This paper aims to assess the Protection of Personal Information Act (No. 4 of 2013) (POPIA) in the South African (SA) universities sector, with the objective of formulating a code of conduct to improve compliance.
The case study approach was used in this study. Data were collected using interviews with the SA universities’ representatives during the POPIA consultative workshop.
The results showed that most of the participants were not aware of the POPIA and that there was a lack of collaboration between the legal practitioners, records managers and archivists. Internal control systems with Information Communication Technology (ICT) need to be in place to provide information integrity and the value of international integrity with regard to the international students and staff.
This paper is based on the first phase of the national consultative workshop with 25 SA public universities held between January and November 2018. The findings of the study are transferable to other sectors like health and infrastructure.
The findings are expected to be instrumental to the formulation of universities’ code of conduct in line with POPIA.
The POPIA, if not properly implemented, can contribute to the violation of information integrity of the international students with regard to research and cultural exchange programme. Furthermore, it can affect SA trade relations with the European countries as it is a requirement for non-European countries to comply with the European Union General Data Protection Regulations (GDPR).
This study is useful to ensure consultation of the POPIA. It is also essential for the POPIA to be aligned with the international norms and standards such as GDPR.
Netshakhuma, N.S. (2019), "Assessment of a South Africa national consultative workshop on the Protection of Personal Information Act (POPIA)", Global Knowledge, Memory and Communication, Vol. 69 No. 1/2, pp. 58-74. https://doi.org/10.1108/GKMC-02-2019-0026
Emerald Publishing Limited
Copyright © 2019, Emerald Publishing Limited
This paper aims to assess the national consultative workshops organized by Universities South Africa (USAF) in collaboration with the Department of Higher Education and Training (DHET) to prepare for the implementation of POPIA. The POPIA aims to protect the privacy rights determined by Section 14 of the Constitution of the Republic of South Africa, (Act, No. 108 of 1996). The lack of significant time period for POPIA before the full compliance does not translate that universities have done full preparation for the implementation of POPIA.
POPIA introduces conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information regulator to exercise certain powers and to perform certain duties and functions in terms of POPIA and the Promotion of Access to Information Act 2 of 2000 (PAIA), to provide for the issuing of codes of conduct, to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of SA.
The Information regulator gives the universities complete discretion in deciding whether or not to draft a code of conduct. Universities under the leadership of USAF cooperated with the information regulator to formulate a code of conduct for all universities in compliance with POPIA. It is the role of the Information regulator to provide guidelines to universities to develop codes of conduct or to apply codes of conduct.
Aim of the paper
The main goal of this article is to assess the readiness of SA public universities to implement POPIA with regards to awareness, collaborations, protection of information integrity and international integrity.
POPIA was promulgated on 26 November 2013 and all sectors, including education, were given a grace period to implement processes and procedures internally to ensure that they comply with the requirements of the act. USAF embarked on the National Consultative Workshops with universities to prepare for compliance with the POPIA. The Consultative Workshops aimed to develop a code of conduct for public universities to comply with POPIA. The universities sector was well represented by 25 attendees from 25 universities, including the DHET. The invitations to the National Consultative Workshops were targeted to legal practitioners and compliance officers. It was essential to engage the legal practitioners early before the implementation of POPIA because their involvement will give them a stake in the initiative’s success (Dederer and Swan, 2016). The author argued that even other professionals from the universities, such as archivists and records managers, were supposed to be invited to the workshops. This is so because POPIA compliance requires involvement of everyone from universities.
USAF National Consultative Workshops were aimed at developing a code of conduct. USAf’s code of conduct Section 63 of the POPIA allows an educational sector to issue a code of conduct which must apply the principles of POPIA. Industry has the potential to self-regulate, to complement or supplement for individual-level privacy protection (Turri et al., 2017). The self-regulatory recommendations will lead to the information integrity. To regulate sector and organizations privacy, many legal arguments and standards were introduced (Ghorbel et al., 2017). The decision to embark on a process of developing a code of conduct was motivated by a desire to optimize how personal information is used in the Higher Education Industry (HEI), increase the level of the protection of privacy and level of compliance, ensure uniform and industry-appropriate implementation of the POPIA, and to align the Information Regulator and the Higher Education of South Africa approach to information governance.
The National Consultative Forum took place in Johannesburg, O.R Tambo International Airport on 5 January and 6 July 2018. The workshops were an opportunity to raise awareness to universities representatives and a forum for participants to discuss the need for changing policies, procedures on management of personal information. The POPIA has been a subject of much discussion in SA because of its impact on personal information and integrity. The introduction of the POPIA forms a key element to protect personal information.
The National Consultative Workshops were an achievement in that they represented the attempt to discuss the issue of protection of personal information (POPI) in SA, and they were successful in raising awareness and generating enthusiasm for protecting personal information. The National Consultative Forum was tasked to develop a code of conduct for universities in line with the POPIA. The code of conduct is intended to build universities' awareness and knowledge regarding the POPIA. South African universities are expected to develop protection of personal information guidelines in accordance with POPIA.
