipate all eventualities and possibilities but strict adherence to this Policy together with heightened awareness of all Eversmile South Africa (Pty) Ltd. staff will ensure that the company not only complies with the relevant legislation but ultimately, safeguards the PI entrusted to it by Eversmile’s clients.