POPI makes cross-border information transfer more onerous

South Africa's Protection of Personal Information Act (POPI), legislation designed to ensure the protection of personal information by private and public organisations, places a duty on those transferring information beyond the country's borders to ensure that it remains protected, according to a legal expert.

Nikki Pennel, attorney at KPMG in South Africa, says, "Every time the information is being transferred from South Africa, one has to consider and assess the adequacy of the legal framework and determine whether the laws in place are sufficient to protect the personal information of the data subject. There are a couple of questions that we need to consider each time. Firstly, it is whether the law is able to protect the information similar to what POPI requires? Is it a comprehensive data protection regime or is it just pockets of legislation in that country that deal with information in certain industries? Is there a legal framework for the protection of personal rights generally and does the country recognise the rule of law and freedom of contract?"

Pennel says the responsibility to study the laws and regulations in the country where the personal information is needed must be understood clearly and cannot be taken lightly.

"The most important point when looking at this issue is that you need to get local advice. It sounds like common sense but I've been surprised when a number of my clients have said to me 'can't you just Google what the law is in that country and just tell us?'... the answer is always no! We are dealing with courts, legislative bodies and tribunals who will interpret the law in those countries and it is quite important to understand how that is done."

Pennel adds that POPI imposes additional requirements when it comes to cross-border transfer of personal information. Among these is that the party transferring the information must obtain prior authorisation to do so from South Africa's Information Regulator if the personal information being transferred relates to children.

She recommends a mapping of where and how the information will be transferred in order to determine whether there is a need for additional safeguards.

"If a country does not have adequate protection we need to start looking at things like binding corporate rules or a binding agreement that upholds POPI in that particular country or even whether any exemptions in section 72 of POPI apply."

Exemptions in Section 72 of POPI include instances where permission was obtained from the data subject to transfer the personal information.

Improving employee awareness

Pennel also warned that organisations need to educate their employees on the type of information that they can send outside the country.

"If you bear in mind that 263 billion emails are sent out around the world every day, how sure are you that your employees know where and when they are entitled to pass that information? Employee awareness is one of the key issues addressed in any POPI orientation programme because employees need to know the rules regarding when they can send information overseas and what measures they need to take to keep the information safe. These rules need to be recorded and implemented in the organisation."

Pennel cited Ghana as a leader on the continent when it comes to data protection, followed by South Africa.

She says more needs to be done across the continent to show greater care for privacy, and that recent ransomware attacks show the value of interventions to protect information flow because breaches have far-reaching consequences.