Since January 2018, the National Consultative Forum has been assisting universities to develop procedures. The Consultative Forum has done this through the implementation of seminars, producing promotion materials and corresponding the message with universities vice chancellors. At present, the Consultative Forum has limited powers to compel universities to conform to its code of conduct as it is not yet approved. The national consultative forum can only implement the guidelines through the guidance of the Office of the South African Information Regulator.
The issues that were raised and discussed during the National Consultative Workshops were about protection of personal information (POPI) and information integrity. The issues discussed were linked to the points listed on the POPIA questionnaire which served as a checklist to be attended to ensure compliance thereof. The issue highlighted aspects of the lack of access to information and information integrity. One of the key areas of POPIA in SA is the data subject access right incorporated in the legislation. The issue discussed during the national consultative workshops includes the following topics:
Why is a university code of conduct necessary?
The status of POPIA.
The European Union GDPR: When does it apply to South African organizations?
Developing the HEI Code of conduct.
The binding of code after accreditation by the Office of regulator.
The principles guiding the drafting of the Code of conduct.
Many of the aforementioned aspects discussed were new to delegates, and this made it difficult for them to go much beyond identifying key policy and defining practical steps to address some problems further.
The challenges experienced by universities during the national consultative workshops are the lack of participation, engagement or inputs on the draft code of conduct. Some of the universities purposefully ignored regulations or interpreted or implemented the regulations differently from what was intended. According to Turri et al. (2017), self-regulation is ideal if all universities are resolute about complying with the agreed-upon code of conduct. To ensure effective implementation of POPIA, gaps in the act must be identified and addressed.
The education sector is faced with the challenges of managing personal information (Borgman, 2018). Lack of POPI by universities compromises the individual constitutional rights to privacy. Most of the students and staff complain about the violation of privacy of information and information integrity which is not protected by universities. While the educational sector, like other sectors, has a legal and ethical responsibility to protect university community privacy, it is challenged to meet all stakeholders’ expectations in terms of managing personal information. Universities acquire kinds of data and need sophisticated, layered approaches to personal information management. According to De Bruin (2014), the POPIA will impact universities because they collect, store, process and/or disseminate personal information related to university communities and external stakeholders as part of their business activities.
Universities' functions are teaching and learning, research and community engagement. In all functions of universities, data privacy, information integrity, data collection and stewardship are to be taken into consideration (Borgman, 2018). All university functions require the handling of personal information. Universities are stewards of the data created (Borgman, 2018). Data created by universities are used for research, teaching, administration, partnership and strategic planning.
The POPIA was passed to promote the POPI processed by public and private bodies, provide minimum requirements for processing of personal information across SA. The POPIA rests upon the foundation of a set of data protection principles which indicate in general terms what is regarded as acceptable in the collection, treatment and use of personal information (Davies, 1997). The act is based on the principle that protecting personal information is integral to maintaining the dignity of the individual. Protecting privacy by maintaining confidentiality is among the concerns of universities (Borgman, 2018). The institutions collecting and maintaining this data are required to be held publicly accountable (Neufeldt, 2009).
The POPIA provides an opportunity for records managers, legal practitioners and compliance officers to review internal control to improve information integrity (Procter, 2002). The DHET is to consider the extent to which personal information holdings are computerized or manual. This is so because universities outsource more computing systems and service to the commercial organisations (Borgman, 2018). The commercialization of information at SA universities contributes to loss of control over the data collected through online systems. Universities are sophisticated about constructing privacy, security protections and information integrity. The author recommends that universities should not rely on third parties alone to address the privacy, confidentiality of information and information integrity.
The POPI promotes a sense of confidence and information integrity. The prominent feature of universities is keeping and maintaining personal information (Hassan, 2011). POPIA requires organizations to protect personal information from the unauthorized disclosure.
Universities are confronted with the growing privacy concerns of university communities, including students, faculty officers and staff, who expect the institutions to comply with the POPIA. Universities collect personal information on students, staff, faculty, management and alumni during application, registration and graduation of students and employment of staff.
The rationale for the protection of personal information is rooted in the concept of privacy and information integrity. Universities are required in terms of the POPIA to reveal the physical location of the records, the legal authority for maintaining them, the type of information held, the use of the information and who has access to it; the records retention and disposition schedules are also to be indicated (Neufeldt, 2009). Personal information occupies a strategic position in the efficient and effective management of university systems (Egwunyenga, 2009). Some of the personal information can be used in the university strategic plans.
The importance of the legal and policy framework on POPIA in the successful creation, processing, storing, and preserving of records and archives materials cannot be taken for granted. The Constitution of the Republic of SA (Act 108 of 1996) guarantees information privacy. SA recognizes the protection of personal information as a basic human right in line with the international trends. Privacy is the fundamental human right that was included in the United Nations Declaration of Human Rights since 1948 (Ghorbel et al., 2017). POPI is also recognized as an aspect of accountability, transparency, and openness. This is so because universities are required to keep personal information records for all activities. Laws that protect the right of citizens to administrative records are of little use if official records lack integrity or cannot be accessed.
