Protecting personal information is crucial. Failing to do so can cause significant financial harm and emotional distress to the individuals concerned and can cause irreparable harm to the University’s reputation. The University is committed not only to safeguarding personal information, but also to empowering its students and staff to protect themselves.
When processing personal information, UP is striving to:
- process personal information responsibly
- be transparent about how personal information is used
- only share personal information if we must and only with third parties we trust
- keep information safe
Recently, the University of Greenwich in the United Kingdom was fined £120,000 by the UK’s information regulator, the Information Commissioner’s Office, for failing to ensure that a microsite under its control was secure and that attackers could not reach the underlying databases through it.
This breach illustrates that cybersecurity programmes alone cannot protect institutions without robust information governance, of which access control is an important aspect. Good information governance provides an additional line of defence by ensuring that databases do not contain unnecessary or highly sensitive information. This means that even if a database is compromised, the impact will be limited.
Both the Protection of Personal Information Act (POPIA) and the European Union’s General Data Protection Regulation (GDPR) make information governance a requirement for regulatory compliance. This is why compliance with regulatory requirements is one of the main drivers of the iGaPP programme.
The EU GDPR came into effect on 25 May 2018.
President Cyril Ramaphosa has announced 1 July 2020 as the commencement date for POPIA. This means that we have until 30 June 2021 to ensure that all University activities that involve personal information are fully aligned with this Act.
POPIA makes provision for the development of industry-specific Codes of Conduct, thus allowing industries to translate its principles into standards. These standards are referred to as Industry Codes of Conduct. At sector level, Universities South Africa (USAf) has adopted a POPIA Industry Code of Conduct for public universities.
The Code includes standards relating to:
- the collection or creation of personal information;
- third party management;
- information sharing;
- information security;
- de-identification and pseudonymisation;
- access control principles;
- gathering of metadata (information about information);
- information quality; and
- document retention and destruction rules.
One of the primary aims of iGaPP is to transform the Code into policies, procedures, and guidelines and to put it into practice.