POPI, the Cloud and Jurisdiction

2/10/2012

One of our South African clients recently asked us to assist them in dictating privacy conditions in terms of their "Cloud Computing" service agreement with a US company that provides a recruitment platform as part of their general Human Resource (HR) support service.

Although we managed to negate most of their privacy concerns by including appropriate clauses, the issue of the "Cloud and Jurisdiction" raised an interesting dilemma, which for now seemed relatively easy to resolve, but might yet prove difficult with the advent of POPI and new EU Data Protection legislation, recently proposed. I will address the proposed EU changes in an upcoming post.

But before I continue, let's clarify certain concepts.

What is "Cloud Computing"?

The US Department of Commerce's National Institute of Standards and Technology (NIST) defines "Cloud Computing" as follows:

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

In layman's terms, "Cloud Computing" refers to applications and services offered over the Internet. These services are offered from data centers all over the world, which collectively are referred to as the "cloud." This metaphor represents the intangible, yet universal nature of the Internet.*

Examples

Examples of "Cloud Computing" include online backup services, social networking services, and personal data services.

Reasons for using the "Cloud"

Most organisations are considering and some are already using "Cloud Computing" to reduce cost by converting capital expenditure into operational expenditure. 

This is purported to lower barriers to entry, as infrastructure is typically provided by a third-party and does not need to be purchased for one-time or infrequent intensive computing tasks. Pricing on a utility computing basis is fine-grained with usage-based options and fewer IT skills are required for implementation (in-house).**

Security could also improve due to centralization of data, increased security-focused resources, etc., but concerns can persist about loss of control over certain sensitive data (e.g. personal information), and the lack of security for stored kernels.

No surprise then that privacy advocates have their doubts about the "Cloud".

This discussion is however not focused on the security or the positives and negatives of "Cloud Computing", but rather on the issue of jurisdiction when faced with "Cloud" services.

POPI, the "Cloud" and Jurisdiction

Although section 3 of working draft 5 of the POPI Bill deals with the application of the proposed Act, and section 74 will regulate the manner in which a responsible party is allowed to transfer personal information outside of South Africa, the multi-faceted question remains:

Whose jurisdiction would apply when an organisation (foreign or local), utilises "Cloud" service providers (located in or outside South Africa), to process its personal information (belonging to locals or foreigners)?

I recently read an interesting article, relevant to this issue by Michael Chertoff (US secretary of homeland security from 2005 to 2009), which might cast some light. 

There is no doubt that jurisdiction is already relevant to the many organisations utilising "Cloud" services, but I could only imagine that jurisdiction would become even MORE complicated in South Africa once the Protection of Personal Information (POPI) Bill is promulgated into legislation.

SA courts in the near future might have to decide, but for now, a comparative analogy might be drawn from the US - EU examples highlighted in the Chertoff article.

I think the basis of this article needs further debate. Please comment or write to me for further discussion.

*  Techterms.com
** Wikipedia

POPI and faxes

2/9/2012

Despite advances in technology, a significant amount of highly sensitive personal information continues to be sent via fax. Individuals and employees alike, whether at work or at home, sometimes forget the sensitivity of the content they send by fax. In most instances, they are unaware that it may be disclosed to unauthorised recipients.

A lot of awareness, although not always successfully implemented, has been raised regarding the use of emails at work (privacy, defamation etc.), but for some obscure reason, the same can't be said for faxes sent.

Although a majority of emails sent by organisations contain disclaimers or legal notices, one has to look wide and far to find any similar notices on faxes.

In a recent report by the UK's Information Commissioner's Office (ICO), information from data breaches received, coupled with audit findings, highlighted the fact that a failure to encrypt personal information in appropriate circumstances remains a top data protection concern.

With the imminent promulgation of POPI legislation in South Africa, organisations will be well advised to familiarise themselves with POPI guidance on using faxes.

Below are some useful recommendations*:

1. Consider whether sending the information by a means other than fax is more appropriate, such as using a courier service or secure email. Make sure you only send the information that is required. For example, if an attorney asks you to forward a statement, send only the statement specifically asked for, not all statements available on the file.

2. Make sure you double check the fax number you are using. It is best to dial from a directory of previously verified numbers.

3. Check that you are sending a fax to a recipient with adequate security measures in place. For example, your fax should not be left uncollected in an open plan office.

4. If the fax is sensitive, ask the recipient to confirm that they are at the fax machine, they are ready to receive the document, and there is sufficient paper in the machine.

5. Ring up or email to make sure the whole document has been received safely.

6. Use a cover sheet. This will let anyone know who the information is for and whether it is confidential or sensitive, without them having to look at the contents.

* Recommendations supplied by the ICO UK

Author

Francis Cronje is an Information Governance specialist and provides insight from a legal and governance perspective on a wide range of topics in the Information and ICT sphere, including matters pertaining to the Protection of Personal Information (POPI) / Data Protection / Privacy, Information Security and other related topics.
