Why choose the IT Governance Network?

Global leaders in the design and implementation of IT governance frameworks and mechanisms.

More than 10 years' experience in the protection of personal information (POPIA).

Consulting services, software solutions and a wide range of training available.

POPIA Compliance Framework and Monitoring System

The Protection of Personal Information Act is technical and complex: it requires a wide range of technical and organisational measures to be implemented to protect the rights of natural and juristic persons to privacy. To ensure compliance, the Information Regulator requires all organisations to develop and implement a compliance framework so that they can effectively monitor the protection afforded to natural and juristic persons.

A functionally rich POPIA Compliance Framework and Monitoring System helps small and large organisations achieve POPIA compliance effectively and efficiently. It enables organisations to jump-start their POPIA programme by implementing an international-standards-based POPIA compliance framework.


Training

To download a demonstration copy of the IT Governance assessment tool for use with King IV, first register on this website in the top right-hand corner. Once registered, a link on the left-hand menu will display the download option.

To learn more about the assessment and the requirements of each domain, attend one of our IT Governance seminars. Details of the training schedule are available on the SEMINAR SCHEDULE at the top of screen.  

Description of the Role of Information Officers Course

OVERVIEW

The Protection of Personal Information Act requires that the heads of public bodies and CEOs of private bodies register with the Information Regulator the postal and street address, phone and fax number and, if available, electronic mail address of their Information Officers and any Deputy Information Officers, so that data subjects and the Information Regulator may contact these individuals regarding access to information and compliance with the conditions for lawful processing of personal information set out in the Protection of Personal Information Act.

The purpose of this seminar is to assist Information Officers and Deputy Information Officers in understanding their role and responsibilities in terms of the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act, including the extended duties and responsibilities contained in the Regulations issued by the Information Regulator.

It is the responsibility of the “Information Officer” to encourage the organisation’s responsible parties to process personal information lawfully and in a reasonable manner that does not infringe the constitutional rights of individuals to privacy. Processing of personal information must comply with the eight conditions imposed by the Protection of Personal Information Act. The Information Regulator has extended the responsibilities of the Information Officer to include ensuring a Compliance Framework is developed, implemented and monitored. 

SEMINAR OBJECTIVES

Participants will receive an overview of the POPI Act and obtain a specific understanding of the role and responsibilities of the “Information Officer”.

On completion of this seminar, participants will be able to:

  • Articulate the significance of the Protection of Personal Information Act
  • Demonstrate an understanding of the duties and responsibilities of information officers
  • Describe the role, responsibilities and legal obligations of the responsible parties
  • Describe the roles and the responsibilities of the other parties concerned about the processing of personal information
  • Develop and implement a Compliance Framework
  • Explain the conditions for the lawful processing of personal information
  • Communicate the conditions for the lawful processing of personal information contained therein.

SEMINAR OUTLINE

Participants will learn through discussion and practical examples about the role of an Information Officer, the requirements of the Promotion of Access to Information Act and the Protection of Personal Information Act. Participants will discuss the issues that an Information Officer is expected to deal with in the course of discharging his/her responsibilities.

This seminar includes topics about:

  • Registering Information Officers with the Information Regulator
  • The duties and responsibilities of the Information Officer
  • Designation and delegation to Deputy Information Officers
  • Implications of the Companies Act 2008 for Information Officers
  • How to differentiate between personal information, special personal information and other data
  • Important content of the PAIA manual
  • The preparations required prior to updating the PAIA information manual about the processing of personal information
  • PAIA manual exemptions
  • Availability of the PAIA manual
  • Guidance available from the Information Regulator
  • Documentation to be prepared prior to the processing of personal information
  • Processing details to be maintained in the PAIA manual
  • Records available in accordance with other legislation
  • The Conditions for the lawful processing of personal information
  • Implications of the Conditions for lawful processing of personal information for business activities
  • Assistance that can be expected from the Information Regulator
  • Working with the Information Regulator to conduct investigations
  • Dealing with requests from Data Subjects
  • Ensuring compliance with the provisions of the POPI Act
  • Making use of a Compliance Framework
  • Handling requests for access to information
  • Receipt of complaints by information officers
  • Informing information officers prior to pre-investigation procedures
  • Requests to the Regulator by Information Officers to make an Assessment in the manner prescribed of whether the body complies with the provisions of the Act insofar as its policies and procedures are concerned
  • Information Notice served on an Information Officer
  • Enforcement Notice served on an Information Officer
  • Non-compliance with an Enforcement Notice by an information officer
  • Applications to Court regarding decisions of information officers
  • Examples from industry – local and international
  • An Action Plan for Information Officers
  • The job description of an information officer.