The Information Regulator is an independent body established in terms of Section 39 of POPIA. Though the POPIA was passed in 2013, its full force did not come into effect for some time. This allowed time for all ministries’ data users and the general public to familiarize themselves with the act and develop the implementation plan and code of conduct. The date for the implementation of POPIA is not yet set. All sectors in SA are given grace period to develop a code of conduct to comply with POPIA.
Some of the aspects covered by the POPIA include the lawful processing of personal information across SA; exclusion for journalistic, literary or artistic purposes; personal information processing limitations; retention and restriction of records; security safeguards; processing of special personal information; prior authority; and transfer of personal information outside the borders of the country.
Universities are to develop archives and record Management programmes (ARMP) to manage personal information. Record keeping must be guided by level of confidentiality, proper maintenance, security; preservation of the content (Egwunyenga, 2009). Universities are to develop internal control to manage personal information. The distribution of personal information should be considered as an essential part of universities.
POPI is a requirement for good governance. In turn, good governance requires participation of citizens. Legislation is being introduced to inform citizens about the availability, allocation and utilization of public resources. There must be fairness, transparency and accountability when officers deal with resources.
There is reason to believe that general university public lacks awareness of the nature of POPIA. The lack of preparation and potential creates an environment to raise awareness on POPIA.
According to Marutha (2018), the legislative framework is the heart of the achievement of business goals in all business sectors, the education sector included. Non-compliance with POPIA leads to the loss of institutional memory. The statement is alluded to by Prince (2017), who said that many institutions experienced poor custodians of corporate memory, which led to the loss of organizational memory.
The lack of code of conduct as to what information to protect has created a challenge for the university community to find it safer to refuse access to information (Adams, 2006).
Why the national consultative workshops?
The passing of the POPIA in SA was followed by the National Consultative Workshops of various sectors which deal with personal data. The POPIA National Consultative Workshops initiative was developed to prepare universities to implement POPIA. Most of the records which need to be protected are students’ records. Students are important components of the university and they are entitled to the rights of privacy protection (Fang and Chen, 2013). Personal information of students is related to their names, genders, grades, health status and families. Although records are essential for the POPI and efficient administration, the forum has not paid much attention to records management, nor has it made much investment in this area. The Consultative Workshops were also necessary to verify the availability of internal controls such as policies and governance framework, the appropriateness of the control systems at universities, and the level of personal information security of universities.
In terms of Chapter 3 of POPIA, SA universities are to revisit their security management systems to ensure satisfaction about preservation of confidential information, the integrity of information, and the availability of information in a timely manner. According to Singh and Ramutsheli (2016), all institutional database systems are to be aligned with technological advances.
The workshops began with a preliminary assessment using high level questions. The discussions of the recommended content of a code of conduct for universities was structured around a list of some of the questions a university will have to answer in the process of becoming POPIA compliant. These questions were included in the presentation:
Management of applications forms:
Can the university justify all the information required in an application form?
How long do we keep these application forms which have personal information and where do we keep them?
We need to make sure that these are not kept for longer than necessary.
Who keeps the personal information at the university?
What is the greatest challenge facing POPI in the university?
What needs to happen to deal with this challenge?
Are university staff aware of the POPIA?
These questions were distributed by email to all participants at all SA universities.
What follows are summaries of the responses received.
Participants were aware that application forms contain personal information which needs to be kept and preserved. The universities are to determine the retention schedule of the application forms, informed by the POPIA.
Who holds records with personal information in our university? What is that information used for? Who has access to it?
It was suggested that audit should be done to identify records that have personal information and thereafter try to answer the questions above. Internal audit will provide information where records are preserved. An audit will assist the university in determining the current status of personal records, scope of the work ahead in terms of complying with POPIA, the location of the records with personal information and ultimately help to determine how these records can be managed in future.
What is the greatest challenge facing Protection of Personal Information Act in your university?
The POPIA is not recognized as an important act within the universities. This may be because there was no legislation guiding the protection of personal information before in SA.
What needs to happen to deal with this challenge?
Universities staff need continuous awareness and training on the POPIA. It is necessary to state, that the anecdotal evidence suggests that improved compliance with the POPIA requires continuous workshops, training and assessments and evaluation of universities’ staff members. Compliance with the POPIA Act requires universities to link the act with their business strategic objectives. The inherent assumptions in the code of conduct were the ARMP to be helpful in implementing POPIA.
How do you think organizations like Universities South Africa should intervene to improve the situation?
USAF to work with SA public universities to advocate the management and protection of personal information. USAF should also continue to work with universities to raise awareness. USAF should continue to support staff capacity building and encourage the adoption of a code of conduct on management of personal information.
The workshop methodology was developed to enable university stakeholders to articulate their information needs to public sector stakeholders. It provides a mechanism to assist universities to gain a better understanding of the university sectors on protection of personal information. The practice of provision of protection of personal information within SA universities has historically lacked uniformity. Management of personal information was not generally seen to have a strategic role in the university sectors.
The population of the study was sampled using some of the representative members who attended POPIA consultative workshops organized by USAF. The total population identified from all the universities was 25. The universities' representatives who attended the national consultative workshops are shown in Table I.
