From CompliNEWS | Financial Service Intelligence Watch
South African and UK authorities are taking action against employers who breach personal information through apps, to prevent any ‘app’cidents from occurring
ENSafrica reports that with the increasing prevalence of data breaches, the need to protect personal information has become a critical issue globally. The consequences for businesses that fail to do so are becoming increasingly stringent. Two recent examples include the reprimand of the Surrey and Sussex Police in the UK and the enforcement notice issued against the South African Police Service (SAPS).
In the UK, the Information Commissioner’s Office (ICO) investigated data protection breaches that resulted from using cell phone apps that recorded all incoming and outgoing telephone conversations, saved onto staff members’ mobile devices. The ICO found that in excess of 202 000 telephone conversations had been recorded and downloaded from the app. The app had initially been intended for use by a certain level of police officers, but was later made available to all staff, resulting in it being downloaded by 1 015 staff members. The ICO found that the app captured a variety of data, including sensitive personal data, and that the collection of the data breached the Data Protection Act, 2018 (DPA) and the General Data Protection Regulation (GDPR). The ICO recommended that the police take specific actions to ensure compliance with the DPA 2018.
Similarly, in South Africa, the Information Regulator issued an enforcement notice against the SAPS for disclosing the personal information of eight rape victims, including their names, ages, home addresses, and the nature of the violations against them, via WhatsApp. The Information Regulator found that the disclosure of this information constituted interference with the protection of personal information of the data subjects (the victims) by the SAPS, as it breached the conditions for the lawful processing of personal information in terms of the Protection of Personal Information Act (POPIA).
The Information Regulator ordered that the SAPS notify the data subjects of the security compromise of their personal information, publish a prominent apology to the data subjects, investigate the conduct of the SAPS members responsible for the unlawful processing of the personal information, and include POPIA training in all SAPS training programmes.
The actions of the UK’s ICO and South Africa’s Information Regulator demonstrate the importance of protecting personal information and ensuring compliance with applicable data protection laws. These cases also highlight the need for adequate training and guidance for employees who handle personal information, and the importance of ensuring that technological tools used by employees meet data protection requirements. Failing to comply with such requirements could result in significant penalties and consequences for businesses and individuals.