While some of the initial dust has settled after 1 July 2021 which was the compliance deadline date for the implementation of Protection of Personal information within an organisation, it is not time to become complacent with just drawing up the relevant policies and procedures. Companies must not only ensure that they have implemented the relevant technological safeguards, identified and appointed the relevant people responsible for the safeguarding the processing of personal information but that they have taken steps to bring the appropriate level of awareness to all employees within the organisation. Depending on their position within your company and their associated responsibilities, it may be sufficient to provide employees with training as to what personal information is, and why it needs to be a safeguarded, including a short lesson on the advent of the intent and social media along with a discussion around cybercrimes and how to both spot them and avoid them in their personal lives. However that is not where the buck stops with all your employees and company’s must take additional steps for employees at middle, senior management and sales staff, for employees whose job function it is to deal with personal information (be it for an external or internal individual) and anyone employee who has access to email and the internet.
The company’s S51 PAIA Manual should contain it a list of circumstances under which personal information can be shared, with who and for which purposes. Appropriate technical and organisational measures should have already been taken to prevent unauthorised or unlawful access to personal information, and to prevent accidental loss, destruction or damage to personal information. Employees may already have signed an Employment Contract Annexure, confirming their consent for the sharing of personal information for purposes related to legal, compliance and similar functions related to upholding the employment agreement and the company’s associated obligations.
Learning to share personal information securely, professionally and legally needs to become a matter of habit in order to protect the rights of all employees, clients, customer, vendors and service providers. Every person within the organisation must be trained so as to ensure that when sharing information, they first ask the following questions:
- Am I sharing personal information?
- Do I have permission to share this personal information?
- Is the person I am sharing this personal information, authorised to receive it?
- How can I go about sharing this personal information in the most secure way (what level of security is required)?
To answer this these questions, individuals must foremost understand what constitutes personal information. For that, employees can refer to the company’s Protection of Personal Information Policy. In addition, individuals should have received awareness training to assist them with understanding what is required and why.
In deciding the most appropriate way to share personal information and the level of security required, individuals must always take into consideration the level of sensitivity of the information as well as the urgency of the situation, which pre-empted the requirement for the sharing of personal information.
If employees are unsure of how to share information securely, they should consult their manager, departmental Operator, or the company’s Information Officer.