It’s Tuesday, 6th July 2021. PoPIA is in full effect after a grace period of one year. And yet, people are still struggling to understand the implications.
The Protection of Personal Information Act places data privacy first.
This means that the rights of data subjects – the prospects, customers, employees, vendors and partners whose data we collect – must be taken seriously when collecting and processing personal information.
Data privacy can be defined as the right (of individuals and legal entities) to have control over how their personal data is collected and used.
What is personal information?
Personally Identifiable Information (PII) is any data (like and ID number or email address) that can be used to identify and individual. While this is the defintion in common use in the US, personal data goes beyond this constraint to cover any data linked to a person.
South Africa’s PoPIA defines personal information as:
“information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;”
The difference between personal information and data privacy
While the above definition of personal information may seem vast, it is self contained.
From a data management perspective, data privacy is much more difficult to define because it is context sensitive. Sometimes particular data (or data sets) are private, and in other contexts it is not.
For example, if I am dealing with my doctor I would like them to have full access to my medical history. On the other hand, I would not want this to be shared with the general public.
This means that, in order to comply with data privacy regulations like PoPIA is is not enough to identify personal information. We also have to capture the context of how this data is being used, by whom, and for what purpose.
The key data management challenge is ensuring that we are transparent with our data subjects as to why we are requesting their data, and that we limit access to data based on these agreed purposes.
In order to achieve this we need to understand the context of where personal data is being used – something that is difficult to achieve in large organisations
To protect and manage data assets and ensure compliance and data privacy, organisations require an automated data stewardship platform that brings data governance, data catalog, data lineage and data privacy management together and provides the necessary context and oversight..
With audit controls and data monitoring to track required actions, security protocols and retention policies, organisations with the right platform can provide automatic alerts for potential violations to ensure privacy and compliance. The same platform should facilitate an audit of business processes dealing with perosnal data to identify and manage compliance, operational and reporting gaps. Users can visually display these processes and connect related business terms, reports and rules to the appropriate steps so everyone has a common understanding of affected data assets.
Data governance that includes a data catalog and data lineage provides accountability for data ownership and the ability for organizations to know where data is located and how it is being used. As a result of putting governance practices in place and using the appropriate tools, organizations improve the security and transparency of data usage, keep private information private and have a strategy for achieving data privacy compliance.