Safeguarding Data: People
- Education, education, education. Putting the most advanced and expensive systems and controls in place will not protect information if the people involved are negligent or ignorant about protecting personal information. It is important that you create awareness and a culture of protecting personal information through education. This includes orientation and guides for new staff and regular workshops and reminders for existing staff. There is only so much you can monitor and control with technology, and the implementation of PoPI still relies heavily on people considering whether what they are doing is legal or not. For example: many people forward an email received from a customer (containing their signature with their name, email address and phone number) to other parties like external suppliers or other departments without considering the implications and whether they have the consent of the owner to do so.
- Human Resources (HR) / Payroll. Most companies already split or manage information related to their employees and contractors/agents separately. Do not assume these measures are sufficient protection. Revisit all HR systems and controls as part of your overall PoPI implementation, including recruitment efforts (e.g. collecting and storing CVs). Obtain consent from employees, contractors/agents, etc. to collect, store and process their personal information, just like you would from a customer.
- Make everyone responsible for finding gaps and recognise the people who find them. It will take time to find and address all the gaps in your business, so start early and make it a positive thing, especially in the early days. Every gap identified is an opportunity to learn something new and improve your systems. People will make mistakes and it will take time for them to change their ways, so allow enough time for this. It would probably not be a good idea to start with disciplinary action as your way of implementing new policies.
- Set people up for success. This also means removing opportunities for making mistakes. So ensure you remove or change systems that do not conform to policies and put controls in place to manage exceptions. For example: if you put a process in place to “check out” a USB memory stick, you have a lot more control than if you allow anyone to take one and copy data. A new person will not know that there are rules around copying data onto a memory stick if there is no one to control this or no process to guide them. At WorkPool we have a process in place to ensure that client data is encrypted before it is copied onto a memory stick, and when it is returned (checked in) the data is destroyed. This means a person cannot forget to perform their duties, and even if a memory stick goes missing or is stolen it is far less of an issue as the data itself is encrypted.
- At some point in the process of implementing PoPI in your business you will have to switch to “serious mode”, where there will be consequences for people who do not conform to the rules. Set a date for this, make everyone aware of the change in focus and then start acting on every offence. Prepare your HR department or labour consultant to be able to step in and deal with these occurrences in an efficient and effective manner.
- Lead by example. Business owners should not create rules and then not follow them themselves. Set an example in the way you embrace PoPI and the changes that go along with it, and staff will treat it as serious and follow your lead. We often see companies where processes allow management or the owners of the business to take shortcuts and sidestep the rules that other people have to follow. Business owners will have to accept that they too need to make some changes.
- Prevent negligence that stems from carelessness. Make sure staff see and treat personal information as valuable. This means they cannot leave paper files lying around or copy/share files (both paper and electronic) unless doing so is in line with the policies. Staff must also take special care that devices like laptops, tablets and mobile phones containing personal information are secured and are not left lying around where they can be stolen or accessed by other parties.