SMECounting

The POPI Act refers to the Protection of Personal Information Act of 2013, also known as POPIA.
The first purpose of POPIA is to give effect to the Constitutional right to privacy.
    It also:
  • Regulates the manner in which personal information may be processed;
  • Provides a person with rights and remedies to protect their personal information from processing that is not consistent with POPIA; and
  • Establishes measures or rules, including a Regulator, to ensure respect for and to promote, enforce and fulfil the rights of a person who is protected by POPIA.
The Act applies to the processing of personal information entered into a record by or for a responsible party.
  • Person means an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person.
  • Personal Information means information relating to a person.
  • Such a person is referred to as a Data Subject.
Some examples of personal information would be information like:
  • Someone's home, postal and email addresses,
  • Their fingerprints and / or identity number,
  • Comments in a survey or complaint form,
  • Their information captured in a curriculum vitae or a job application form

If you are a property owner renting out a property privately, then the POPI Act also applies to you.
The POPI Act does not differentiate between a small home-based, one-man business and a large corporation.

All business entities keep some form of accounting records of their day-to-day business operations.

    Some of these records may include:
    • Customer Invoices;
    • Supplier Purchases;
    • Employee salary payments;
    • Some businesses, like Legal Practitioners and Estate Agents may also keep FICA Information;
    • Businesses like Accounting and Auditing firms will keep a lot more information than just the few examples listed above.


If your answer is YES or MAYBE to any of the following questions, then your IT Network should be compliant with the POPI Act

  • Do you store / save any of the following on a computer, such as a Laptop, Desktop or a File Server?
    • Employee Information, like ID Numbers, Addresses, Banking detail, Emergency Contact Information?
    • Employee Payslips?
    • Employee Leave and Medical records?
    • Customer Information like Account Applications, Owner / Director Personal Information?
    • Customer Banking Detail?
    • Customer Service Agreements?
    • Supplier Information like Addresses, Banking Detail, Service Agreements?
    The POPI Act refers to these entities or persons as the Data Subject.

  • Does any staff member work remotely / off-site?
  • Are there Staff members who have authorization to login to the Office IT Network from a remote location?
  • Is your electronic data secured?

    To mention a few things that happen to electronic data on a daily basis:
    • Cyber Attacks like Ransomware
    • Internet viruses;
    • Unauthorized Access;
    • Computer crashes;
    • Hacking

    Compliance with the POPI Act will:

  • Help to protect the personal information in your possession
  • Increase confidence in your business
  • Reduce exposure to unnecessary risk
  • Help to protect your reputation

    Non-Compliance with the POPI Act may lead to:

  • Unnecessary financial risk
  • Loss of a good reputation
  • Negative Publicity
  • Hefty fines by the Regulator
  • Civil Action by the Data Subject

    Our focus is on the keeping and storing of electronic records.

    The POPI Act requires that personal information in the possession of a business is properly safeguarded to prevent:

    • Loss of, damage to or unauthorised destruction of personal information
    • Unlawful access to or processing of personal information

    Personal information may get lost, damaged or unlawfully accessed in a multitude of ways, e.g.:
        • Theft of electronic records
        • Computer viruses
        • Computer crashes
        • Hacking of databases
        • Unauthorized Network Access
        • Accidental damage caused by employees, contractors or service providers
        • Natural disasters

    The Tax Administration Act, Act 28 of 2011

    Every business, whether as an individual or as a company, is a taxpayer. As a taxpayer, every business must comply with Section 29 of the Tax Administration Act.
    Taxpayers are allowed to keep records in an electronic form as long as the taxpayer adheres to the following rules:
    • Data must be kept in an acceptable electronic form as prescribed by Section 14 of the Electronic Communications and Transactions Act;
    • The person required to keep records must be able, within a reasonable period when called upon by SARS, to provide SARS with an electronic copy of the records in a format that SARS is able to readily access, read and correctly analyse, or to send the records to SARS in an electronic form that is readily accessible by SARS, or to provide SARS with a paper copy of those records;
    • Records retained in electronic form must be kept and maintained at a place physically located in South Africa; and
    • Measures must be in place for the adequate storage of the electronic records for the duration of the period referred to in Section 29 of the Act. This period is not less than 5 years.

    An effective IT security system involves safeguarding your computer hardware and the personal information stored on the hardware!

    The following steps are listed in the POPI Act:

  • Identify all reasonably foreseeable risks to personal information;
  • Identify the nature of the personal information in your possession;
  • Identify key risks involved with the collection, storing and processing of personal information; and
  • The implications for the data subjects should their personal information get lost, unlawfully accessed or destroyed

    We can assist any size of business to ensure that their IT Network is compliant.

    To mention just a few of the IT Safeguards that we can assist with:
  • Anti-virus Software
  • Firewall Protection
  • Password Protection
  • Access Control
  • Remote Login
  • Safekeeping of hardware
  • Business continuity plans and disaster recovery processes

    No matter the size of your business or budget, we have a solution for you!


    Click here or on the Contact Us button at the top and send us a message with your contact information and we'll contact you
    As an alternative, you can also complete the Basic Risk Analysis Survey, which will highlight possible weak or high-risk areas based on the information provided in the questionnaire. This is not a comprehensive survey and does not replace a full On-Site Analysis of Controls and Procedures to protect your data and any Personal Information.