POPI Checklist for the IT guy

spamsam

Active Member
Joined
Jul 29, 2017
Messages
57
Reaction score
24
Does anyone know what the established standard is for securing your server, web app, email service, etc so that it is considered 'POPI compliant'?

Whenever I ask a lawyer - their eyes kinda glaze over and then i remember that these are people that need assistance logging into Facebook...

Whenever I ask an 'IT guy' - the low level ones ask 'What's POPI', and the high level ones start getting panic attacks because they know they need it too but nobody can actually give them the actual requirements.

It's a rock and a hard place - and quite frankly the regulators themselves have failed to give any sort of guidance here.

I feel like a concrete checklist is something that can actually benefit the industry as a whole.
 
Adding 'Data Locality' to the list. :)
More like asking but afaik if it contains local resident information like addresses, IDs, etc. It should be stored locally and will be an issue of stored abroad. Clarification would be nice..
 
You need a way to get permission from PI owner before collecting personal information. You must be able to show what PI you have, when you collected it, what does your organisation need it for, outside parties you transferred the info to, and how you destroyed the PI when longer needed.

Also be able to show how data/PI is secured against unauthorised access.

You can read the ACT yourself.
 
Does anyone know what the established standard is for securing your server, web app, email service, etc so that it is considered 'POPI compliant'?

Whenever I ask a lawyer - their eyes kinda glaze over and then i remember that these are people that need assistance logging into Facebook...

Whenever I ask an 'IT guy' - the low level ones ask 'What's POPI', and the high level ones start getting panic attacks because they know they need it too but nobody can actually give them the actual requirements.

It's a rock and a hard place - and quite frankly the regulators themselves have failed to give any sort of guidance here.

I feel like a concrete checklist is something that can actually benefit the industry as a whole.

There's no prescribed standards unfortunately. Here's what POPIA requires:
  1. A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
    1. loss of, damage to or unauthorised destruction of personal information; and
    2. unlawful access to or processing of personal information.

      There's also no established checklist or POPI/POPIA certification recognised by the regulator
 
There is no such thing as "POPI Compliant". There is, however, a set of clauses in an act that imply standards that have largely never been tested IRL, with virtually no enforcement capability by an information regulator that itself was subject to a data leak in it's 2nd week of operation and has thus far been incapable of processing the required POPI officer registrations, a year later. Bottom line, you will only be scrutinised and held responsible for all the things you should have done, after you get caught out in a high-profile data leak.
 
All hot air.If you an IT person , just implement security best practices , as per the vendor (microsoft , cisco etc).
 
There's no prescribed standards unfortunately. Here's what POPIA requires:
  1. A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
    1. loss of, damage to or unauthorised destruction of personal information; and
    2. unlawful access to or processing of personal information.

      There's also no established checklist or POPI/POPIA certification recognised by the regulator

It's the vagueness of 'taking appropriate, reasonable technical and organisational measures' in the act that I am trying to cut thru, because at the end of the day I sit with the decision to make between competing products and security strategies that all have differing technical features.
 
There is no such thing as "POPI Compliant". There is, however, a set of clauses in an act that imply standards that have largely never been tested IRL, with virtually no enforcement capability by an information regulator that itself was subject to a data leak in it's 2nd week of operation and has thus far been incapable of processing the required POPI officer registrations, a year later. Bottom line, you will only be scrutinised and held responsible for all the things you should have done, after you get caught out in a high-profile data leak.
I want look at two systems and be able to say:

- System A is adequately protected because I was able to demonstrate I implemented A, B and C. (so much so that if there is ever a situation where fingers are pointed, then I will be insulated agains liability )

- System B needs some love because only A and B have been implemented but C is still lacking.
 
All hot air.If you an IT person , just implement security best practices , as per the vendor (microsoft , cisco etc).
There are obvious things to implement like changing default ports/settings, using tls for transit. These just make sense. But it would be nice to know what to actually put on the checklist so one gets to a point where it's possible to determine the technical minimum for specific scenarios.

This can also be looked at from the other perspective where some implementations would be a definite no-no, for eg. lawyers sending mails in plaintext over the internet or banking apps that connect to the banks servers over an unencrypted connection.
 
