Abstract: The recent adoption of the privacy law, Protection of Personal Information (PoPI) Act in South Africa, mandates notable changes from both government departments and the public sector when dealing with personal identifiable information (PII). Recent research has shown that the level of change still required to comply with the new Act is significant. Surveys indicated that only approximately forty percent of organisations in South Africa have started with the compliance process. Private empirical research has found widespread leakage of PII within South African cyber infrastructures. The leaked information affected well over two million South African citizens in some or other manner and, with penalties instituted by the PoPI Act of up to R10 million, it is crucial for organisations to clean up these incidents of non-compliance. Even without the monetary incentive, leaked PII poses a significant threat, not only for individuals but also for companies and governmental organisations alike. Several documented instances exist where targeted phishing attacks, which have a 70% success rate once PII is included, have been successfully used against organisations. While technical controls may limit the leakage of PII, significant security vulnerabilities exist that allow for the circumvention of these controls. Cyber security awareness is still the primary defence against these technical control failures, but the notable challenge remains in educating users and responsible personnel. As with any cyber activity, there is a human factor that requires a significantly diverse skill set to understand the infrastructure that comprises an organisation. With cyber security education a continuously developing field, there is a dire need for additional research to supplement this knowledge base. This paper examines online resources available for individuals, organisations and governmental departments to comply with the PoPI Act.
The approach used will be to examine content made available through popular social media platforms such as YouTube (YouTube, N.D.), Facebook (Facebook, N.D.), Twitter (Twitter, N.D.) and search engines. These data sources were chosen since they may be the most likely common route individuals will take to gain a fundamental understanding of the requirements the PoPI Act places on them. Identified resources will be evaluated for the audience they serve (e.g. business owners, privacy officers, managers and employees), technical content (e.g. informative, guidelines or step-by-step instructions) and finally the cost involved to access or download resources (e.g. free or commercial).
Keywords: cyber security awareness, education, online resources, PII disclosure, PoPI
1. Introduction/background
South Africa has recently adopted a new privacy law, the Protection of Personal Information (PoPI) Act (South African Government Gazette, 2013). This places the country on par with international legislation that has long existed. Europe, for example, adopted the EU Data Protection Directive in 1995 (Birnhack, 2008) and the UK adopted the Data Protection Act (DPA) in 1998 (United Kingdom Government Gazette, 1998). The United States has a number of privacy laws incorporated since 2001 (Information Shield, N.D.). When dealing with personal identifiable information (PII), PoPI mandates significant changes in both governmental departments and commercial organisations alike. According to a survey conducted by Cibecs (Cibecs, 2012), only 40% of South African organisations are in the process of PoPI compliance. This points to a need for raising awareness in the South African community of the privacy implications when data breaches of PII occur. Companies failing to comply will potentially be confronted with immense penalties as prescribed by the PoPI Act. The objective of this paper is to raise awareness concerning the privacy implications of PII disclosure. This paper further aims to provide a guideline to educate users in terms of protecting one's personal information and towards compliance with the newly adopted PoPI Act. To achieve these objectives, an evaluation of online resources is conducted and the identified resources are evaluated to identify the audience served, technical content provided and costs involved. The paper first discusses the privacy implications of PII disclosure in South Africa, followed by an investigation of current compliance with PoPI in South Africa by means of an experimental evaluation. The next section is a review of available online resources for cyber security awareness, the importance of protecting one's personal information and compliance with the PoPI Act. The paper concludes in Section 7.
2. Methodology
A brief description of the PoPI Act and its principles is given. These principles are compared at a high level with other similar international acts. Research is conducted to get a better understanding of the PoPI Act and similar Acts globally. This will give a sense of the actions required for PoPI compliance. An investigation is done regarding current compliance with the PoPI Act in South Africa using the results of existing surveys. This paper focuses on resources available online for cyber security education, with a strong interest in social media platforms such as YouTube, Facebook and Twitter. It was found that a significant amount of educational material is available on YouTube (Duncan, Yarwood-Ross, & Haigh, 2013), which makes it a possible tool for providing training regarding PII. Facebook, a popular social networking site hosting millions of users (Selwyn, 2009), allows educational information to be shared between groups of people (Shiu, Fong, & Lam, 2010). The objective of this paper is to identify effective and publicly available online resources that can be used by different audiences such as business owners, privacy officers, managers and employees. Online videos have been identified as an excellent method to provide cyber security awareness training regarding PII (Von Solms & Von Solms, 2014). These online resources were also evaluated in terms of their significance as a training vehicle for PII and costs involved, if any.