The researcher supplemented the questionnaire data with observations about the state of personal information in all universities.
The researcher supplemented the questionnaire data with observations about the state of personal information at various public universities in SA.
An essential element is the use of a case study to move from a discussion of broad concepts to a focus on practical outputs. The case study provides an opportunity for participants to work through the methodology within their own context.
The workshops were designed as an interactive event to identify user requirements on POPI. The workshops were facilitated through presentations by legal experts from USAF. The workshops were facilitated to ensure that participants are familiar with the aspects of POPI. These discussions provide opportunities for lawyers to be involved in the following:
determine areas of agreement and disagreement over POPI;
prioritize information requirements according to university needs;
agree what information should be made available, to whom, and under what conditions;
identify priorities for improving university services to citizens;
improve the dissemination of information that satisfies universities; and
develop a sustainable programme of action to address shortcomings identified in existing information systems.
The literature was reviewed based on the assessment of the readiness of SA universities with regards to POPIA awareness, collaborations, protection of information integrity and international integrity.
Protection of Personal Information Act awareness
The assessment of readiness for the implementation of POPIA requires universities to develop ARMP and be aware of the legislation governing personal information (Table II). It is imperative for SA universities to develop and implement a legislative framework that will assist in guiding educational sector processes (Katuu, 2015).
The review of literature shows a lack of awareness of information integrity and international integrity. This statement is alluded to by Slade and Prinsloo (2013), who raise information integrity associated with social interaction, dialogue and networking. According to Fang and Chen (2013), awareness is to be conducted on principles of information integrity. Cheng and Lai (2012) said that mechanisms of accountability to put privacy policies into effect, including training and education on information integrity, need to be in place. The awareness is to be targeted to both students and university administrators to improve their legal consciousness of integrity and privacy protection. Awareness of POPIA is a positive first step in institutions keen to introduce formal ARMP (Procter, 2002).
The review of literature shows that the successful implementation of POPIA compliance requires collaboration between legal practitioners and university archivists and records managers (Swain, 2004). Records management is seen as a key business partner with the legal division in helping the university protect itself from litigation (Khan and Akhter, 2017). This statement is alluded to by Thurston (2015), who said that information laws including records management are inseparable because all professions stressed information integrity and governance.
The review of literature shows a lack of collaboration between archivists and legal practitioners. Information is managed by neither legal, ICT Department or records management depends on university structure (Mojapelo, 2017; Ngoepe and Van der Walt, 2009; Mullon and Ngoepe, 2019). According to Ngoepe and Ngulube (2014), records management practitioners should consider working together with other professionals. The important allies in this regard are legal and compliance professionals. Collaboration among relevant professionals will enable information integrity to be approached from different aspects. IRMT (1999) promotes a need for expertise from different professions to collaborate to improve organisational information integrity.
Protection of information integrity
Information integrity is defined as the quality of correctness, completeness, wholeness, soundness and compliance with the intention of creators (Flowerday and Von Solms, 2005). Universities have a duty to protect privacy of students to external stakeholders. The personal and integrity of information is supposed to be protected (Sotto et al., 2010). Safeguarding student personal information is essential for information integrity. The practical significance of data protection laws serves to emphasize the ethical standards that should be in place by focusing conduct on normative and appropriate standards (Singh and Ramutsheli, 2016).
Universities’ records should be managed to comply with regulatory, legal, and ethical requirements (Chachage and Ngulube, 2006). Compliance is supposed to be in line with information integrity, privacy, and records retention. Compliance with legislation and standards has implications for how records and information are captured or created. Students are required to complete applicable personal information in full in their enrolment (Fang and Chen, 2013). The information completed on enrolment includes privacy issues. Such collection of personal information must be lawful. To have information integrity, a university needs to have internal controls with IT at its core (Flowerday and Von Solms, 2007).
The POPIA is based on the integrity, reliable and trustworthy records for universities sector to be accountability and effectiveness (Thurston, 2015). The records profession can make an important contribution to protection of personal information if it is empowered to do so (Thurston, 2015). Records and Archives management profession play an essential role to protect the integrity of records as evidence. According to Duranti (2010), consideration should be done to preserve trustworthiness of records by developing procedures to preserve both electronic and manual records.
The author argued that the development of ICT has an impact on the protection of integrity of the POPIA. The researcher's statement is supported by Maseh (2015), who said that the challenges brought by ICT require personnel dealing with information integrity to be equipped with new skills and competencies.
The review of literature shows that digital information integrity depends on the computer hardware and software (Thurston, 2015). Development of ICT provided opportunities for universities to collect, store, process and distribute integrated personal information (Borking and Raab, 2001). Most of the universities use cloud services to take advantage of the benefits offered, like increased operational efficiencies, accessibility, collaboration, security, reliability and integrity (Frank, 2015). Technology which includes cloud computing poses challenges on how universities deal with information integrity. This is so because most student data are served and preserved in the cloud. According to Singh and Ramutsheli (2016), when a university makes use of cloud computing, the cloud customer will be the university to determine how personal information is processed and for what purposes. The technology of cloud computing is based on the concept that all the data processing will not happen in the end user (Cheng and Lai, 2012). The risks associated with cloud computing are unauthorized access to data, compromise of information integrity and security of information, and users' lack of awareness regarding the location, which causes jurisdiction and legal compliance challenges. Some of the sensitive personal information such as student records are no longer protected, there is fraud risk, and data may be stored and processed in different geographical locations with different regulations (Cheng and Lai, 2012). Digital data are useful only through investments in curating, documentation and migration to new formats and systems (Borgman, 2018). The author recommends that an organization embark on a security audit to test the level of security of the cloud system for information integrity.
