The promulgation of the Protection of Personal Information Bill (PPI) is imminent. The PPI Act aims to bring SA in line with the privacy legislation of key trading partners. The Bill has been a long time in the making but the core principles remain the same:
- Process personal information in a legal and reasonable manner.
- Only process personal information for a specific, explicitly defined and lawful purpose.
- Take steps to ensure that the data subject is aware of that purpose.
- Ensure that any further processing of personal information is compatible with the stated purpose of collection.
- Ensure that personal information remains complete and accurate.
- Notify the data subject and the regulator that you are collecting personal information, and record the purpose of collection.
- Protect the security and integrity of personal information.
- Provide for data subject participation in the collection of personal information to ensure purpose, accuracy and relevance.
South African companies which provide onshore cloud computing services or via offshore third parties will be responsible for upholding these principles when processing and storing personal information. This responsibility extends to and must be managed when using offshore or onshore outsourcing partners.
The process to ensure compliance should start now.