Protection of personal information policies, procedures and practices should regulate the way in which employees (and maybe operators) process personal information with the aim of protecting it. The policy must dovetail with your organisation’s other policies and policy framework. Often a POPI Policy is part of an Acceptable Use of IT Policy.
The target audience should be all employees who process personal information, especially managers, and possibly operators as well.
Why are they important?
It is an important part of complying with POPI. If the Information Regulator decides to fine you, it must consider whether you failed to operate good protection of personal information policies, procedures and practices. The fine could be up to R10 million. Operating good protection of personal information policies, procedures and practices therefore helps to reduce any fine you might receive.
What should be in them?
They often set out some general procedures and then deal with specific areas, such as:
- Paper Records
- Retaining personal information
- Email and Personal Productivity Software
- Remote Access
- Laptops and Other Mobile Storage Devices (incl. Mobile Phones, PDAs, USB memory sticks, External Hard Drives, etc.)
- Using wireless networks
- Data transfers and encryption
- Posting of paper documents
- Appropriate Access and Audit Trail Monitoring
- Disposal of paper and media
- Incident Response
Characteristics of good ones
They should be:
- short and to the point
- in plain and understandable language
- well structured
- in line with the latest laws and rules
- clear on what is permitted and what is not
- specific, relevant and applicable to the target audience
We can help you to formulate, draft or revise your protection of personal information policies, procedures and practices.