Good governance requires public participation, accountability and transparency (Khan and Akhter, 2017). There is an assumption that university students, faculty, officers are less concerned about the privacy and security of their information (Pereira, 2017). Some of the universities breach privacy because of data containing sensitive and confidential information through deleting. Sensitive and confidential information are classified as membership information, demographic data include nationality, gender, educational level; job position, criminal records, finance records which present account balances, financial transactions such as credit cards numbers, health information regarding medical records, diseases, diagnostics, prescriptions and other related information and intellectual production which is information related to the data subjects ideas and inventions before publications or validations (Ghorbel et al., 2017).
Information professionals are confronted with the issue of selecting certain information for preservation without compromising the information integrity. The determination of value of information can be processed through appraisal of records. Appraisal appears at the centre and front of the records creation and maintenance processes (Duranti, 2010). Appraisal of records is supposed to be conducted without affecting personal information and information integrity.
Teaching and learning in the university is almost facilitated in the electronic environment, which poses risks to information integrity. Building a credible information society is dependent on information integrity (Abdulrauf and Fombad, 2016). It takes a more active role in promoting digital authentication and information integrity assurance techniques that organisations can use to safeguard the records they create. According to Singh and Ramutsheli (2016), the most critical stakeholders of SA universities are students. The computerized information may be duplicated and shared. The review of literature showed that there is an increasing need for sharing data containing personal information (Goryczka et al., 2014).
Information arising from student disciplinary hearings and information requests from the media are some of the personal information required to be included in a code of conduct for the universities. Such information is supposed to be handled with integrity. According to Singh and Ramutsheli (2016), student disciplinary hearings and information requests from the media are issues which will need to be determined by the regulator as a matter of priority to ensure that current practice at universities does not contravene the requirements of POPIA. The disclosure of any information is to be handled without violating the privacy of students.
Collection of international students’ private information is not supposed to be contrary to European Union GDPR data privacy legal requirements. Internationalization of universities promotes the exchange of students and staff to conduct research, teaching and learning. According to Singh and Ramutsheli (2016), what is increasingly relevant is the transmission of private staff and student information across geographic borders. There should be protection of trans-border data flow of the transfer of personal data to another country (Ghorbel et al., 2017). Storing data in other countries can lead to a violation of legislation and users’ preferences. Remedial action is taken when there is a violation of personal information.
Despite the protection of information, there are certain student data that is essential for the student of enrolment, teaching and facilitation of learning, assessment and graduation (Singh and Ramutsheli, 2016).
Data were analysed based on POPIA awareness, collaborations, protection of information integrity and international Integrity
Protection of Personal Information Act awareness
The study revealed that 20 (80 per cent) participants were aware of POPIA as a regulatory tool for records in South Africa, while 5 (20 per cent) participants were aware of some of the legislation governing records management in SA. Some of the participants mentioned the POPIA and PAIA.
The participants were asked if the POPIA national consultative workshops contributed to the awareness of the integrity of privacy and personal information. The 20 (80 per cent) participants acknowledged that the POPIA consultative workshop helped them to understand the importance of the POPIA. Five participants said the following: “I was not aware that I can be fined R10 Million if I do not comply with the act”. Some of the participants said that “understanding the principles of personal information is key to improve compliance with POPIA”.
The participants were asked if they were aware of the existence of compliance guidelines of POPIA. As reflected in the above diagram, 20 (80 per cent) participants said that they were not aware of the implication of non-compliance with the POPIA. The participants acknowledged and appreciated the National Consultative Workshop as it assisted them to understand the baseline of POPIA.
The participants were asked about the importance of a code of conduct which is required by USAF. Some of the participants said that they appreciated a code of conduct for universities. They said that a code of conduct will assist the universities to exercise control throughout, act as an invitation for improvement, coordinate activities, facilitate communication throughout universities and standardize all operations of universities.
The participants were asked about the level of collaboration between records management and legal division (Table III).
From Table III, the majority of respondents, 23 (92 per cent), acknowledged that there is no collaboration between the records management division and the legal division in terms of provision of POPIA. Some of the participants said “records management is not recognized as part of the global information integrity”. Only two (8 per cent) participants acknowledged that there is a level of cooperation between legal practitioners and records managers in terms of providing information to universities. Two (8 per cent) participants said that records managers are able to identify personal records suitable for long-term storage, pending a decision on destruction and archiving of records. Records managers can also play a critical role by ensuring that records containing short-term values are destroyed within a short period. The two (8 per cent) said the adoption of the ARMP by universities will enable them to understand the type of records the university possesses, the allocation of such records, the volume of records that the university has and the status of these records. This showed that there is a relationship between the records and archives management profession and the protection of personal information.
