Michalsons – Sicelo Kula

Does complying with the Protection of Personal Information Act (POPIA) also mean that you must use email encryption when sending emails containing personal information? In other words, does sending unencrypted emails containing personal information potentially violate POPIA? The short answer is: It depends on a number of factors. One of those factors is the nature of the personal information contained in the unencrypted email you’re sending – is the personal information of such a nature that data subjects could suffer adverse harm if the emails are hacked?

Importantly, while the answer under POPIA depends on a number of factors, policies like the Minimum Information Security Standards (MISS) have more explicit requirements for both public and private bodies transmitting important government information.

Is Email Encryption a POPIA requirement?

As the commencement date for POPIA looms larger, you will need to know the various steps to take to comply. Many of the questions rest on the actions of the Information Regulator. POPIA gives the regulator extensive powers to enforce data protection, including creating codes of good practice. There are, however, no provisions explicitly dealing with email encryption in POPIA, but the codes of good practice might very well expressly require it.

Apart from that possibility, POPIA explicitly requires security measures that are appropriate and reasonable in relation to the nature of the personal information you process. Data protection authorities around the world recognise encryption as one of the generally appropriate and reasonable security measures that you must take.

Email encryption is one of the ways to protect data subjects from harm and further comply with PoPIA

Taken together, all of this points to the fact that email encryption will be a no-brainer in most cases. The regulator will not look kindly on you if you send unencrypted emails containing sensitive personal information (account numbers, special personal information, and children’s information being more important), and which subsequently get intercepted and read by an unauthorised third party (data breach). This will be more so in cases where you had the means to use email encryption, but did not.

Actions you can take

Regulate how employees use email in your organisation by implementing an Email Use Policy and Code of Behaviour (containing guidelines around acceptable use).