Protection of Personal Information Act (PoPIA) Compliance Report

This report lists the Protection of Personal Information Act (PoPIA) compliance issues found in your application. Many web application vulnerabilities can lead to a breach of personal information, directly or indirectly, and may therefore constitute a violation of the regulation.

Summary

The Protection of Personal Information Act (PoPIA), Act 4 of 2013, is South Africa's data protection and privacy law. It was signed into law on 19 November 2013 and gives effect to the right to privacy in section 14 of the Constitution of South Africa. It works alongside the Promotion of Access to Information Act (PAIA), and both are overseen by the independent Information Regulator, which is responsible for ensuring PoPIA compliance in the public and private sectors.

Jurisdiction

The PoPI Act applies to the processing of personal information by any responsible party domiciled in South Africa, and to responsible parties domiciled elsewhere that process personal information using automated or non-automated means located in South Africa (section 3). It protects the personal information of every data subject so processed, regardless of citizenship or immigration status, so visitors and undocumented immigrants are covered.

Compliance penalties

Violations of this act can lead to criminal penalties (fines or imprisonment) and to administrative fines. Offences under sections 100, 103(1), 104(2), 105(1), or 106(1), (3) or (4) carry a fine, imprisonment of up to 10 years, or both; offences under sections 59, 101, 102, 103(2), or 104(1) carry a fine, imprisonment of up to 12 months, or both (section 107). In addition, the Information Regulator may impose an administrative fine of up to R10 million for non-compliance (section 109).

Compliance required by

The Protection of Personal Information Act (PoPIA) became effective on 1 July 2020 and introduced a one-year grace period for all South African entities to comply with its requirements. The grace period ended on 30 June 2021, with the act taking full effect on 1 July 2021.

AppScan and the PoPI Act

Section 19 (Condition 7, Security Safeguards, in Chapter 3 of the PoPI Act) requires that personal information be protected by appropriate, reasonable technical and organizational security measures. The responsible party must have due regard to generally accepted information security practices and procedures, including any required by its industry or profession.

AppScan maps its findings to the ISO/IEC 27001 information security framework to assess how well data security controls have been implemented. It detects web application vulnerabilities that indicate an ISO/IEC 27001 control is implemented improperly or not at all, which in turn points to a potential violation of Section 19 (Condition 7) of the PoPI Act. The control identifiers in Table 1 (A.6.2.1, A.11.5.5, and so on) follow the Annex A numbering of ISO/IEC 27001:2005; the 2013 and 2022 editions renumber these controls. A scan finding is evidence that a safeguard is missing or weak, not proof of non-compliance, and a clean scan does not by itself demonstrate compliance: several Section 19 duties (risk identification, regular verification, organizational measures) are not observable from an application's external behaviour.

Table 1. Issues detected across 28/31 sections of the regulation (PoPIA sections and the ISO/IEC 27001 controls they map to):

Section    Description
Chapter 3, Condition 7 - Sec. 19.1.a

A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent loss of, damage to, or unauthorized destruction of personal information.

Chapter 3, Condition 7 - Sec. 19.1.b

A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent unlawful access to or processing of personal information.

Chapter 3, Condition 7 - Sec. 19.2.a

The responsible party must take reasonable measures to identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.

Chapter 3, Condition 7 - Sec. 19.2.b

The responsible party must take reasonable measures to establish and maintain appropriate safeguards against the risks identified.

Chapter 3, Condition 7 - Sec. 19.2.c

The responsible party must take reasonable measures to regularly verify that the safeguards are effectively implemented.

Chapter 3, Condition 7 - Sec. 19.2.d

The responsible party must take reasonable measures to ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Chapter 3, Condition 7 - Sec. 19.3

The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

ISO Control A.6.2.1

The risks to the organization's information and information processing facilities from business processes involving external parties should be identified and appropriate controls implemented before granting access.

ISO Control A.6.2.2

All identified security requirements shall be addressed before giving customers access to the organization's information or assets.

ISO Control A.8.3.3

The access rights of all employees, contractors, and third-party users to information and information processing facilities should be removed upon termination of their employment, contract or agreement or adjusted upon change.

ISO Control A.10.3.1

The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

ISO Control A.10.8.1

Formal exchange policies, procedures, and controls should be in place to protect the exchange of information through the use of all types of communication facilities.

ISO Control A.10.9.1

Information involved in electronic commerce passing over public networks shall be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.

ISO Control A.10.9.2

Information involved in online transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication, or replay.

ISO Control A.10.9.3

The integrity of information being made available on a publicly available system should be protected to prevent unauthorized modification.

ISO Control A.11.2.2

The allocation and use of privileges should be restricted and controlled.

ISO Control A.11.2.3

The allocation of passwords should be controlled through a formal management process.

ISO Control A.11.2.4

Management should review users' access rights at regular intervals using a formal process.

ISO Control A.11.4.2

Appropriate authentication methods should be used to control access by remote users.

ISO Control A.11.5.2

All users should have a unique identifier for their personal use only, and a suitable authentication technique should be chosen to substantiate the claimed identity of a user.

ISO Control A.11.5.5

Inactive sessions should shut down after a defined period of inactivity.

ISO Control A.11.5.6

Restrictions on connection times should be used to provide additional security for high-risk applications.

ISO Control A.11.6.1

Access to information and application system functions by users and support personnel should be restricted in accordance with the defined access control policy.

ISO Control A.12.2.1

Data input to applications should be validated to ensure that this data is correct and appropriate.

ISO Control A.12.2.2

Validation checks should be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.

ISO Control A.12.2.3

Requirements for ensuring authenticity and protecting message integrity in applications should be identified and appropriate controls identified and implemented.

ISO Control A.12.3.1

A policy on the use of cryptographic controls for the protection of information should be developed and implemented.

ISO Control A.12.4.3

Access to program source code should be restricted.

ISO Control A.12.5.4

Opportunities for information leakage should be prevented.

ISO Control A.15.1.3

Important records should be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

ISO Control A.15.1.4

Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.
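Two of the controls in Table 1, A.11.5.5 (inactive sessions shut down after a defined period) and A.11.5.6 (connection-time restrictions), describe an outcome rather than a mechanism, and a scanner can only infer them from observed session behaviour. The following example is added here and is not part of the AppScan report, the standard, or the Act; it shows one server-side way to implement both in Python. Sessions expire after an idle period and after an absolute lifetime, and can additionally be refused outside an allowed window of UTC hours. The timeout values, the FakeClock helper, and the allowed-hours policy are assumptions chosen for the illustration.

```python
"""Server-side session store with an idle timeout and an absolute lifetime,
plus an optional allowed-hours window.

Constructed illustration of the mechanisms behind ISO/IEC 27001:2005
controls A.11.5.5 (idle session shutdown) and A.11.5.6 (connection-time
restrictions).  The timeout values, the clock injection and the
allowed-hours policy are assumptions for the example, not anything
AppScan or PoPIA prescribe.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # assumed policy: 15 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed policy: 8 hours regardless of activity


@dataclass
class Session:
    user: str
    created: float    # epoch seconds when the session was issued
    last_seen: float  # epoch seconds of the last validated request


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1_700_000_000.0):  # 2023-11-14 22:13:20 UTC
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionStore:
    def __init__(self, clock=time.time, idle_timeout=IDLE_TIMEOUT,
                 absolute_timeout=ABSOLUTE_TIMEOUT, allowed_hours=None):
        self._clock = clock
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        # allowed_hours: iterable of UTC hours (0-23) during which sessions may
        # be used, or None for no connection-time restriction (A.11.5.6).
        self.allowed_hours = None if allowed_hours is None else set(allowed_hours)
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Index sessions by a hash of the token so a leaked store dump does
        # not hand out usable session identifiers.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: str):
        """Return the session's user if it is live, else None.

        Idle and absolute expiry delete the session, so a later request with
        the same token cannot revive it.  An out-of-hours request is refused
        but leaves the session intact, since it may be usable again later.
        """
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._clock()
        if (now - session.last_seen > self.idle_timeout
                or now - session.created > self.absolute_timeout):
            del self._sessions[key]
            return None
        if self.allowed_hours is not None:
            if time.gmtime(now).tm_hour not in self.allowed_hours:
                return None
        session.last_seen = now  # activity resets only the idle clock
        return session.user

    def destroy(self, token: str) -> None:
        """Explicit logout; the token is unusable afterwards."""
        self._sessions.pop(self._key(token), None)


def demo() -> list:
    """Walk one session through the idle-timeout boundary."""
    clock = FakeClock()
    store = SessionStore(clock=clock, idle_timeout=900, absolute_timeout=3600)
    token = store.create("alice")
    results = [store.validate(token)]        # live
    clock.advance(899)
    results.append(store.validate(token))    # still inside the idle window
    clock.advance(901)
    results.append(store.validate(token))    # idle timeout exceeded, deleted
    results.append(store.validate(token))    # stays expired
    return results


if __name__ == "__main__":
    print(demo())
```

The idle clock resets only on a validated request, so a session that a user walks away from dies after `idle_timeout` no matter how long ago it was issued, while `absolute_timeout` caps how long a stolen token stays useful even under continuous replay. Cookie attributes such as `Secure` and `HttpOnly`, and regenerating the token on privilege change, are separate measures this store does not cover.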