Mapping ‘Security Safeguard’ Requirements in a data privacy legislation to an international privacy framework: A compliance methodology

I. Govender
Published in: 2015 Information Security for South Africa (ISSA), 23 November 2015
DOI: 10.1109/ISSA.2015.7335062 (https://doi.org/10.1109/ISSA.2015.7335062)
Citations: 3

Abstract

It is commonplace for organisations to collect personal information to be processed and stored on their systems. Until recently, there was no comprehensive legislation that addressed the 'processing' of personal information by organisations in South Africa. The Protection of Personal Information Bill ("POPI") was signed into law in November 2013 and is expected to come into effect later this year (2015). POPI is informed by international data privacy legislation. The implication is that it will be incumbent on organisations to revisit how they 'handle' people's personal information. This can be a daunting task, as evidenced by countries that still find it a challenge to comply with data privacy laws enacted there some time ago. This article proposes a methodology for complying with POPI. The Generally Accepted Privacy Principles (GAPP) is an American/Canadian framework containing international privacy requirements together with best practices. Both POPI and GAPP address a common purpose: 'how personal information is collected, used, retained, disclosed, and disposed of.' GAPP is regarded as a solid benchmark for good privacy practice, comprising ten overarching privacy principles that yield a set of criteria for the effective management of privacy risks and compliance. Many of the provisions in POPI are addressed in GAPP. A key condition in POPI (Security Safeguards) stipulates what aspects of personal information must be adequately secured, but offers limited insight into how to go about this process. Accordingly, this article proposes a methodology to fill this gap. All of the provisions under 'Security Safeguards' in POPI are mapped onto GAPP, thereby contextualising GAPP to facilitate compliance with South Africa's data privacy legislation and, to the same end, compliance with international privacy laws. This framework could also be implemented as a checklist/auditing document, guiding the organisation in its implementation of data privacy and POPI compliance.