Explorative Analysis of the Implications and Compliance of the Protection of Personal Information (POPI) Act in an Open and Distance Learning (ODL) Institution:


Explorative Analysis of the Implications and Compliance of the Protection of Personal Information (POPI) Act in an Open and Distance Learning (ODL) Institution: Are we there Yet? 26 October 2017 Nelson Masindi & Matseliso Palesa Molapo Department of Institutional Research and Business Intelligence

Presentation overview
- Objectives
- Background
- What is the POPI Act
- Non-compliance to the POPI Act
- Pre POPI Act: Practices of accessing information
- Compliance to the Act
- Institutional Risks of access to personal Information
- Recommendations

Objective This presentation seeks to explore how the university is faring in implementing the Protection of Personal Information (POPI) Act, with possible recommendations, and to provide a platform for discussion of how other institutions are doing in implementing the Act.

Background As a public Open Distance Learning (ODL) institution, the University of South Africa (Unisa) provides access to more than 380,000 students per year who come from diverse backgrounds in Africa and beyond. As a comprehensive distance-education institution, Unisa espouses the values of the Constitution of the Republic of South Africa [4], particularly human integrity, the achievement of equality and social justice (Access to Information Manual 2006). The introduction of the POPI Act has forced universities and similar institutions to reconsider their policies and practices in personal information management and access, and how they have been conducting business.

What is the POPI Act The Protection of Personal Information (POPI) Act was passed in the National Assembly of the Republic of South Africa and enacted on 26 November 2013. Its purpose is to prevent the unauthorised disclosure of personal information. It exists to ensure that all South African institutions conduct themselves responsibly when collecting, processing, storing and sharing anyone’s personal information, by holding them accountable should they abuse or compromise anyone’s personal information in any way.

What is the POPI Act It is founded on Section 14 of the Constitution of the Republic of South Africa, 1996, which provides that everyone has the right to privacy. Academic institutions now have a legal obligation to ensure that the personal information of students and staff is sufficiently managed and protected. They may only disclose this information with the consent of the individuals concerned. While the Promotion of Access to Information Act (PAIA) provides for access to information, POPI cautions against dissemination of personal information without the consent of the affected individuals. The system of government in South Africa before 27 April 1994, amongst other things, resulted in a secretive and unresponsive culture in public and private bodies, which often led to an abuse of power and human rights violations. The right of access to any information held by a public or private body may be limited to the extent that the limitations are reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, as contemplated in section 36 of the Constitution.

Non-compliance to POPI? Institutions that do not comply with the POPI Act face possible prison terms and fines of up to R10-million, further financial losses due to legal proceedings, and damage to the reputation of the institution. The office of the regulator has been established and will be in effect in 2018.

Pre POPI Act: Access to Information Internal staff could access information from different points; although this had some advantage for the University, it raised information security concerns. Internal academics and regional centre staff could access personal student information by logging into the systems with their own credentials, without any clearance from the department head or managers. Although there were concerns about the security and trust risks associated with access to personal student information, there is a Policy on Data Protection which guides staff and reminds them of their role in the usage of such information.

Pre POPI Act: Access to Information External requests to access institutional data were handled more carefully and were only processed once the required form had been received and the UNISA legal department had granted permission to release the information. The information was provided in aggregated format, without any personally identifiable features.

Institutional Risks of access to personal Information

Compliance to the Act Establishment of the New Directorate: Institutional Information. The role of the Directorate: Institutional Information is to monitor business processes and ensure compliance with the legislation, understanding of the requirements by business owners, and to provide amendments to business processes, thereby enshrining the fundamental right of privacy within Unisa business practice. Its functions are to:
- Perform Personal Information Risk Assessment of Data Subjects
- Implement Safeguards/Action Plans to address risks identified
- Conduct POPI Act Awareness and Training
- Investigate and resolve reported privacy-related breaches
- Provide advice and guidance on POPI Act related enquiries

Requirements for accessing personal Information Any member of staff who, during the course of their official duties, requires access to personal student information must apply for permission to access it. Applications must include the following:
- Reasons why the applicant believes they should have access to “Function 195”.
- A letter of motivation from the line manager (at least at the level of a Deputy Director).
For instance, it is now more complicated for a lecturer to get his/her student information, and it takes much longer, because he/she has to complete a form, motivate for wanting such information, get a signature/approval from the line manager, and then send it to the office of the Registrar/Deputy Registrar for approval. If the application is approved

Compliance to the Act The university revoked all staff members’ access to personal student information on what is called “Function 195”. Access is now limited to designated departments managing student and staff data within the university, to protect both the confidentiality and the integrity of the information.
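The two slides above describe a least-privilege control: blanket access to “Function 195” is revoked, and access is re-granted only on an application that states a reason, carries a motivation from a line manager at Deputy Director level or above, and is approved by the Registrar or Deputy Registrar. The following is an added illustration, not the university’s own system: a small model of that approval chain with an audit trail. The grade ordering, the approver titles and the record layout are assumptions made for the example.

```python
"""Model of the Function 195 access-request flow (added example, not Unisa code).
Assumed: a grade ordering in which Deputy Director and above may sign a
motivation, and final approval by the Registrar or Deputy Registrar."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed grade ordering; only Deputy Director and above may motivate.
GRADE_RANK = {"Lecturer": 1, "Manager": 2, "Deputy Director": 3, "Director": 4}
MIN_MOTIVATOR_GRADE = GRADE_RANK["Deputy Director"]
APPROVERS = {"Registrar", "Deputy Registrar"}  # assumed approver titles

@dataclass
class Application:
    applicant: str
    reason: str                        # why access to Function 195 is needed
    motivator_grade: Optional[str]     # grade of the line manager who signed
    approved_by: Optional[str] = None  # Registrar / Deputy Registrar or None

@dataclass
class AccessRegister:
    """Who currently holds Function 195, plus an audit trail of decisions."""
    holders: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def revoke_all(self):
        """The blanket revocation: every existing holder loses access."""
        for user in sorted(self.holders):
            self.audit.append(("revoke", user))
        self.holders.clear()

def check_application(app: Application) -> list:
    """Return the unmet requirements; an empty list means the request is grantable."""
    problems = []
    if not app.reason.strip():
        problems.append("missing reason for access")
    if GRADE_RANK.get(app.motivator_grade or "", 0) < MIN_MOTIVATOR_GRADE:
        problems.append("motivation must come from Deputy Director or above")
    if app.approved_by not in APPROVERS:
        problems.append("no Registrar/Deputy Registrar approval")
    return problems

def process(register: AccessRegister, app: Application) -> bool:
    """Grant access only when every requirement is met; log either outcome."""
    problems = check_application(app)
    if problems:
        register.audit.append(("deny", app.applicant, problems))
        return False
    register.holders.add(app.applicant)
    register.audit.append(("grant", app.applicant, app.approved_by))
    return True
```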

RECOMMENDATIONS
- Establishing an institutional policy/strategy that will govern the implementation of the Act.
- Establishing a central unit for the management of institutional databases.
- Educating and training staff on the ethics of information security.
- Incorporating POPI into the day-to-day operations of the institution.
- Engagement with institutional stakeholders in the implementation of the Act.
- Removal/minimising of unnecessary requirements for personal information on institutional templates.

Recommendations
- Minimising/limiting access points to personal information.
- Aligning job function and access to personal information.
- Entering into contractual agreements with service providers to ensure adherence to POPI.
- Destroying used personal data after a period of five years.

Recommendations (summary diagram)
- Central Data/Information Management Unit
- Align job function to information access
- Reduce the amount of information collected
- Close many access points to information
- Provide information security awareness training
- Reduce staff access to information
- Contractual agreements so that service providers who process information on behalf of the institution adhere to the POPI Act

Are We there Yet? Is the institution ready for the kick-start of the POPI Act regulatory processes in 2018?