Nelson Masindi & Matseliso Palesa Molapo Department of Institutional Research

Explorative Analysis of the Implications and Compliance of the Protection of Personal Information (POPI) Act in an Open and Distance Learning (ODL) Institution: Are we there Yet? 26 October 2017.

Presentation Transcript


  1. Explorative Analysis of the Implications and Compliance of the Protection of Personal Information (POPI) Act in an Open and Distance Learning (ODL) Institution: Are we there Yet? 26 October 2017. Nelson Masindi & Matseliso Palesa Molapo, Department of Institutional Research and Business Intelligence

  2. Presentation overview • Presentation overview • Objectives • Background • What is the POPI Act • Non-compliance to POPI Act • Pre POPI Act: Practices of accessing information • Compliance to the Act • Institutional Risks of access to personal Information • Recommendations

  3. Objective • This presentation seeks to explore how the university is faring in implementing the Protection of Personal Information (POPI) Act, with possible recommendations. • Provide a platform for discussion of how other institutions are doing in implementing the Act.

  4. Background • As a public and Open Distance Learning (ODL) institution, the University of South Africa (Unisa) provides access to more than 380,000 students per year who come from diverse backgrounds in Africa and beyond. • As a comprehensive distance education institution, its values espouse the values of the Constitution of the Republic of South Africa [4], particularly human integrity, the achievement of equality and social justice (Access to Information Manual 2006). • The introduction of the POPI Act has forced universities and similar institutions to reconsider their policies and practices in personal information management and access, and how they have been conducting business.

  5. What is the POPI Act • The Protection of Personal Information (POPI) Act was passed in the National Assembly of the Republic of South Africa and enacted on 26 November 2013; its purpose is to prevent the unauthorised disclosure of personal information. • It is there to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing anyone’s personal information, by holding them accountable should they abuse or compromise anyone’s personal information in any way.

  6. What is the POPI Act • It is founded on Section 14 of the Constitution of the Republic of South Africa, 1996, which provides that everyone has the right to privacy. • Academic institutions now have a legal obligation to ensure that the personal information about students and staff is sufficiently managed and protected. They can only disclose this information with the consent of the individuals. • While the Promotion of Access to Information Act (PAIA) provides for access to information, POPI cautions against dissemination of personal information without the consent of the affected individuals.

  7. Non-compliance to POPI? • Institutions that do not comply with the POPI Act face possible prison terms and fines of up to R10-million, further financial losses due to legal proceedings, and damage to the reputation of the institution. • The office of the regulator has been established and will be in effect in 2018.

  8. Pre POPI Act: Access to Information • Internal staff could access information from different points; although this had some advantage to the University, there were some information security concerns. • Internal academics and regional centre staff could access personal student information by using their credentials to log into the systems, without any clearance from the department head or managers. • Although there were concerns with the risk associated with access to personal student information regarding security and trust, there is a Policy on Data Protection, which guides staff and reminds them about their role in the usage of such information.

  9. Pre POPI Act: Access to Information • External requests to access institutional data were handled more carefully and were only processed when the required A form was received and permission was granted by the UNISA legal department to submit the information. • The information was granted in aggregated format without any personally identifiable features.

  10. Institutional Risks of access to personal Information

  11. Compliance to the Act • Establishment of the New Directorate: Institutional Information • The role of the Directorate: Institutional Information is to monitor business processes and ensure compliance with the legislation, understanding of the requirements by business owners, and to provide amendments to business processes, thereby enshrining the fundamental rights of privacy within Unisa business practice. • Perform Personal Information Risk Assessment of Data Subjects • Implement Safeguards/Action Plans to address risks identified • Conduct POPI Act Awareness and Training • Investigation and resolution of reported privacy-related breaches • Provide advice and guidance on POPI Act related enquiries

  12. Requirements for accessing personal Information Any member of staff who, during the course of their official duties, requires access to personal student information must apply for permission to access it. Applications must include the following: • Reasons why the applicant believes they should have access to “Function 195”. • A letter of motivation from their line manager (at least at the level of a Deputy Director).

  13. Compliance to the Act • The university revoked all staff members’ access to personal student information on what is called “Function 195”. • Access is now limited to designated departments managing student and staff data within the university to protect both the confidentiality and integrity of the information.

  14. Recommendations • Establishing institutional policy/strategy that will govern the implementation of the Act. • Establishing a central unit for the management of institutional databases. • Educating and training staff on the ethics of information security. • Incorporating POPI into the day-to-day operations of an institution. • Engagement with institutional stakeholders in the implementation of the Act. • Removal/minimising of unnecessary requirements for personal information on institutional templates.

  15. Recommendations • Minimising/limiting access points of personal information. • Aligning job function and access to personal information. • Entering into contractual agreements with service providers to ensure adherence to POPI. • Destroying used personal data after a period of five years.

  16. Recommendations • Align job function to information access

  17. Are We there Yet? • Is the Institution ready for the kick-start of the POPI Act regulatory processes in 2018?