PERSONAL INFORMATION IMPACT ASSESSMENT

Personal Information Impact Assessments (PIIA) are used to investigate, recognize, and mitigate potential risks to data when

• implementing a new POPI compliance framework
• changing processes
• introducing new processes
• changing technology
• introducing new technology
• transferring personal data to a foreign jurisdiction (transfer impact assessment)
• changing the type and classification of information which is processed
• appointing or being appointed as an operator
• before launching a new project

or in any other instance where a risk assessment is required because of new or changed risks to information security, confidentiality or integrity.

The Information Officer is responsible for ensuring that a personal information impact assessment is done, so that adequate measures and standards are implemented in order to comply with the conditions for the lawful processing of personal information.

 

PIIA PURPOSE

By performing a PIIA you will be able to:

• Identify and understand data protection risks
• Assess the possibility of the risks happening as well as the potential impact if they do
• Identify methods to reduce or eliminate those risks
• Decide if the benefits of the change, outsourcing or project outweigh data protection risks
• Implement required risk mitigation and protective measures
• Prepare an informed statement that will disclose the risks to any affected person
• Document data protection measures to demonstrate compliance to the Information Regulator
• Identify opportunities to incorporate “Data Privacy by Design”

 

WHEN IS A PIIA REQUIRED?

A PIIA is required in order to identify the risks to personal information, data subjects and the organisation, and to create a compliance framework to address these risks. Instances where a PIIA may be required include:

• Where data is processed and there has not been any impact assessment completed
• A systematic monitoring of an area on a large scale.
Example: Using a security camera placed on a business premises to record and monitor behaviour and identify criminal activity.
• Processing special categories of data (sexual orientation, race, religion, etc.) or children’s information.
Example: An employment application that collects racial information or criminal history from persons who wish to apply for a job.
• Data concerning vulnerable data subjects that may be unable to provide valid consent.
Example: Processing the data of children or mentally ill individuals.
• Innovative technological or organisational solutions.
Example: Software that provides user access based on fingerprints or face recognition.
• Processing data which is highly sensitive and where a breach may lead to criminal prosecution.
Example: Processing bank account information of suppliers, customers or staff.
• Evaluation or scoring of individuals, including profiling and predicting.
Example: An internet technology that monitors user behaviour and uses that information to build marketing profiles.
• Automated decision-making with legal or otherwise significant effect on the lives of individuals.
Example: A computer program that uses the behavioural history of staff to automatically determine if they will qualify for an increase.
• An evaluation of consumer information in which decisions are made based upon automatic processing and profiling.
Example: A technology that uses a person’s financial history to automatically determine whether or not that person is eligible for a loan.

 

TRANSFER IMPACT ASSESSMENT

Your organisation must ensure that there are protections, enforceable rights and legal remedies that are ‘essentially equivalent’ to those guaranteed under POPI when transferring information across borders. You are therefore required to assess the impact and security implications of a transfer of Personal Data to a country outside South Africa. This assessment is commonly known as the Transfer Impact Assessment or “TIA”.

A TIA is a risk assessment (similar to a privacy impact assessment) which the Data Exporter must undertake to assess whether personal data being transferred to a third country will be adequately protected there, or whether supplementary measures are required. It is also important to determine the risks of the country or countries to which personal data may be “onward transferred” from the third country.

It allows organisations to make lawful transfers by ensuring appropriate safeguards are in place to address the circumstances.

 

WHAT SHOULD BE INCLUDED IN A TIA

In practice, a TIA establishes whether the legal framework in a third country allows the government, intelligence agencies or third parties in that country to access any transferred data. Specifically, the TIA should assess the following three areas:

1. The specifics of the restricted transfer, including:

• Type and categories of personal data to be transferred. Set out the categories of data subject (e.g., customers, employees, or business contacts).
• How much personal data are you transferring?
• How often will these transfers occur?
• Types of entities involved in the transfer
• What is the format of the transferred data? For example, is it plain text, pseudonymised or encrypted?
• Method of transfer. How are you sending the data? For example, are you transmitting it by email, over an encrypted website connection or by secure file transfer protocol (SFTP)? Or does it involve remote access to data stored in Ireland?
• Who is it going to? What kind of organisation is the importer? (e.g., a public regulator, an IT company, a parent or service company in your group). Is the importer a controller, joint controller, processor, or sub-processor?
• Where is the importer located? Will the importer be forwarding data to another organisation? If so, what kind of organisation are they and where are they located?
• Sector in which the transfer occurs
• Is the importer subject to professional or other rules, which apply in addition to the general legal regime of the destination country? (e.g., if the importer is a law firm, then it may be subject to rules of professional conduct).
• Purpose of the transfer – Why are you making the transfer? What will the importer (and any other party to whom they forward on the data) be doing with the personal data?
• The technological and organisational security the importer has in place to protect the data
• Whether the data will be stored outside South Africa or whether there is remote access to data stored within South African borders
• Movement of data when under the control of the importer
• Possibility of data being forwarded on by the importer to another entity or country

2. The particular facts about the destination country, including:

• Whether there are adequate data protection mechanisms equal to POPI
• Its human rights record
• Its legal and court system
• How overseas judgments are recognised and enforced
• Its laws and practices regulating third-party access (including public authority surveillance).

3. The potential impact on the data subjects of the transfer, and any risk of harm to data subjects which may be identified.

It is important to ensure the level of protection does not decrease over time. Further considerations for the data importer are whether the level of protection is undermined by any of the following:

• Changes to the processing by the importer
• Changes to the legal framework in the destination country
• Technical developments facilitating the bypassing of security arrangements.

It is worth noting that in carrying out the TIA, it is best to focus only on those parts of the destination country’s legal regime which are relevant to the restricted transfer.

 

What Must You Do?

Assessments should be conducted in a methodical and organised way and be fully documented. The assessment scope should be clear, identifying the process or function under review, as well as the information.

All risks to the information must be identified, and this applies to the information at rest and in transit.

Once risks have been identified, these should be assessed in terms of probability and impact and a risk score obtained. This risk assessment should be done on the basis of “inherent risk”, in other words, the risk without taking account of any controls or mitigation you have in place.

Once the inherent risk is calculated, the existing mitigation and risk management controls in the organisation should be identified. Existing controls should be assessed to see whether these are sufficient to effectively mitigate the risk. The risk that remains after the implementation of controls is the “residual risk”.

Where the existing controls reduce the residual risk to an acceptable level, no further action may be required, but where the risk is not effectively mitigated, action is needed.

Ways of addressing the risk should be identified and then evaluated, in order to find an appropriate solution.

Considerations and recommendations should be made in respect of the residual risks and the proposed treatment, such as whether a proposed change or project is worthwhile given the risk, or whether risk treatment is viable.

Where risk treatment is anticipated or proposed, the effectiveness should be tested to ensure that the risk is adequately managed.

Where this is not possible, a decision will have to be made about the area under risk, and what the best course of action will be.
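The inherent-to-residual scoring procedure described above, as an added worked example (not part of the original document). It assumes a 1 to 5 probability and impact scale, a risk appetite threshold of 6, and a constructed sample register for a payroll process; these values are assumptions for illustration, not figures from the text.

```python
from dataclasses import dataclass, field

ACCEPTABLE_RESIDUAL = 6  # assumed risk appetite: residual at or below this needs no further action

@dataclass
class Control:
    name: str                      # existing mitigation already in place
    likelihood_reduction: int = 0  # points it takes off the 1-5 probability rating
    impact_reduction: int = 0      # points it takes off the 1-5 impact rating

@dataclass
class Risk:
    description: str
    data_state: str                                  # "at rest" or "in transit"
    likelihood: int                                  # 1 = rare .. 5 = almost certain
    impact: int                                      # 1 = negligible .. 5 = severe
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self):
        if self.data_state not in ("at rest", "in transit"):
            raise ValueError("data_state must be 'at rest' or 'in transit'")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact are rated 1..5")

    def inherent_score(self) -> int:
        # Inherent risk: probability x impact, ignoring every control.
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Residual risk: same product after existing controls, each rating floored at 1.
        lk = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        im = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lk * im

    def decision(self) -> str:
        return "accept" if self.residual_score() <= ACCEPTABLE_RESIDUAL else "treat"

def build_register() -> list[Risk]:
    """Constructed sample register for a payroll process (illustrative, not real data)."""
    encrypted_db = Control("database encryption at rest", impact_reduction=2)
    rbac = Control("role-based access to payroll system", likelihood_reduction=2)
    nda = Control("signed confidentiality undertaking", likelihood_reduction=1)
    return [
        Risk("employee bank account numbers held in payroll database", "at rest", 3, 5, [encrypted_db, rbac]),
        Risk("supplier bank details emailed to accounts team unencrypted", "in transit", 4, 5),
        Risk("CCTV footage copied to a contractor laptop for review", "in transit", 2, 3, [nda]),
    ]

def treatment_plan(register: list[Risk]) -> list[tuple[str, int, int, str]]:
    """Rank by residual score so risks still needing treatment come first."""
    rows = [(r.description, r.inherent_score(), r.residual_score(), r.decision()) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)
```

Running `treatment_plan(build_register())` puts the unencrypted supplier email (residual 20, "treat") at the top, while the two controlled risks fall within appetite and are accepted.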

 

PRIVACY BY DESIGN

“Privacy by Design” is a concept implemented to ensure data protection in the European Union, and it provides some valuable guidance to ensuring that you comply effectively and efficiently.

It is a concept that states that organisations must consider privacy concerns at the outset of data processing practices, rather than applying features retroactively. This means that data protection is already integrated into a system or procedure when it is created.

There are seven fundamental principles to this:

1. PROACTIVE NOT REACTIVE

The approach is characterized by proactive rather than reactive measures. Privacy measures should anticipate and prevent privacy invasive events before they happen, rather than waiting for privacy breaches to occur. This means building in measures to prevent breaches and potential privacy harms from the outset.

This should be applied to information technologies as well as organisational practices, early and consistently. You should recognise poor designs, anticipate poor practices and outcomes, and correct any failures well before they occur, in a proactive, systematic and innovative way.

For this approach to be effectively applied, it must be supported by a clear commitment at the highest levels and throughout the organisation to set and enforce the standards in a culture of continuous improvement.

2. DEFAULT SECURITY SETTING

The approach aims to deliver the maximum degree of security by ensuring that personal information is automatically protected in any given IT system or business practice. Individuals should not have to take actions to secure their privacy, and it should be built into systems by default. Personal data should be automatically protected in any system or business practice.

3. PRIVACY EMBEDDED INTO DESIGN

The idea is that security is embedded into the architecture of your IT systems and business practices and is not just an “add on”. This involves considering potential privacy issues during the design, operation and management of systems and practices. The result is that the appropriate level of security becomes an essential component of the core functionality, is integral to the system, and does not diminish functionality.

4. FULL FUNCTIONALITY

Privacy by Design should seek to satisfy all of your organization’s legitimate objectives, and not just data security. When embedding this into a given technology, process, or system, it should be done in such a way that full functionality is not impaired, and the organisation’s requirements are optimised. (“win-win”)

To achieve this, objectives must be clearly identified, desired functions articulated, metrics agreed upon and applied, and trade-offs rejected as often being unnecessary, in favour of finding a solution that enables multi-functionality.

5. FULL LIFECYCLE PROTECTION

The approach extends throughout the entire lifecycle of the data involved. This ensures secure lifecycle management of information, end-to-end. There should be no gaps in either protection or accountability. Standards should provide assurance of confidentiality, integrity and availability of personal data throughout its lifecycle.

6. TRANSPARENCY

Visibility and transparency are essential to establishing accountability and trust. Openness and transparency are key to accountability. Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. These keep stakeholders informed and ensure accountability.

7. USER-CENTRIC

You should keep the interests of the data subject uppermost by offering measures such as strong privacy defaults, appropriate notice, and empowering user-friendly options. This principle involves giving users a measure of control over their personal information, ensuring privacy practices are user-centric.

Furthermore, where you are able to empower data subjects to play an active role in managing their own personal information, aside from addressing the requirements of consent, accuracy, and access, this may also be an extremely effective control against abuses and misuses of privacy and personal data.

 

ACCOUNT NUMBERS

There is no specific section in the POPI Act which sets out compliance requirements relating to account numbers; however, specific reference is made to contraventions relating to account numbers. This immediately indicates that additional precautions should be taken and controls put in place where your organisation processes account numbers.

An “account number” is defined as “any unique identifier that has been assigned-

(a) to one data subject only; or
(b) jointly to more than one data subject,

by a financial or other institution which enables the data subject to access his, her or its own or joint funds or credit facilities.”

Bank account numbers fall into this category. Bank account numbers are used every day in most business operations, where debit orders or other bank transfers are processed. Where salaries are paid to staff, this is usually into their bank account.

There are therefore a number of risk areas which should be assessed and where particular attention should be paid, in respect of account numbers.

Where a bank account or other account number is intentionally or negligently obtained from a data subject without their consent, or disclosed to someone without the required consent, this is a crime and there are potentially very severe penalties.

It is also a crime to procure (obtain or arrange) the disclosure of an account number to another person without the data subject’s consent.

This is therefore an area where you require robust policies and procedures to ensure that there is no contravention.

Strict security measures must be implemented as this is a high risk area. Account information should only be collected where absolutely necessary and then under controlled circumstances. The collection of this information must occur only where you have the required consent or are otherwise lawfully processing this information, and from persons who have the right authority.

Where you collect account details from an employee of a company, for example, make sure that the person has the necessary authority to provide this to you.

Account numbers should be treated as highly confidential, and the right measures implemented to ensure they are not inadvertently disclosed to unauthorised parties. Consider, for example, the case where IT is outsourced or where you engage the services of external persons such as accountants. You will need to establish whether these persons can access this type of information, and if so, for what purpose.

Where disclosure to another party or person is required, you should ensure that you obtain the necessary consent from the holder of the account before sharing, where this is a requirement. Full disclosure should be made in your privacy notice.

Controls should ensure that measures are complied with and that this risk is effectively mitigated.

 

What Must You Do?

Ensure that where you collect or process account numbers, this is with the full consent of the data subject, and that you have a record of this consent. The consent must be given on an informed basis, so make sure that you can show that you made the required disclosures before the consent was obtained, and that it was given freely and without duress.

Identify all areas of your organisation where account information is processed. Ensure that you implement robust protective mechanisms to ensure the security of account numbers.

Ensure that any transmission of banking information, such as a customer’s bank account and routing number, is encrypted using “commercially reasonable” encryption technology if it is transmitted via an unsecured network, like the Internet.

Do not send bank account information via regular email and don’t enter bank account information on an insecure web form or enter it via an insecure system.

Ensure that where account information is shared, this is only with authorised persons and where the necessary consent has been obtained.

Where account numbers are no longer required, these should be appropriately disposed of.

Your policies and procedures need to ensure compliance, and any contraventions must be addressed with the level of seriousness this merits.