Guidelines for call centres on preparing for POPI

According to the CCMG, there are close to 1900 call centres in South Africa, with 21% of corporate/captive call centres and 40% of outsource call centres dedicated to outbound sales and telemarketing. Jana van Zyl from Dommisse Attorneys foresees that call centres will need to review their current business operations: "Very simplistically put, the bill will change how call centres use, share and retain their customers' and prospects' information. This will include operations for specific campaigns on behalf of clients."

Effects of the bill

In terms of POPI, companies responsible for the use of personal information are obliged to secure the personal information of their customers and prospects or their clients' customers or prospects (depending on whether it is an in-house call centre or a third party service provider). This means that call centres have to log, store and transfer personal information securely. Third-party suppliers to call centres with access to the personal information, for example third parties that provide IT support services to call centres, will have to enter into formal, written agreements to regulate the relationship and would have to implement security measures accordingly.

"There are physical security measures as well as technical security measures which need to be addressed. Access control, for example, is crucial. This process in its basic form will mean that companies will need to implement formal policies to regulate access to the network, or the control rooms through a key or tag. Technical security measures should be implemented in accordance with internationally accepted standards. All personal information that qualifies for protection in terms of POPI needs to be protected using technical means. These may for example include encryption, firewalls, antivirus, back-ups, disk encryption for mobile hard drives and devices," says Van Zyl. "If there is a breach of data - even if you can hold your IT Service Provider accountable contractually - it will still not rid you of your own responsibilities and accountability towards the individual under the law. Ultimately you will remain responsible if you are the 'Responsible Party' in terms of the law."

Bruce von Maltitz, director of 1Stream, a hosted call center technology provider says that although hosted service providers cannot advise call centers on whether or not they are compliant from a legal perspective, they are able to provide expert advice on crucial technical aspects, such as data storage and encryption. Hosted providers are also able to relieve some of the implementation headaches surrounding compliance, and are much better suited to securing sensitive information than call centre managers themselves.

"Cloud-based suppliers tend to have better security systems and processes in place than a private call center would typically have, particularly small or mid-sized operators," Von Maltitz states. "By operating in the cloud, we have access to economies of scale that allows us to buy the best systems available, and we assume responsibility for management of those systems."

Reasonable measures

The law also states that the responsibility rests with the "Responsible Party" to prove or disprove the claims made against them. It is therefore imperative that the call centre must be able to prove that they have implemented "reasonable organisational measures". This would include a set of business processes that the firm would have to follow to ensure that they have, to be the best of their ability, protected the confidentiality, integrity and availability of information at all times.

Von Maltitz emphasises that making use of a hosted provider simply enables you to buy the services you need to keep your operations running financially effectively, and securely. "Our job has always been, in a nutshell, to keep data safe and services running optimally. Your data stays your own, but the burden of technical maintenance is taken away from you. It's like making use of a bank - your money is less safe under the bed than in a bank account. If you make use of a bank, there are benefits. We're still in control of our money - but it's easier and more convenient because the burden of protecting and managing it lies with a 3rd party."

POPI states that call centers are also obliged to only use information for the purposes for which it was collected. "For example, if a person signed up for a specific campaign only, and the call centre collected the data to use for that campaign only, the person should not be contacted for a different campaign. Going forward if someone only opted in to receive SMS communication, the call centre should use that channel and that channel only. This principle will be supported by the Consumer Protection Act's national opt-out register (once in operation). In terms of POPI, a person also has a right to obtain a copy of the record of personal information that a call center might have on him, and if the company is not by law entitled to have that information, they may ask for it to be deleted," says Von Maltitz.

Moreover, companies will need to disclose security breaches, for example where personal information has been hacked or lost. Van Zyl cites that in the UK a fine was imposed where sensitive information was sent to the wrong person: "This is something that can easily happen: you intend to send the information to John X and you send it to John Y." In terms of POPI you will need to pay caution for this not to happen. Another reported incident was a laptop being lost with personal information not encrypted. "In general in South Africa companies do not always have the mind-set that the above examples are really problematic. POPI will change that mind-set," says Van Zyl.

Von Maltitz advises call centers not to attempt to run their own security, but to rather partner with a consultative hosted provider. "The levels of service we provide under an SLA are invariably better than what a business can offer to itself," says Von Maltitz. "For example, we can offer encrypted voice recordings stored in secure archives that are properly backed up and provide a full audit trail. Some companies we have seen who do it in-house rely on a server in the corner of the office that's recording WAV files that anyone can access - and that is in complete contravention of the Act."

Consequences of non-compliance

Companies who are not compliant with the Act may face fines of up to R10 million, as well as civil action. "If a person feels that their right to privacy has been breached, they can take action against the company," says Van Zyl.

Van Zyl advises that companies should start taking steps immediately to prepare for POPI. "There is no quick fix for POPI compliance," says Van Zyl. "Start by meeting with an attorney that specialises in privacy law. Companies should complete a GAP analysis and start implementing action plans based on unique organisational needs in order to ensure compliance with POPI."

For more information, go to www.dommisseattorneys.co.za or www.1stream.co.za.