It's the vagueness of 'taking appropriate, reasonable technical and organisational measures' in the act that I am trying to cut thru, because at the end of the day I sit with the decision to make between competing products and security strategies that all have differing technical features.
I think you conflating issues:

Protection of information/Data, there are already best practice created. Go with one of those. There are IT professionals that can assist.

POPI, itself requires the following:

1. Audit of what Personal Info, you collect, store and process. And where it is stored and in what format, (electronic/hardcopy etc. Signed Employment contracts tend to be hardcopies, attendence registers hardcopy etc.

2. What are the current measures inplace to protect the information. I.e. signed Employment contracts are generally locked in fireproof filing cabinets. IT systems: passwords, user access rights etc.

3. How do you ensure, you protect the information until no longer legally necessary. And how do you sure you destroy these records.

Yes, there is overlap with IT systems, but there is also an administrative, human component.

Anyway thats my 5 cents.
 
I want look at two systems and be able to say:

- System A is adequately protected because I was able to demonstrate I implemented A, B and C. (so much so that if there is ever a situation where fingers are pointed, then I will be insulated agains liability )

- System B needs some love because only A and B have been implemented but C is still lacking.
That is broadly possible in terms of the act, however, there are many areas where "adequately protected" can be a matter of opinion. IMHO it's more a matter of what is reasonable given the circumstances.
 
Data must be hosted stored locally?

This is a very interesting point.

When POPIA initially became “law” and before Azure, O365 & AWS had infrastructures in SA, many companies' websites and emails were hosted offshore.

When Microsoft & AWS finally implemented infrastructure in SA, clients were sent emails asking if they wanted to migrate their data (websites, emails etc) to SA-based infrastructure, many ignored those emails and left everything alone as all was working.

So, the interesting conundrum is: Are uses of O365 (and other solutions) whose data is hosted/ stored on international servers POPIA compliant?
 
POPIA has been an expensive pain in my ass. I spent over R 15k having my T&Cs redrawn to be POPIA compliant and a couple hours with my attorney having things spoon-fed to me, only to see plenty of unpunished POPIA breeches since.

#overit
 
This is a very interesting point.

When POPIA initially became “law” and before Azure, O365 & AWS had infrastructures in SA, many companies' websites and emails were hosted offshore.

When Microsoft & AWS finally implemented infrastructure in SA, clients were sent emails asking if they wanted to migrate their data (websites, emails etc) to SA-based infrastructure, many ignored those emails and left everything alone as all was working.

So, the interesting conundrum is: Are uses of O365 (and other solutions) whose data is hosted/ stored on international servers POPIA compliant?
Pay 1.5x to 2.0x extra for sql nodes in za? What if the setup is RSA first with EU, UK and/or USA fall-over(s)?

//rolleyes
 
This is a very interesting point.

When POPIA initially became “law” and before Azure, O365 & AWS had infrastructures in SA, many companies' websites and emails were hosted offshore.

When Microsoft & AWS finally implemented infrastructure in SA, clients were sent emails asking if they wanted to migrate their data (websites, emails etc) to SA-based infrastructure, many ignored those emails and left everything alone as all was working.

So, the interesting conundrum is: Are uses of O365 (and other solutions) whose data is hosted/ stored on international servers POPIA compliant?
I've had a legal opinion that personal data can be hosted offshore provided it is in a territory that has equivalent regulations to POPIA such as GDPR, and obviously in a data centre that complies with whatever those regulations are. So you could store information on a server in AWS in the EU but not in, for e.g., a one man data centre in the Cayman Islands.
 
I've had a legal opinion that personal data can be hosted offshore provided it is in a territory that has equivalent regulations to POPIA such as GDPR, and obviously in a data centre that complies with whatever those regulations are. So you could store information on a server in AWS in the EU but not in, for e.g., a one man data centre in the Cayman Islands.

The EU with GDPR has the same/better data protection as SA does but I believe the USA does not have the same levels and is therefore non-compliant. (But that all depends on who you speak to as there are differing opinions)
 
The EU with GDPR has the same/better data protection as SA does but I believe the USA does not have the same levels and is therefore non-compliant. (But that all depends on who you speak to as there are differing opinions)
Well the advice we have from an "expert" POPIA consultant is that hosting in a GDPR territory (i.e. EU) is okay, but hosting in the US is not because they do not have a consistent national policy (it depends on the state).
 
Top
Sign up to the MyBroadband newsletter
X