There is an old Welsh military saying: “The enemy of my enemy is my friend”. CRS Technologies’ Dave Philp takes a look at some new legislation which may just see an alliance of necessity between HR and IT.
Technology and people – some say like oil and water. A batch of new legislation, however, will mean that these departments will have to work together or fall foul of some very serious compliance requirements.
The Protection of Personal Information Bill (PPI) is causing some confusion in the marketplace. It will have a significant impact on companies that collect and store data, including personal data of their employees. Effectively this means every company that employs individuals, both local and foreign.
Firstly, the Protection of Personal Information Bill should not be confused with the proposed Protection of Information Bill, which is being hotly debated in the media. The latter will see the State able to classify documents as ‘sensitive’ and incarcerate anybody found in possession of such information. Unsurprisingly, the media have taken umbrage at this, hence the ensuing furore.
The PPI, however, will afford people more rights to privacy and has generally been welcomed by most civil society groups.
That said, the PPI is set to cause some headaches for folk in the HR and IT departments and it would be very wise indeed for companies to begin thinking about what data they have, and how they can guarantee its protection.
In a nutshell, the PPI has been drafted to protect an individual’s right to privacy. The Bill introduces measures to regulate the collection, storage and distribution of personal information. It should be seen in conjunction with our Constitution and the Declaration of Human Rights, and it places South Africa in line with international privacy standards.
The problem for companies creeps in when we examine how the proposed Bill seeks to administer these rights.
The Bill envisages that regulation will take place through external enforcement by the Information Protection Regulator but also through the internal appointment, by both private and public bodies, of information protection officers and deputy information protection officers.
Companies are obliged to notify the Regulator before they commence with the processing of personal information and to furnish it with comprehensive details such as the purpose of the processing and a description of the categories of data subjects and of the information or categories of information relating to them.
The Bill also contains particularly rigorous regulations concerning the processing of so-called “special personal information”, which is information concerning children; an individual’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, or criminal behaviour. This will clearly impact most HR departments.
Moreover, any organisation that stores such data has to provide proof that reasonable measures have been taken to ensure the integrity and protection of this data. This is where the IT departments will be affected.
To add a further conundrum, legal advisors are warning that this proposed legislation will have to be read in conjunction with existing legislation such as the Promotion of Access to Information Act 2 of 2000 which has been enacted to ensure fair and reasonable access to information by interested parties.
It is clear that this Bill, in whatever form it is enacted, will be burdensome to many organisations. It is sensible then, to embark on some work beforehand to make future compliance a little easier.
Here is a shortlist of some actions your company can take now:
- Figure out what personal information you have stored at the moment
- Assess how it is being stored
- Assess the security behind your storage solution
- Draw up a comprehensive checklist of departments and personnel who have reason to request personal information so you know who has access to sensitive information
- Assess your right to this information based on current and future legislation
- Assess ways your company can comply with future legislation by using technology
By having this basic checklist in place you will already be many steps down the line when the Bill is enacted. If you are unsure, call in an advisor or even conduct an external audit. Just like our financial advisors tell us to run financial health checks at the beginning of each year, your company should be examining existing IT and HR solutions and evaluating their efficacy. You will be surprised that with just a little effort, you can improve your operations – and your bottom line.