Protection of information integrity
The participants acknowledged the importance of protection of individual information integrity (Table IV).
The majority of respondents, 16 (64 per cent), stated that they put internal control in place, such as policies and procedures, to ensure the protection of information integrity. They further indicated that the information audit was conducted in their institutions. Participants acknowledged that integrity of information is essential for protecting the integrity of institutions. Nine (36 per cent) participants said that they have not yet developed internal control. The nine (36 per cent) participants felt that they had little to no control over the information distributed on all platforms of the university. These participants raised a concern that the national consultative workshops need to be extended to other staff members at the university. The participants said that the fact that information is preserved in the cloud system posed a challenge of protecting information integrity.
When asked how their level of concern has changed over the past five years, the nine (36 per cent) respondents reported that they are more concerned now about their level of personal information security.
The participants were asked to comment on the implication of GDPR for SA (Table V).
The table shows that GDPR has influence on the implementation of POPIA in SA. The comments demonstrated that South African laws must be in accordance with international standards to be accepted. The majority of participants, 10 (40 per cent), acknowledged that GDPR has implications for global information integrity and compromise of international students. This was further commented on by another 40 per cent, who said that South African universities will be affected in terms of networks, collaboration and international relations. Only five (20 per cent) emphasized the challenge of POPIA with regard to transferring international exchange and partnerships.
Findings and their implications
The findings were based on the POPIA awareness, collaborations, protection of information integrity, and international integrity.
Protection of Personal Information Act awareness
The results showed that most of the participants were not aware of the POPIA. The lack of compliance with the POPIA was not surprising, given that the act is relatively new.
Besides the POPIA consultative workshops, there are ongoing training activities which included POPIA as a feature of fewer universities. There are a number of institutions involved in the PAIA manual. Some universities used POPIA to promote access to information and information integrity. Some of the participants attended formal training on the Promotion of Access to Information Act, which is linked to POPIA. This implies that organizations are to put in place clear governance and accountability structures that assign clear roles and responsibilities. This implies commitment from top management to implement POPIA.
Training, consulting sources and obtaining reliable advice all contribute to aligned protection of personal information with legislation. Effective guidelines and procedure manuals represent a valuable asset in management of information and data.
It was found that there was a lack of internal cooperation between the legal practitioners, records managers and archivists. This implies non-compliance with POPIA. Lack of collaboration creates opportunities for lack of information integrity and information governance. These weaknesses arising from lack of collaboration have implications for information management in Africa.
The ARM profession can contribute to protect information integrity as evidenced through time and across technology.
Protection of information integrity
Internal control systems with ICT control need to be in place to provide integrity to personal information. The control needs to be audited to ensure operational efficiency and effectiveness. A process of continuous information auditing is needed to provide information integrity assurance on demand. The implication of protecting information integrity is that it provides a comprehensive framework and a starting point for internal auditors to identify any threat or risk to personal information. Information integrity risk has relevance to preventive, detective and corrective control.
The development of the electronic environment presents archivists with a series of dilemmas that will demand rethinking by archivists and records managers to preserve the integrity of personal information in the digital world. Electronic records management systems have been designed and implemented using the concept of information integrity. This is because of the inability of the law to keep up with technological change.
Many organisations and development planners are unaware that an ICT system, if not fully planned, can compromise the information integrity of individuals.
From the data analysis, it seems that there will be a negative impact on international student and staff exchange programmes, specifically with European countries. This implies that POPIA is supposed to comply with the GDPR because of the level of universities’ engagement with the European Union (EU). If universities are not prepared to be compliant to do business with the European universities, they might be seen as high-risk universities from a personal information protection perspective in the case of the universities who need to be compliant. The GDPR is viewed as the international standard for protecting the integrity of personal information and will impact on compliance obligations and monitoring and also advise all international stakeholders. Considering that the EU is SA’s biggest trade partner, POPIA must not be in conflict with GDPR.
The implication of international integrity also includes the challenges for hiring the best academics and for international research collaborations. The environment surrounding POPIA has international implications, and can even weaken the competitive edge within a global business environment where European countries’ values in relation to privacy demand information integrity on personal information.
POPIA awareness, compliance audit and commitment from all staff are supposed to be the norm. Universities are to establish a data governance system to manage all universities’ personal information. All universities’ policies, procedures and processes are to comply with POPIA requirements.
Assuring the integrity of information in organizations is the responsibility of the organization. To remain compliant and uphold integrity, organizations should consider collaboration between records managers, legal practitioners and IT personnel.
The archives and records management programme is supposed to be recognized as an essential part of POPIA.
Further studies on the impact of ARMP on information integrity can be done.
USAF has made good progress during the one year of consultation. The progress in the area of the national consultative workshop is characterized by coordination of all universities’ activities. This is significant given the diverse activities and priorities of USAF and its component parts. Their activities and participation are driven by the participation and enthusiasm of individual members with varying levels of institutional support. The USAF is to continue to collaborate with other activities. A framework of privacy-preserving collaborative ensemble learning based on differential privacy is proposed to provide personalized privacy protection over distributed data sets (Xiang et al., 2018).