Description of the King IV - Information and Technology Governance course

King IV defines South Africa’s requirements for information and technology governance. The King IV Principle 12 recommends practices for the governance of information and technology that align with governance principles and governance outcomes. COBIT® is an IT governance and management framework from ISACA. It provides practical guidance for the implementation of IT governance in accordance with King IV.

Governance systems should be designed to reinforce and govern a holistic and inter-related set of arrangements that can be understood and implemented in an integrated manner using organisational structures, processes and ethical, conscious behaviour.

SEMINAR OBJECTIVES

This seminar will assist participants in understanding the King IV requirements for information and technology governance and in learning how to improve their current capability to govern technology and information.

On completion of this seminar, participants will be able to:

  • Demonstrate an understanding of the King IV corporate governance framework and the applicable principles and practices for information and technology governance
  • Articulate a plan of action to address the requirements of King IV and assist the Board and CIO in fulfilling their governance responsibilities as set out in King IV
  • Design and implement a governance framework and management system for the information and technology governance practices of King IV
  • Develop an accountability framework
  • Perform reviews and report on the information and technology governance framework.

COURSE CONTENT

  • The role of the board and CIO in governing the way information and technology supports the organisation
  • Developing policy for the articulation of strategic direction and adoption of appropriate standards and frameworks
  • Implementing policy for enterprise-wide information and technology management, long and medium-term decision-making and day-to-day operations
  • Techniques for establishing adequacy and effectiveness of information and technology management
  • Governance of cyber-security risk and opportunity
  • Performing formal reviews of the adequacy and effectiveness of an organisation’s information and technology function
  • Minimum requirements for the disclosure of structures and processes for information and technology management.

Description of the Obligations of responsible Parties Course

OVERVIEW

The Protection of Personal Information Act has been finalised. Heads of public bodies, CEOs of private bodies and the business leaders identified as “responsible parties” who control the purpose and means of processing information are required to ensure compliance with the conditions for the lawful processing of personal information set out in the Act.

Business leaders and information officers who fail to fulfil their obligations defined in this Act may be charged with a criminal offence and face civil claims for damages.

It is the responsibility of the “Responsible Parties” identified by the CEO and listed in the PAIA manual to ensure that personal information is processed lawfully and in a reasonable manner that does not infringe the constitutional rights of individuals to privacy. Processing of personal information must comply with the obligations imposed by law, and the processing must be necessary for the legitimate interests of the body.

SEMINAR OBJECTIVES

Participants will obtain a general understanding of the legal obligations placed on “Responsible Parties”. On completion of this seminar, participants will be able to:

  • Articulate the requirements of the Protection of Personal Information Act
  • Demonstrate an understanding of the conditions for the lawful processing of personal information
  • Describe the role, responsibilities and legal obligations of the responsible parties
  • Describe the roles and the responsibilities of the other parties concerned about the processing of personal information
  • Communicate the design of a suitable compliance framework
  • Identify the effort required to meet the requirements of the Protection of Personal Information Act and the conditions for the lawful processing of personal information contained therein.

SEMINAR OUTLINE

Participants will learn through discussion and practical examples how to prepare for and address the obligations placed on responsible parties by the Protection of Personal Information Act.

This seminar includes topics about:

  • Recording details about Responsible Parties in the PAIA Manual
  • The duties of the Responsible Party
  • Implications of the Companies Act 2008
  • Controlling the activities of Operators
  • How to differentiate between personal and other data
  • The preparations required prior to updating the PAIA information manual about the processing of personal information
  • Mitigating risks
  • Documentation to be prepared prior to the processing of personal information
  • Processing details to be maintained in the PAIA manual
  • Designing a compliance framework
  • Communicating with data subjects
  • Implications of the conditions for lawful processing of personal information for business activities
  • Working with the Information Regulator
  • Working with the Information Officer
  • The role of Risk Management and Compliance
  • Trans-border exchanges of personal data
  • Consequences of failing to comply
  • Challenges – collection, profiling, cross-marketing, unstructured data, third party processing, secondary use
  • Case studies from industry – local and international
  • An Action Plan to fulfil the obligations of Responsible Parties.

Description of the King IV - Compliance Governance course

King IV defines South Africa’s requirements for compliance governance. The King IV Principle 13 recommends 8 practices for compliance governance that align with governance principles and governance outcomes. The recommended practices include strategic direction and policy on compliance from the governing body and the adoption of the appropriate standards and framework to give effect to the policy.

King IV recommends that the governing body delegate to management responsibility for implementing policy on enterprise-wide compliance management and for embedding it into day-to-day, medium- and long-term decision making, activities and culture. The governing body is to oversee management of compliance with laws and adherence to non-binding rules, codes and standards.

King IV requires practices that align with principles, and principles that align with governance outcomes. Governance systems should be designed to reinforce and govern a holistic and inter-related set of arrangements that can be understood and implemented in an integrated manner using organisational structures, processes and ethical, conscious behaviour.

