
Start taking steps now for POPI enactment

According to the Contact Centre Management Group, there are close to 1900 call centres in South Africa, with 21% of corporate/captive call centres and 40% of outsource call centres dedicated to outbound sales and telemarketing.

All of these will need to be compliant by year-end, ahead of the scheduled enactment of the Protection of Personal Information (POPI) Bill, or face legal repercussions.

Jana van Zyl from Dommisse Attorneys foresees that call centres will need to review their current business operations. "Very simplistically put, the bill will change how call centres use, share and retain their customers' and prospects' information. This will include operations for specific campaigns on behalf of clients."

In terms of POPI, companies responsible for the use of the personal information are obliged to secure the personal information of their customers and prospects or their clients' customers or prospects (depending on whether it is an in-house call centre or a third party service provider).

This means that call centres have to log, store and transfer personal information securely. Third-party suppliers to call centres with access to the personal information, for example third parties that provide IT support services to call centres, will have to enter into formal, written agreements to regulate the relationship and would have to implement security measures accordingly.

Physical and technical security measures

"There are physical security measures and technical security measures that need to be addressed. Access control, for example, is crucial. This process in its basic form will mean that companies will need to implement formal policies to regulate access to the network, or the control rooms through a key or tag.

Technical security measures should be implemented in accordance with internationally accepted standards. All personal information that qualifies for protection in terms of POPI needs to be protected using technical means. These may for example include encryption, firewalls, antivirus, back-ups, disk encryption for mobile hard drives and devices," says Van Zyl.

"If there is a breach of data - even if you can hold your IT service provider contractually accountable - it will still not rid you of your own responsibilities and accountability towards the individual under the law. Ultimately you will remain responsible if you are the 'Responsible Party' in terms of the law."

Hosted providers provide some security

Bruce von Maltitz, director of 1Stream, a hosted call centre technology provider, says that although hosted service providers cannot advise call centres on whether or not they are compliant from a legal perspective, they are able to provide expert advice on crucial technical aspects, such as data storage and encryption. Hosted providers are also able to relieve some of the implementation headaches surrounding compliance and are much better suited to securing sensitive information than call centre managers themselves.

"Cloud-based suppliers tend to have better security systems and processes in place than a private call centre would typically have, particularly small or mid-sized operators," he states. "By operating in the cloud, we have access to economies of scale that allows us to buy the best systems available, and we assume responsibility for management of those systems."

Taking reasonable care

The law also states that the responsibility rests with the 'Responsible Party' to prove or disprove the claims made against them. It is therefore imperative that the call centre must be able to prove that it has implemented 'reasonable organisational measures'. This would include a set of business processes that the firm would have to follow to ensure that it has - to the best of its ability - protected the confidentiality, integrity and availability of information at all times.

Von Maltitz emphasises that making use of a hosted provider simply enables one to buy the services one needs to keep one's operations running financially, effectively and securely. Its job has always been to keep data safe and services running optimally. One's data stays one's own, but the burden of technical maintenance is taken away from one.

It is like making use of a bank - one's money is less safe under the bed than in a bank account. If one makes use of a bank, there are benefits. One is still in control of one's money - but it's easier and more convenient because the burden of protecting and managing it lies with a third party.

Call centres' obligations

POPI states that call centres are also obliged to use information only for the purposes for which it was collected. For example, if a person signed up for a specific campaign only, and the call centre collected the data to use for that campaign only, the person should not be contacted for a different campaign. Going forward, if someone only opted in to receive SMS communication, the call centre should use that channel and that channel only.

This principle will be supported by the Consumer Protection Act's national opt-out register (once in operation). In terms of POPI, a person also has a right to obtain a copy of the record of personal information that a call centre might have on him or her and, if the company is not by law entitled to have that information, may ask for it to be deleted.
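As an added illustration (not code from the article, Dommisse Attorneys or 1Stream), the following Python sketch shows how a call centre's dialling or messaging system can enforce the obligations just described in code rather than by policy alone: a contact is allowed only for the campaign the person consented to, only over the channel they opted in to, and never to a number on the national opt-out register; the person can obtain a copy of their record, and can have it deleted unless the company records a legal basis for keeping it. Every decision is written to an audit trail so the firm can later show what it did. All names (ConsentLedger, may_contact, the sample people and phone numbers) are invented here for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Record:
    """One person's personal information as held by a call centre (constructed sample shape)."""
    subject_id: str
    name: str
    phone: str
    # campaign name -> set of channels the person opted in to for that campaign only
    consents: dict = field(default_factory=dict)
    # a non-consent legal basis that entitles the company to keep the record, if any
    legal_basis: Optional[str] = None


class ConsentLedger:
    """Holds records and answers 'may we contact this person?', keeping an audit trail."""

    def __init__(self, opt_out_register):
        self._records = {}
        self._opt_out = set(opt_out_register)  # numbers on the national opt-out register
        self.audit = []  # every decision is logged as evidence of 'reasonable measures'

    def _log(self, event, subject_id, **details):
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "subject_id": subject_id,
            **details,
        })

    def add(self, record: Record):
        self._records[record.subject_id] = record
        self._log("record_added", record.subject_id, campaigns=sorted(record.consents))

    def may_contact(self, subject_id, campaign, channel):
        """Return (allowed, reason). Denies unless both purpose and channel were consented to."""
        rec = self._records.get(subject_id)
        if rec is None:
            reason = "no record held for this person"
        elif rec.phone in self._opt_out:
            reason = "number is on the national opt-out register"
        elif campaign not in rec.consents:
            reason = f"no consent for campaign {campaign!r}"
        elif channel not in rec.consents[campaign]:
            reason = f"channel {channel!r} not opted in for campaign {campaign!r}"
        else:
            reason = "consent on file for this campaign and channel"
        allowed = reason.startswith("consent on file")
        self._log("contact_check", subject_id, campaign=campaign, channel=channel,
                  allowed=allowed, reason=reason)
        return allowed, reason

    def subject_access(self, subject_id):
        """Copy of everything held on the person (the right of access); None if nothing."""
        rec = self._records.get(subject_id)
        self._log("subject_access", subject_id, found=rec is not None)
        if rec is None:
            return None
        return {
            "name": rec.name,
            "phone": rec.phone,
            "consents": {c: sorted(ch) for c, ch in rec.consents.items()},
            "legal_basis": rec.legal_basis,
        }

    def request_deletion(self, subject_id):
        """Delete the record unless a stated legal basis entitles the company to keep it."""
        rec = self._records.get(subject_id)
        if rec is None:
            self._log("deletion_request", subject_id, outcome="no record")
            return False
        if rec.legal_basis:
            self._log("deletion_request", subject_id, outcome="refused",
                      legal_basis=rec.legal_basis)
            return False
        del self._records[subject_id]
        self._log("deletion_request", subject_id, outcome="deleted")
        return True


def build_sample_ledger():
    """Constructed sample data: three people, one campaign each, one number opted out."""
    ledger = ConsentLedger(opt_out_register={"+27000000003"})  # constructed number
    ledger.add(Record("s1", "Person One", "+27000000001",
                      consents={"winter-promo": {"sms"}}))
    ledger.add(Record("s2", "Person Two", "+27000000002",
                      consents={"winter-promo": {"voice", "sms"}},
                      legal_basis="active contract"))
    ledger.add(Record("s3", "Person Three", "+27000000003",
                      consents={"winter-promo": {"voice"}}))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.may_contact("s1", "winter-promo", "sms"))    # allowed
    print(ledger.may_contact("s1", "winter-promo", "voice"))  # channel not opted in
    print(ledger.may_contact("s1", "summer-promo", "sms"))    # different campaign
    print(ledger.may_contact("s3", "winter-promo", "voice"))  # on opt-out register
    print(ledger.request_deletion("s2"), ledger.request_deletion("s1"))
```

The check is deny-by-default: a missing record, a missing campaign consent and a missing channel consent are all refusals with a stated reason, and that reason is what lands in the audit trail. Deletion refuses only when the record carries an explicit legal basis, mirroring the article's "not by law entitled to have that information" condition.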

Moreover, companies will need to disclose security breaches, for example, where personal information has been hacked or lost. Van Zyl cites that in the UK a fine was imposed where sensitive information was sent to the wrong person.

"This is something that can easily happen: one intends to send the information to John X and one sends it to John Y." In terms of POPI, one will need to take care to ensure this does not happen. Another reported incident was a laptop being lost with personal information that was not encrypted. "In South Africa, companies generally do not always have the mind-set that the above examples are critical. POPI will change that mind-set."

Von Maltitz advises call centres not to attempt to run their own security, but rather to collaborate with a consultative hosted provider. "The levels of service provided under an SLA are invariably better than what a business can offer itself. For example, the company can offer encrypted voice recordings stored in secure archives that are properly backed up and provide a full audit trail. Some companies we have seen, who do it in-house, rely on a server in the corner of the office that's recording WAV files that anyone can access - and that is in complete contravention of the Act."

Repercussions, remedy

Companies who are not compliant with the Act may face fines of up to R10 million - as well as civil action. "If a person feels that his or her right to privacy has been breached, he or she can take action against the company."

Van Zyl advises that companies should start taking steps immediately to prepare for POPI. "There is no quick fix for POPI compliance. Start by meeting with an attorney that specialises in privacy law. Companies should complete a gap analysis and start implementing action plans based on unique organisational needs in order to ensure compliance with POPI."
