POPIA - Your Driver's License Scanning Questions Answered
Whether or not we are obligated to share our personal information is an important question—and one we should prioritise. Not because the POPI Act (POPIA) has been in the spotlight but because it is in our interest to safeguard our Personal Information (PI). This PI includes everything from ID numbers and bank details to sexual orientation or political affiliation. It is the very blueprint of who we are!
Legislation such as POPIA intends to ensure this safeguarding by holding organisations and individuals accountable for upholding its principles. However, organisations shouldn’t only comply with the law to avoid punishment—they should value privacy because it is the right thing to do.
Our priority at ATG Digital is to ensure our compliance with POPIA, and we completed the first phase of our POPIA compliance process in 2019. However, this process is constantly evolving and improving as our business grows.
Here is our advice to Data Subjects who are asked for personal information when entering a private gated community or office park.
Under the Act:
· “Data Subjects” are the people or entities to whom the PI belongs.
· The “Responsible Party” is the organisation that determines what information they need to collect and why. An organisation may collect data provided it has adhered to the 8 Conditions for Lawful Processing.
· We, ATG, are defined as an “Operator”.
As an Operator, we have made it our prerogative to learn how the legislation applies to us and share this with our Clients, Resellers and Data Subjects.
Our position is that our POPIA Compliance is rooted in the points below, which we have also applied to our gate scanners. We encourage all Data Subjects to interrogate the Responsible Party and Operator providing such services to ensure the same has been done.
Accountability: Every ATG Client knows they are a Responsible Party (RP) and understands their obligations under the Act. We provide educational materials and host regular webinars to assist them in meeting the requirements for compliance.
Processing Limitations: Information is scanned for the legitimate purpose of protecting private sites, which is in the interest of both the site owners/tenants and the Data Subjects themselves, for the safety and security of themselves and their property.
Purpose Specification: Information is limited to that which is absolutely necessary for the operational requirements of each site; it is deleted as soon as reasonably possible following the RP’s requirements; and guards are empowered with lanyard cards and boards to assist in communicating to data subjects the reasons for the data being collected.
Further Processing Limitation: ATG does not share the data with any third parties and has safeguards in place to ensure this.
Information Quality: Data is scanned directly from source documents to prevent errors in capturing, and the Data Subject is encouraged to engage with us if they believe any data we hold is incorrect or inaccurate.
Openness: The RP is provided with the necessary signage for their entrances to communicate to the Data Subject the reasons for capturing, who we are and how they may contact us.
Data Subject Participation: We have a comprehensive Complaints Policy and a dedicated email address to assist any data subject who requires additional information on our POPIA Policies or Processes. However, as we are not the RP, we are not authorised to access or delete the information without the RP’s consent and involvement.
Security Safeguards: The list of safeguards we have implemented is too extensive to list completely, but it includes the following:
o All our employees are trained in information security; are legally and contractually obligated to keep Personal Information confidential; and only authorised persons can access such information.
o Our staff only access backend data upon receiving a written request from an authorised representative of the Responsible Party, and no information is shared with anyone who is not on this authorised list.
o The ATG devices hold no data, so the security guards, other guests, site managers or criminals cannot access the data via the device. Once data is scanned, it is immediately encrypted and uploaded to secure cloud-based storage. ATG uses Google Cloud Services. This decision is based on the exceptional service levels provided by Google, as well as their commitment to data security and international data protection legislation. Google Cloud Services holds multiple ISO certifications and is considered the ‘Gold Standard’ in secure cloud storage.
o Data can only be accessed via our secure platform using a password. We have a suite of Information Security Policies implemented to ensure our IT security is of the highest international standard. We perform regular penetration testing to ensure this security is in place.
The ATG Commitment: We will adequately safeguard and protect all Personal Information in our possession by adopting the appropriate, reasonable, technical, and organisational measures expected for our industry and within South Africa. We have implemented robust policies governing all areas of our business, including electronic and physical records, as well as the physical security of our premises. We welcome engagement with all stakeholders who want to discover more about how we have become compliant. We encourage all Data Subjects to educate themselves about what they should expect from us, our competitors and all organisations who may access their Personal Information.
For further information, please get in touch with ATG on email@example.com