
Accountability for the governance of Information Technology
Since 2000, under the Promotion of Access to Information Act (PAIA) and the Electronic Communications Acts, companies have been obliged to disclose to individuals, on request, the personal information they hold about them, to amend it if necessary, or to opt them out of the company's list. Companies had to appoint an Information Officer and have a procedure for dealing with such requests. The same person can also be given this responsibility under the awaited POPI, since compliance with PAIA will be taken over under the Protection of Personal Information Act (POPI).
The requirement for an Information Officer will be regulated under POPI, which is awaiting the President's signature.
In the meantime, Section 5 of the new Companies Act has extended the duties, liabilities and penalties of Board members so that they apply not only to directors but also to prescribed officers and to all committee members, which includes the member responsible for IT compliance.
The law requires proper guidelines and training, and that every reasonable step be taken to deal with these issues.
The business judgment rule has been added to the Companies Act.
There are three requirements:
•You may not act with a conflict of interest. Always disclose a conflict if you have one.
•You may never take a decision if you are not fully informed. Never answer a question unless you know you are fully informed; you can always say you are not sure and will check.
•All the law expects is that you act as a reasonable person with the knowledge and experience expected for the position.
King III: data management and the Information Technology responsible officer
King III has added a new chapter that deals exclusively with the governance of information technology.
The Board must satisfy itself that an effective governance structure is in place to improve the overall state of IT governance, while ensuring that future platforms will meet strategic needs and remain competitive.
IT should form an integral part of the company’s risk management.
It is becoming increasingly important for companies to designate a Social Media Officer.
Accountability under POPI
POPI contains a specific condition making companies accountable for the administration and the lawfulness of the personal information they hold.
Companies must appoint an Information Officer who is responsible for the organisation's compliance with the conditions in POPI, for protecting all the personal information it holds, and for developing personal information policies and practices.
How?
Give full management support to the appointed person and publish the name internally and externally, for example on the website and in publications.
Remember that the management of this function is a responsibility of the Board.
Analyse all personal information handling practices, including ongoing activities and new initiatives.
Compile a checklist answering questions such as:
•'what', 'why' and 'how' you collect and use personal information
•'where' you keep it and 'how' you secure it
•'who' has access to it or uses it, internally and externally
•'when' it is destroyed.
Pay special attention, within your company, to the processing of special personal information such as religious or philosophical beliefs, ethnic origin, health and criminal behaviour.
POPI also regulates the collection and use of the personal information of children under the age of 18.
Develop and implement policies and procedures to protect personal information, such as:
•Define the purpose of collection (most important)
•Obtain consent
•Keep the information accurate, complete and up to date
•Ensure adequate security measures
•Have a retention and destruction timetable
•Respond to enquiries and complaints through a defined request process
•Include a privacy protection clause in contracts with suppliers to ensure that third parties provide the same level of protection as you do
•Inform and train staff on privacy policies and procedures
•Make this information available to customers.
Some clauses to include in contracts transferring personal information to third parties:
•Name a person to handle all privacy aspects of the contract
•Limit the use of the personal information to the specific purpose to fulfil the contract
•Return or dispose of the transferred information upon completion of the contract
•Use appropriate security measures to protect the information
•Allow your organisation to audit the third party's compliance with the contract as necessary
Register with the Information Regulator
All companies holding personal information will have to register with the Information Regulator and document the purposes, policies and procedures by which they comply with POPI.
Security is paramount
Another new requirement, which could prove quite onerous, is that a company that becomes aware of a security breach affecting the personal information it holds will have to report it immediately to the Regulator and explain what it is doing to address the issue. Companies will also have to notify all individuals who could have been affected.
Joining the dots
POPI will fall into line with the accountability for the governance of Information Technology, databases and the use of personal information, and can now be consolidated with the IT function accountable to the Board.
Christiane Duval – Founder and CEO
Umthetho & Management Resource
Consultant on Privacy, Direct Marketing & Consumerism
Member of the Privacy Law Commission project
Ethics Committee chair of DMASA
20 years' experience as legal advisor at Reader's Digest SA
Studied law at Witwatersrand University.
Cell: 083 242 3757 Email: cduval@iafrica.com