Below are some of the issues that were raised and discussed during the national consultative workshops which universities need to take into consideration when implementing POPIA Principles. These issues are linked to the points listed on the POPIA questionnaire attached which is used as a checklist which needs to be attended to ensure compliance thereof:
The SA universities need to work on a compliance plan to determine compliance with the POPIA principles. Once the audit is conducted, it will be easy to start working on compliance plan. The audit can also be guided by USAF code of conduct once it has been adopted.
There are conditions the university must meet to be compliant with the POPIA. The university needs to work through the POPIA compliance checklist to ensure information integrity such as accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, data subject participation and completeness.
This article has reported on the progress made in the first year of the national consultative workshops on POPIA. USAF has chosen to work through collaboration with the DHET. Currently in SA, the implementation of POPIA in most universities is at a very early stage. Hence, there is a need for the university sector to continue to embark on awareness. It is clear from the analysis that all SA universities that manage personal information must ensure that internal controls are in place to ensure compliance with the POPIA. The consultative workshops facilitated by USAF provide an effective platform for the implementation of POPIA.
This article addressed the uncertainty that awaits the SA universities about what can be expected after the adoption of the code of conduct by all universities.
In conclusion, I suggest that once the audit is completed and the compliance gaps are identified, the university can thereafter identify high risk areas to be attended to urgently and add those as part of the risk management document so that mitigation strategies/preventive plans/contingency plans are developed and treatment measures are monitored consistently.
This article has suggested next steps for taking implementation of POPIA forward. Although we are yet to see the results of the first phase of consultative workshops, it is already apparent that the PAIA is bringing co-ordination to POPIA.
South Africa Universities representatives
|Cape Peninsula University of Technology||Legal practitioners 1 x 23 (92%)|
|Central University of Technology|
|the Free State|
|the Durban University of Technology|
|Mangosuthu University of Technology|
|Kwazulu – Natal|
|Vaal University of Technology|
|Walter Sisulu University|
|Mpumalanga||2 (8%) (Records Managers and Librarian)|
Level of POPIA awareness
|20 (80%)||5 (20%)|
Level of collaboration
|02 (8%)||23 (92%)|
|16 (64%)||In place|
Comments on GDPR
|10 (40%)||“GDPR has implications on global information integrity, compromise of international students will put SA on high alert”|
|10 (40%)||South African universities will be affected in terms of networks, collaboration, international relations|
|5 (20%)||“it is the end of transferring international exchange and partnerships”|
Abdulrauf, L.A. and Fombad, C.M. (2016), “The African union’s data protection convention 2014: a possible cause for celebration of human rights in Africa?”, Journal of Media Law, Vol. 8 No. 1, pp. 67-97.
Adams, M. (2006), “Freedom of information and records management in Ghana”, African Journal Libraries, Archives, and Information Science, Vol. 16 No. 1.
Borgman, C.L. (2018), “Open data, grey data, and stewardship: universities at the privacy frontier”, Berkeley Technology Law Journal, Vol. 33.
Borking, J. and Raab, C. (2001), “Laws, PETS and other technologies for privacy protection”, The Journal of Information, Law, and Technology, Vol. 1.
Chachage, B. and Ngulube, P. (2006), “Management of business records in Tanzania: an exploratory case study of selected companies”, South African Journal of Information Management, Vol. 8 No. 3.
Cheng, F.C. and Lai, W.H. (2012), “The impact of cloud computing technology on legal infrastructure within Internet- Focusing on the protection of information privacy. 2012 international workshop on information and electronics engineering”, Procedia Engineering, Vol. 29, pp. 241-251.
Davies, E. (1997), “Data protection management in university libraries in the UK”, Journal of Information Science, Vol. 23 No. 1, pp. 39-58.
De Bruin, M. (2014), “The protection of personal information (POPI) Act- Impact on South Africa”, International Business and Economics Research Journal, Vol. 13 No. 6, pp. 1315-1340.
Dederer, M.G. and Swan, A. (2016), “3 Keys to managing change for a successful RIM program implementation”, Information Management, Vol. 1.
Duranti, L. (2010), “Concepts and principles for the management of electronic records, records management theory is archival diplomatic”, Records Management Journal, Vol. 20 No. 1, pp. 78-95.
Egwunyenga, E.J. (2009), “Record keeping in universities: associated problems and management options in South West Geo-Political zone of Nigeria”, International Journal of Education Science, Vol. 1 No. 2, pp. 109-113.
Fang, H. and Chen, Z. (2013), “Study on Chinese university students’ privacy protection from intercultural perspective”, International Conference on Education Technology and Management Science (ICETMS 2013): Atlantis Press, Singapore.
Flowerday, S. and Von Solms, R. (2005), “Real time information integrity = system integrity + data integrity + continuous assurances”, Computers and Security, Vol. 24 No. 8, pp. 604-613.
