Under the PoPI Act you are responsible for safeguarding all forms of personal information of other entities in your possession, and you must be able to prove that you have taken appropriate and reasonable steps to do this. In fact, it would be up to you to disprove any claims and/or satisfy the Regulator that you have taken adequate steps and have put in place adequate systems to meet this requirement. Keep in mind that thanks to easy access to information and efforts by the consumer press, consumers are more educated these days and better informed about their rights. People will inevitably want to lash out when their personal information lands in the wrong hands, especially if they suffer some kind of loss or inconvenience as a result. Often these reactions are based on perceptions rather than fact. It is therefore best that you prepare for this type of event or accusation, irrespective of whether you are responsible for the breach or not, by having a Complaints Process in place to deal with it. The Regulator may still create its own code(s) of conduct and supporting documentation for complaints; however, our advice would be to be proactive in this to ensure you play an active role in managing these complaints.
The customer must have “reasonable grounds” to believe that the personal information was leaked through you or from your systems, so education and communication are key in pre-empting and preventing unnecessary complaints. It would be in your interest to prepare and maintain the following documents in advance so that they can be used in discussions with the customer to assure them of the rules and measures you have in place to protect them, or to convey this to the Regulator, who will inevitably need this information as part of the investigation:
- data map for company personal information (as discussed in previous section)
- systems architecture document (including software applications used, associated permissions, etc. as described under the BNS architecture and implementation guide)
- your policies and procedures relating to personal information as well as how you enforce them (this should e.g. address the use of “USB memory sticks”, username/password rules, remote access, protection of data copied onto laptops or phones, security updates, backups, etc.)
- security events register (indicating dates and times of security threats and breaches on e.g. the firewall, events of theft of laptops/PCs, tablets and mobile phones including the data that was on them, etc.)
- an easy-to-understand audit trail indicating access to and changes to personal information
It is obviously essential that business activities in real life match what these documents say. These documents cannot just be something you only take out when there is a problem. These policies and procedures must form an integral part of your business operations, which is why using a BNS is an obvious choice. Be very careful, though, that by disclosing this information you do not equip someone with the information they need to identify and exploit weaknesses in your systems! Keep the information high level and share only what is necessary to provide them with the assurances they need. We highly recommend that you have a standard Non-Disclosure Agreement (NDA) ready and request that all parties sign it before you disclose this information.
By being prepared in this way and having all this information ready, as well as demonstrating your willingness to discuss any special circumstances (if any) and your continued commitment to protecting your customers’ data, you may very well satisfy the customer and prevent the matter from escalating further.