ISO 19600 is an international standard that provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organization.

ISO 19600 requires that the governing body and top management demonstrate leadership and commitment with respect to the compliance management system by: establishing and upholding the core values of the organization; ensuring that the compliance policy and compliance objectives are established and are consistent with the values, objectives and strategic direction of the organization; and ensuring that policies, procedures and processes are developed and implemented to achieve the compliance objectives.

SEMINAR OBJECTIVES

This seminar will assist participants in understanding the King IV requirements for compliance governance and in learning how to improve their current capability to fulfil compliance obligations and achieve compliance objectives.

On completion of this seminar, participants will be able to:

  • Demonstrate an understanding of the King IV corporate governance framework and the applicable principles and practices for compliance governance
  • Articulate a plan of action to address the requirements of King IV and assist the governing body and top management in fulfilling their compliance governance responsibilities as set out in King IV
  • Design and implement a compliance governance framework and management system using the guidance of ISO 19600
  • Develop a suitable accountability framework, organisational structures, policies, processes and practices
  • Perform reviews and report on the compliance governance framework.

COURSE CONTENT

  • The role of the board and top management in governing how compliance supports the organisation
  • Developing policy for the articulation of strategic direction and adoption of appropriate standards and frameworks
  • Implementing policy for enterprise-wide compliance management, long and medium-term decision-making and integration into day-to-day operations
  • Managing compliance with laws and adherence to non-binding rules, codes and standards
  • Mechanisms for monitoring and assessing adequacy and effectiveness of compliance
  • Undertaking formal reviews of the adequacy and effectiveness of the organisation’s compliance function.

Description of the Complying with the Act Course

OVERVIEW

The Protection of Personal Information Act has been finalised. All public and private bodies are required to record their processing of personal information in their PAIA Information Manual prior to actually processing it.

All public and private bodies are required to ensure that the processing of personal information is lawful and that personal information in their possession is always secure. Failure to do so will have serious consequences and may result in criminal proceedings and civil claims for damages.

The Protection of Personal Information Act specifies eight conditions for the lawful processing of personal information. Regardless of whether the organisation is a large corporate, government department, school or research organisation, it will have to ensure that the processing of personal information is lawful and all personal data in its possession is properly acquired, secured and destroyed when obsolete.

SEMINAR OBJECTIVES

Participants will obtain an understanding of the legislative requirements for the processing of personal Information. On completion of this seminar, participants will be able to:

  • Demonstrate an understanding of the requirements of the Protection of Personal Information Act
  • Communicate the key aspects of the Protection of Personal Information Act
  • Articulate the activities necessary to address the legal requirements for the Protection of Personal Information
  • Clarify the roles and responsibilities of all parties required to be involved in the protection of personal information
  • Develop a compliance framework for the protection of personal information
  • Update the PAIA information manual
  • Perform a privacy impact assessment
  • Manage the privacy initiative in their organisation.

SEMINAR OUTLINE

Participants will learn through discussion and practical examples how to prepare for and address the organisational, procedural, technical and legal requirements of the legislation for the Protection of Personal Information.

This seminar includes topics about:

  • Overview and key components of the Protection of Personal Information Act
  • Accountability for the processing of personal information
  • Conditions for lawful processing of personal information
  • Identifying personal information and the category of special personal information
  • Processing that is subject to prior authorisations
  • Trans-border exchanges of personal data
  • Developing a Privacy Policy and educating staff
  • Conducting a Privacy Impact Assessment
  • Contracting with Operators and verifying compliance
  • Developing a compliance framework
  • Building capability to manage Privacy
  • Privacy by Design
  • Managing information throughout its life-cycle
  • The responsibilities of the CEO, the appointed “responsible parties” and appointed “information officer”
  • Records to be maintained in the PAIA information manuals regarding the processing of personal information
  • Handling requests for information and complaints from data subjects
  • The role and responsibilities of the Information Officer
  • The role of the Information Regulator
  • Assessments undertaken by the Information Regulator
  • Civil remedies, enforcement and criminal offences
  • The information security requirements
  • The need for records management and a legal register
  • Maintaining the information quality of personal data
  • Avoiding secondary use and unlawful processing
  • Developing an Action Plan to address the requirements for the lawful processing of personal information.

View the SEMINAR SCHEDULE at the top of this page for details of these King IV courses.

Description of the POPI Act Overview Course

This course provides delegates with an overview of the new Protection of Personal Information legislation and the significant obligations placed on those business leaders identified as the “responsible parties” and “information officers”. All public and private bodies will be affected by the requirements of this legislation. Various technical and organisational arrangements will be necessary.

