The Protection of Personal Information Act (POPIA) goes live on 1 July 2021. It places a huge burden on all organisations — from the one-person accountant firm to the big banks.
All about protection
POPIA is about what personal data we collect, why we collect it, and how we use it. But even more than that, it is about how we protect that data.
There's a data breach in the news almost daily — and many more that aren't made public.
I expect that many companies have appointed a team to understand what POPIA requires of them. And there will be developers working overtime to make changes to the systems. Although we are a small company, POPIA is a big item on my to-do list right now.
When will DoL WAKE UP?
This makes my recent experience on the Department of Labour website even more horrifying.
Every employer must register with the Compensation Fund and pay annual assessment fees. Last week I wanted to get our Return of Earnings submission in. (FYI: That didn't work. Although the deadline used to be 31 March, the system isn't open for submissions yet.)
It happened last year. It happened the year before. It happened again this year. The DoL site rejected my username and password combination — which I know is correct, because I use a password manager. So I had to reset my password. And guess what? DoL emailed me the old password in PLAIN TEXT!
And then I, like a careful user, reset my password. And guess what? DoL emailed me the new password in PLAIN TEXT! And not only my password: it also sent my full name and ID number.
I am ... Angry. Bothered. Confounded. Disconcerted. Enraged. Furious. Pick any letter of the alphabet, and I'll find a suitable adjective to describe my horror. Hence my use of uppercase in the heading above.
And this is not new. The labour.gov.za site has been on the list of plain-text offenders since 2013. I posted a complaint about this on our Facebook page in 2018. If DoL hasn't addressed this for the past 8 years, will POPIA make a difference?
Security is not just for specialists
We all have to do some retro-fitting to make our processes and systems more secure. But security and privacy really need to be built into the entire development process.
Not everyone needs to be a security (or a POPIA) expert. But I believe that everyone involved in software development needs some basic understanding of security concepts. That includes the users and the system owners and the business analysts. (You can read more about this in our blog post about secure analysis.)
That's why we created the Introduction to Web Application Security course. Because you don't want to make the news because of a data breach.
Any suggestions for waking up DoL? Any plans to train your team in basic security concepts? Please share your thoughts and experiences.