Deloitte sounds out PPI legislation warning
The pending Protection of Personal Information legislation will require companies to do more than just secure their data – it will force them to extensively review their business policies and processes, argued professional services group Deloitte.
Data privacy, in terms of the South African legislation, is about an individual’s personal information being safeguarded, the company said. “If you have information about people, you can no longer deal with it as you used to.”
Deloitte said that, from the point where personal information is collected, organisations will have to get a person’s permission to use his or her information. Historically, South African organisations collected data and used it liberally.
“The PPI legislation will require that any terms or contract concluded must have a consent element built in,” said Dean Chivers, director of Deloitte Legal. Information can only be used in terms of the permissions obtained, and when information is no longer required for the purposes for which it was collected, it will have to be destroyed.
This, and other requirements, will mean that organisations will have to scramble to meet the deadlines imposed by the legislation, especially given that a sound PPI solution can take approximately three years to implement.
“Information will have to be secured regardless of whether it’s in ‘soft data’ form – electronic information – or ‘hard data’ form – documents; and the security requirements include control of access to information,” Chivers said.
Deloitte stressed that changes to systems to make companies compliant with the demands of the PPI legislation will have to be accompanied by extensive training of staff across disciplines, as new rules will apply to what were previously routine corporate functions.
Processes will have to be built around the collection, processing, monitoring, distribution and ultimately destruction of all personal information held by an entity.
“The primary responsibility of safeguarding information will rest with the collector of the data. In this regard, the proposed legislation makes it clear that the safeguarding cannot be outsourced,” the advisory group concluded.