Abstract:
Privacy entails controlling the use and access to place, location and personal information. In South Africa, the first privacy legislation in the form of the Protection of Personal Information (POPI) Act (Act 4 of 2013) was signed into law on 26 November 2013. The POPI Act promotes the protection of personal information by South African institutions and specifies the minimum requirements in 12 Chapters, which includes 8 Conditions for lawful processing of personal information. Condition 7 of the POPI Act makes specific provision for security safeguards to ensure the confidentiality and integrity of personal information. While the legislative requirements of Condition 7 of the POPI Act are spelt out in Sections 19, 20, 21 and 22, the requirements are not supported by specific guidance in terms of how these should be satisfied. There is also no specific guidance on the security safeguards, as required in Section 19, to ensure the confidentiality and integrity of personal information. Hence, this thesis - which focuses on electronic personal information - proposes a framework that includes a selection of security safeguards that may serve as a frame of reference and be used by South African institutions that store, process and transmit electronic personal information, to achieve and maintain compliance with Condition 7 of the POPI Act. As part of this study, a POPI research survey is used to assess the current state of security safeguards in South African institutions and to validate the selection of security safeguards of the proposed framework. In addition, a model of operation of security safeguards is proposed to guide one on how the selection of security safeguards should be implemented to achieve and maintain confidentiality and integrity of electronic personal information as required by Condition 7 of the POPI Act. Furthermore, this thesis explores the concept and principles of privacy as well as the importance of privacy and provides an overview of the global privacy legislative landscape, including South African privacy legislation. An analysis is also conducted to assess the extent to which the privacy legislation of the European Union (EU) and South Africa addresses the international 2013 Organisation for Economic Co-operation and Development (OECD) guidelines. The POPI research survey is also used to assess the level of compliance with the POPI Act and specifically Condition 7 of the Act. In addition, the POPI research survey is used to assess the financial value associated with electronic personal information and the potential impact of a data breach of electronic personal information.