Safeguarding Data: Service Providers and Software as a Service (SaaS)
The Act makes YOU responsible and accountable for understanding your obligations and implementing appropriate measures to protect personal information. You remain accountable and responsible even if you outsource services: outsourcing a function does not outsource the liability.
- If you are going to share any personal information with service providers or business partners, make sure it is in the best interest of your customers and obtain their consent.
- Update or enter into specific written agreements with your service providers in which they commit to comply with the PoPI Act when handling your personal information, as well as any personal information under your care that they may have access to from time to time.
- Inspect their systems to satisfy yourself that they do in fact take PoPI seriously and can deliver on the promises they make. It is all very well that you like and trust the people you deal with on a regular basis, but your risk lies in what happens in the back office and with the people you do not know who have access to your information. Ask the service provider for a data map confirming where your data will be stored and how access to it will be managed and tracked.
- Are you the system administrator of your own systems? Who else has system administration rights? Review and restrict that access to the personnel who actually need it. If you outsource your email hosting, for example, does the service provider have access to your mailboxes and contact information, and can they confirm in writing exactly what access they have?
- If you outsource backups or any other part of your IT infrastructure, are there rules and technical mechanisms in place to protect your personal information from unauthorised parties, including the provider's own staff?
- If you make use of online communication or productivity services like Google Docs, Gmail, Dropbox, Office/Outlook365, Skype, etc., where are they physically hosted, and where is your data being stored, backed up or replicated to? If you do not know, you have to find out: personal information may not leave our country's borders unless the transfer is necessary for the service being provided, the customer has consented to it, and the destination is a jurisdiction whose legal entities are subject to the same or similar data protection laws.
- Are you sending and receiving email on a mobile device like a tablet or mobile phone? These services often use international servers to back up information, manage volumes and route communications, moving your data across the border without you knowing. Make sure you understand how your service works.
- Keep in mind that contracting with a local IT provider does not mean they use only local products or services. They may in turn source solutions from overseas (for example to remain competitive), which exposes your data to the same cross-border issues. Make sure you are informed about the solutions your service providers use and what they mean for you. Cover all the bases when it comes to managing your data.