The collection of personal information must be for a specifically defined, lawful purpose related to a function of the responsible party. The processing of data must be for a legitimate purpose. Data subjects must be aware of the collection of the data. Adequate business controls are required to maintain data integrity, and information security must meet international standards. Data must be retained only for as long as necessary, and then it must be destroyed.

SEMINAR OBJECTIVES

Participants will obtain an overview of the Protection of Personal Information Act and its implications. On completion of this seminar, participants will be able to: 

  • Articulate the requirements of the Protection of Personal Information Act
  • Demonstrate an understanding of the conditions for the lawful processing of personal information
  • Identify the technical and organisational measures necessary for protecting personal information
  • Describe the various roles and the responsibilities of the personnel who should be concerned about the protection of personal information
  • Identify the effort required to meet the requirements of the Protection of Personal Information Act and the conditions for the lawful processing of personal information contained therein.

SEMINAR OUTLINE

Participants will learn through discussion and practical examples how to address the organisational, procedural, technical and legal requirements for the Protection of Personal Information.

This seminar includes topics about:

  • Overview of the legislation for the Protection of Personal Information
  • The duties of the Responsible Party and Information Officer
  • The role of Risk Management and Compliance
  • Working with the Regulator
  • Communicating with data subjects
  • The eight conditions for the lawful processing of personal information
  • How to differentiate between personal and other data
  • How to update the PAIA manual and what records to keep about the processing of personal information
  • Identifying and mitigating privacy related risks
  • Identifying the organisational and technical arrangements necessary for the protection of personal information
  • Controlling the activities of Operators
  • Trans-border exchanges of personal data
  • Building organisational capability to manage Privacy
  • Challenges from the collection, profiling, cross-marketing, unstructured data, third party processing, secondary use.

OVERVIEW

The Protection of Personal Information Act requires that responsible parties ensure that any processing of personal information conforms with the eight conditions for the lawful processing of personal information. The processing of human resources (HR) information of job applicants and workers is an area of high-risk.

SEMINAR OBJECTIVES

Participants will obtain an understanding of the legislative requirements for the processing of personal Information that apply to Human Resource management. On completion of this seminar, participants will be able to:

  • Demonstrate an understanding of the impact of the Protection of Personal Information Act on the processing of HR information
  • Communicate the key aspects of the Protection of Personal Information Act that impact HR
  • Articulate the HR activities that require attention as a result of the Protection of Personal Information Act
  • Clarify responsibilities of HR personnel involved in the processing of personal information
  • Develop and implement a compliance framework for the protection of personal information in the HR function
  • Perform a privacy impact assessment
  • Develop a privacy plan for HR information
  • Monitor the compliance framework for privacy in HR.

SEMINAR OUTLINE

Participants will learn through discussion and practical examples how to prepare for and address the organisational, procedural, technical and legal requirements of the legislation for the Protection of Personal Information that impact Human Resources.

This seminar includes topics about:

  • Overview and key components of the Protection of Personal Information Act
  • Accountability for the processing of personal information
  • Conditions for lawful processing of personal information
  • Identifying personal information and the category of special personal information
  • HR practices that do not comply with the Protection of Personal Information Act
  • Good privacy practices of the HR staff
  • The development, implementation and monitoring of the HR function's compliance.

The Corporate Governance of ICT Policy Framework (Framework) was developed by the Department of Public Service and Administration in cooperation with the Government Information Technology Officer Council. Cabinet approved the Framework on 21 November 2012 and its applicability to all National and Provincial Departments, Provincial Administrations, Local Government, Organs of State and Public Entities.

The head of department is responsible for the implementation of good ICT governance.

Purpose

The purpose of ICT governance is to ensure that the acquisition, management and use of information technology by departments improves:

  • direct or indirect service delivery to the public, including but not limited to, equal access by the public to services delivered by the department
  • productivity of the department
  • cost-efficiency of the department.

The lack of a government-wide IT governance framework has resulted in a fragmented approach to the implementation of and adherence to policies and standards, and to unlocking the value that ICT could contribute to business enablement.

Compliance

To ensure compliance, departments are required to report annually to the Department of Public Service and Administration in accordance with the Corporate Governance of ICT Assessment Standard, as part of the Management Performance Assessment Tool of the Department of Performance Monitoring and Administration.

Non-Compliance

Non-compliance will be managed in terms of Section 16A of the Public Service Act.


COBIT 5 Assessor mistakes!

Common mistakes by COBIT 5 assessors.


King IV Corporate Governance Assessment

Assess the current level of your organisation's corporate governance using this King IV assessment tool.


COBIT Assessment as a Service

Conduct a COBIT assessment using this COBIT Assessment-as-a-Service.


POPIA Preliminary Assessments

POPIA preliminary assessments provide an efficient and effective approach to determining the extent to which the requirements of the Protection of Personal Information Act have been addressed.
