AUTHORITY TO PROCESS

Section 17 of the Act requires that processing of personal information is done only as the controller instructs. This means that the data processor, or their representatives, must not process personal information unless instructed to do so by the controller. Authority to process constitutes part of the security and safeguards for personal data.

SECURITY

Section 18 of the Act provides for the security measures that must be implemented to safeguard personal data46. Security, integrity and confidentiality of data are the responsibility of the data controller or data processor or their representative. For POPIA, this is the safeguard principle with which the data controller or the responsible party must comply47. Section 18 (4) of the Act requires that appropriate technical and organisational measures be taken to protect data. The Act requires under Section 18 (5) that appropriate measures be implemented. The Section does not define what constitutes appropriate measures, and there are several, as long as they satisfy the requirement that sufficient safeguards are in place.

Examples of appropriate measures may include:

• minimising the processing of personal data. This does not mean not processing, but processing only the data which is required and necessary
• pseudonymisation48 of the personal data to make identification impossible without additional information
• allowing the data subject to monitor the data processing through invoking any of their data subject rights
• use of preventative concepts such as privacy by design or privacy by default
  o Privacy by design is an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle49.
  o Privacy by default compels the data controller to ensure that the data processing is necessary to achieve a specific purpose; data minimisation and purpose limitation are consistent with privacy by default.
• Encryption of the data and making sure that the data is easily available when a technical incident occurs50.
• Physical measures such as the building of secured rooms for data servers, or the use of strong access passwords and two-factor authentication.

When deciding on the appropriate technical measures, the Act requires under Section 18 (5) that the data controller takes into account costs, the state of technology, the nature of the data, and any potential risks to processing. The Authority can under Section 18 (6) issue guidance on appropriate standards for certain types of data or data categories. This guidance might also be issued as industry-wide guidance for certification purposes, for instance to banks, insurance or medical institutions. Every data controller must satisfy themselves that the data processor they have appointed has sufficient technical and organisational measures to protect the data and that such policies are being adhered to.

46 There are drafting numbering errors in this section. It starts from 18 (4) to 18 (8). For purposes of this commentary
47 POPIA s19(2)
48 GDPR Article 4 (5) ‘the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information provided that additional information is kept separately and is subject to technical and organisational measures…’.
49 GDPR Article 25 (1)-(2)
50 Availability of information on demand is important and can be ensured if there are sufficient technical measures at appropriate levels.

MISA ZIMBABWE • GUIDE TO THE ZIMBABWEAN CYBER AND DATA PROTECTION ACT - 2022 25