You’re working on an event that is scheduled to take place next week and you get an urgent message from your colleague to send the latest list of registered delegates. You download the CSV file that contains personally identifiable information of each delegate and create a new email message. You quickly enter some text in the email body, add your colleague’s email address, click Send, then carry on with the many tasks that you were trying to manage when the request came in.
Thirty minutes later, your colleague calls you and asks for the list. You get agitated because you’re being interrupted again, for something that you already sent.
While you’re on the phone, you navigate to the Sent items folder to say exactly what time you sent the email, and then notice that you sent it to Hilary (spelt with one “L”), who you dealt with the day before for a personal matter, instead of Hillary (spelt with two “L”s), who you work with. And now, the list containing delegate information has been sent externally.
You start to panic and explain what happened to Hillary – your colleague – who tells you to please phone the other Hilary and ask her to delete the email. Upon calling external Hilary, she tells you not to worry, she saw the email and realised it wasn’t for her and just closed it. You ask her to please delete it as it contains confidential information. She promises she will.
You trust Hilary will do what she says, because she said so. How do you know that she will live up to her word and won’t open and/or share the file?
Unfortunately, these things happen and when they do, you need to follow the necessary process to ensure that the university does not get into trouble.
So, what is Personal Identifying Information?
Good question. Personal Identifying Information (PII) refers to any information that can be used to identify an individual. This includes, but is not limited to:
- Contact information (e.g. home address, telephone numbers, email addresses)
- Demographics (e.g. age, race, gender, relationship status)
- ID and passport numbers
- Tax details
- Banking details
Through the Protection of Personal Information Act (POPIA), we all have a responsibility to protect the sensitive information that we have access to. This includes not sharing any information that could be classified as PII, or your login details that would give external individuals unauthorised access to our systems and services.
Remember, if your details are associated with any suspicious activity, you will be held liable as it is your responsibility to keep your UCT details secure.
Accidents happen and these must be reported
If you accidentally share PII or are aware of such information being leaked, you must inform the UCT Computer Security Incident Response Team (CSIRT) as a matter of urgency. Send an email to firstname.lastname@example.org and provide a detailed description of the incident.
The team will conduct the necessary investigations and then provide their findings to the UCT Executive, who will then determine what steps must be taken – as was the case in a recent cybersecurity incident.
How do I learn about UCT’s approach to POPIA?
To learn about POPIA at UCT, read this article: https://uct.ac.za/protection-personal-information-act-popia
Should you have a question regarding POPIA at UCT, please send an email to email@example.com.