Print Page   |   Contact Us   |   Report Abuse   |   Sign In   |   Membership Application
SITE Content Search
News & Press: EDITORIAL

Accountants and spying

Wednesday, 30 July 2014   (0 Comments)
Posted by: Nicolaas van Wyk
NSA whistleblower, Edward Snowden, has urged lawyers, journalists, doctors, accountants, priests and others with a duty to protect confidentiality to upgrade security in the wake of the spy surveillance revelations.

Snowden said professionals were failing in their obligations to their clients, sources, patients and parishioners in what he described as a new and challenging world.

"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default," he said.
The response of professional bodies has so far been patchy.

A minister at the Home Office in London, James Brokenshire, said during a Commons debate about a new surveillance bill on Tuesday that a code of practice to protect legal professional privilege and others requiring professional secrecy was under review.

Snowden's plea for the professions to tighten security came during an extensive and revealing interview with the Guardian in Moscow.

The former National Security Agency and CIA computer specialist, wanted by the US under the Espionage Act after leaking tens of thousands of top secret documents, has given only a handful of interviews since seeking temporary asylum in Russia a year ago.

In lieu of the above need to protect personal information Accountants need to consider the implications of the Protection of Personal Information Act. 

Simply put, the Protection of Personal Information Act (POPI) sets conditions for what companies can do with information about their customers.

The bill was passed by the National Assembly on 11 September 2012, with amendments approved on 20 August 2013. The President has signed a proclamation declaring some parts of the Protection of Personal Information Act No 4 of 2013 effective from 11 April 2014 

According to BiZConnect POPI protects personal information by restricting how it can be collected and used by a company, organisation or person, and sets out eight principles:

1. Accountability:

The responsible party (those who process the personal information) must ensure that all of the Act’s principles and the measures are complied with.
2. Processing limitation:

Processing of information must be done lawfully and in a manner that does not infringe the privacy of the individual. Personal information can only be processed if the processing is adequate, relevant and not excessive, given the purpose for which it is to be used.
3. Purpose specification:

Personal information must only be collected for a specific purpose and the individuals must be aware of this. Records must not be kept for longer than necessary to achieve the purpose for which it was collected.
4. Further processing limitation:
Further processing of the information must be compatible with the purpose of collection.
5. Information quality:
The holder of the data must take reasonable steps to ensure that personal information is complete, accurate, not misleading and updated when necessary. All the while, taking into account the purpose for which the information was initially collected.
6. Openness:
Steps are required to ensure that the data subject is aware of the personal information being collected and the purpose of collection.
7. Security safeguards:
The responsible party must secure the personal information under their possession/control. Should a security breach occur, the responsible party must notify the subject whose information is compromised.
8. Data subject participation:
The data subject can request whether an organisation holds their private information, and what information is held. They may also request the correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
POPI Will Make it Essential for Prospects and Customers to Agree to Receive Your Communication
Stretch points out, “Specifically relating to the running of SMS marketing campaigns, direct marketers cannot use personal information for direct marketing unless they have the consumer’s permission. In the case of a direct marketing organisation, they must have ‘opted in’.”
The consumer can “opt-in” in one of two ways:
1.     Firstly, the consumer can give his or her explicit consent to receive direct marketing.This would ideally be obtained when the information is collected, but a direct marketer can also approach the consumer for consent later. If it does this, it can only approach the consumer once for consent.
A direct marketer must get a consumer’s contact details in the first place to approach the consumer for consent. Unless these contact details were in the public domain, such as a telephone directory, merely obtaining the contact details could be an infringement of POPI.
For example, if a direct marketer received a list of individuals and their contact details from a company that collects and sells marketing information, the data vendor would itself have infringed POPI by passing the list on to the direct marketer, even if the direct marketer never actually uses any of the information contained in the list. Unless the individual specifically consented to their information being passed on.
2.     Secondly, if the consumer is a customer of the direct marketer (and not of anyone else) then the direct marketer can use their information for direct marketing ONLY if:
  • The data was obtained in the context of the sale of a product or service, and
  • The direct marketing will be in respect of the marketer’s OWN similar goods/services, and
  • The consumer has been given a reasonable opportunity to object to receipt of direct marketing both when the data was first collected and on each occasion when direct marketing is made to the consumer.
POPI infringement: The Consequences Will be Harsh
POPI makes provision for enforcement notices to be served on those infringing the data protection principles or the direct marketing provisions of POPI. Failure to comply with an enforcement notice is an offence, and on conviction may lead to a fine, up to 10 years in prison, or both.
Perhaps more seriously, says Stretch, if a data subject suffers any loss as a result of an infringement, the responsible person will be strictly liable for this loss. In other words, it does not matter if the responsible person was negligent, or acted intentionally in infringing POPI – if the infringement caused loss to the consumer, the responsible person is liable.

more Latest News
There are currently no news items posted.
more Calendar

The upcoming calendar is currently empty.

Click here to view past events and photos »

Online Surveys
Membership Software Powered by YourMembership  ::  Legal