Flowerday, S. and Von Solms, R. (2007), “What constitutes information integrity”, South Africa Journal of Information, Vol. 9 No. 4.
Frank, P.C. (2015), “New technologies, new challenges: records retention and disposition in a cloud environment”, The Canadian Journal of Information and Library Science, Vol. 39 No. 2.
Ghorbel, A., Ghorbel, M. and Jmaiel, M. (2017), “Privacy in cloud computing environments: a survey and research challenges”, The Journal of Supercomputing, Vol. 73 No. 6, pp. 2763-2800.
Goryczka, S., Xiong, L. and Fung, B.C.M. (2014), “M-Privacy for collaborative data”, IEEE Transactions on Knowledge and Data Engineering, Vol. 26 No. 10.
Hassan, K.H. (2011), “Personal data protection in the business of higher education Malaysian law”, International conference on Sociality and Economic Development IPEDR 10. IACSIT Press, Singapore.
International Records Management Trust (IRMT) (1999), The Management of Public Sector Records: Principles and Context, IRMT.
Katuu, S.A. (2015), “Managing records in South African public health care institutions – a critical analysis”, PhD thesis, University of South Africa.
Khan, N.U. and Akhter, S. (2017), “Rights to information as an instrumental force of good governance in South Asia. South Asian studies”, A Research Journal of South Asian Studies, Vol. 32 No. 1, pp. 151-160.
Marutha, N. (2018), “The application of legislative frameworks for the management of medical records in Limpopo province, South Africa”, Information Development, pp. 1-13.
Maseh, E. (2015), “Managing court records in Kenya”, Africa Journal of Library, Archives, and Information Science, Vol. 25 No. 1, pp. 77-87.
Mojapelo, M.G. (2017), “Contribution of selected chapter nine institutions to records management in the public sector in South Africa”, MINF dissertation, University of South Africa.
Mullon, P.A. and Ngoepe, M. (2019), “An integrated framework to elevate information governance to a national level in South Africa”, Records Management Journal, Vol. 29 Nos 1/2, pp. 103-116.
Neufeldt, T. (2009), “Formalizing privacy protection: FIPPA, Ontario universities, and unsupervised records management”, Faculty of Information Quarterly, Vol. 1 No. 1, pp. 1-12.
Ngoepe, M. and Ngulube, P. (2014), “The need for records management in the auditing process in the public sector in South Africa”, African Journal Libraries, Archives, and Information Science, Vol. 24 No. 2, pp. 135-150.
Ngoepe, M. and Van der Walt, T. (2009), “An exploration of records management trends in the South African public sector”, Mousaion, Vol. 27 No. 1, pp. 116-136.
Pereira, S. (2017), “Do privacy and security regulations need a status update? Perspectives from intergenerational survey”, PLoS One, Vol. 12 No. 9.
Prince, C. (2017), “Big data and privacy: why public organizations adopt big data”, The Canadian Journal of Information and Library Science, Vol. 42 No. 4, pp. 233-244.
Procter, M. (2002), “One size does not fit all: developing records management in higher education”, Records Management Journal, Vol. 12 No. 2, pp. 48-54.
Singh, D. and Ramutsheli, M.P. (2016), “Student data protection in a South African ODL university context: risks, challenges and lessons from comparative jurisdictions”, Distance Education, Vol. 37 No. 2, pp. 164-179.
Slade, S. and Prinsloo, P. (2013), “Learning analytics: ethical issues and dilemmas”, American Behavioral Scientist, Vol. 57 No. 10, pp. 1510-1529.
Sotto, L.J. Treacy, B.C. and McLellan, M.L. (2010), “Privacy and data security risks in cloud computing. Electronic commerce and law report, 15 ECLR 186”, available at: www.Presentation/publicationAttachment/6f52b2fd-2973-48cc-9f23-c941f1e19358/privacy-Data_Security_Risks_in_Cloud_Computing_2.10.pdf (accessed 28 January 2019).
Swain, D.E. (2004), “Connecting students of the present, past and future: an activist approach to the collection and use of student documents in the university archives”, Journal of Archival Organization, Vol. 2 Nos 1/2.
Thurston, A. (2015), “Access to reliable public records as evidence for freedom of information in commonwealth Africa”, The Round Table, Vol. 104 No. 6, pp. 703-713.
Turri, A.M., Smith, R.J. and Kopp, S.W. (2017), “Privacy and RFID technology: a review of regulatory efforts”, Journal of Consumer Affairs, Vol. 51 No. 2, pp. 329-354.
Xiang, T., Li, Y., Li, X., Zhong, S. and Yu, S. (2018), “Collaborative ensemble learning under differential privacy”, Web Intelligence, Vol. 16 No. 1, pp. 73-87.
About the author
Nkholedzeni Sidney Netshakhuma is a Deputy Director Records and Archives at the University of Mpumalanga in South Africa. Prior to this position, Netshakhuma worked for South Africa National Parks as the Records Manager and the African National Congress as the archivist. Netshakhuma holds a Masters of Information Science from the University of South Africa, and he is currently enrolled for a doctoral programme in archives and records management at UNISA.