3. Privacy implications of PII disclosure and the related PoPI Act
Personal Identifiable Information (PII) refers to any kind of information that can be used to reveal a person's identity (Krishnamurthy & Wills, 2009). PII is an internationally used term and according to the Department of Homeland Security (DHS) USA and the NIST definition, PII is "any information that which can be used to distinguish or trace the identity of an individual". This information could be directly or indirectly linked with an individual (Al-Fedaghi & Al-Azmi, 2012). The term PII will be used in this paper, although the term personal information (PI) is more widely used in South Africa and can be any of the following (South African Government Gazette, 2013):
* Contact details (names, email addresses, telephone or cell phone numbers, ID numbers, etcetera).
* Demographic information (age, sex, birthdates, religion, culture, marital status).
* Historical information (employment records, financials, education, medical records).
* Biometric information (DNA, HIV status, X-rays, blood type, finger prints).
* Personal opinions and views.
* Private and confidential correspondences.
* Views and opinions about an individual by another individual.
Consumers often give personal information away freely and eagerly in exchange for some benefit, unaware of the value it might add to certain organisations or to criminals (Norberg, Horne, & Horne, 2007). When it comes to financial or medical records, people are more concerned about disclosing information, but giving telephone numbers to shop or store clerks and email addresses online is a common occurrence (Norberg et al., 2007). This type of behaviour is dangerous since the collected information is often not used as intended but rather misused (Ablon, Libicki, & Golay, 2014). PII can be disclosed through, for example, emails, printouts and faxes, storage media, lost or stolen laptops, tablets or mobile devices, instant messaging programs, social networks, file sharing software, websites and phishing attacks. Having your PII disclosed may have huge privacy implications such as phishing attacks, identity theft and privacy breaches by allowing marketing without consent.
Once an attacker has obtained PII, a common attack such as phishing can be used to gain access to more sensitive information such as usernames and passwords. This type of attack, known as social engineering, uses spoofed email messages in order to obtain sensitive and personal information (Sheng, Holbrook, Kumaraguru, Cranor, & Downs, 2010). Attackers are using PII in their phishing emails, which increases the infection rates to more than 70% (FireEye, 2012; Hong, 2012; Sheng et al., 2010). Currently there is no real solution to stop phishing attacks, leaving awareness regarding cyber crime as the best option (Hong, 2012). Another implication of having your PII disclosed is identity theft. This term refers to the impersonation of a specific individual in order to obtain money, goods or services, after which the criminal disappears (LoPucki, 2001). Since identity theft is increasing, more concerns have been raised regarding the unauthorised disclosure of PII (Krishnamurthy & Wills, 2009). A less malicious case, but one still considered a significant breach of privacy, occurs when PII is stolen through marketing without consent (News24, 2014b; Petty, 2000).
As stated before, South Africa adopted new legislation in November 2013, called the PoPI Act. This Act sets certain conditions or principles on the way personal information may be processed (Michalsons, 2014b). The PoPI Act was created on the basis of the European Data Protection Directive (EU DP Directive) (Birnhack, 2008; DataGuidance, 2013). Other international laws include, but are not limited to, the UK Data Protection Act (United Kingdom Government Gazette, 1998), the US Privacy Act (Langheinrich, 2001) and the Australian Privacy Principles (Office of the Australian Information Commissioner, 2014). Table 1 gives a short description of each principle in PoPI and a high-level comparison to privacy laws from the European Union (EU), the United Kingdom (UK), the United States of America (USA) and Australia (AUS). The reason for comparing the PoPI Act with these countries is that they have had privacy legislation in place for a number of years and that PoPI is based on the EU DP Directive. The Australian Privacy Principles were amended in January 2014 from the Privacy Act in 1988 (Office of the Australian Information Commissioner, 2014).
From Table 1 it can be seen that the principles of the PoPI Act meet similar criteria to the principles in privacy laws internationally, which indicates that PoPI is well aligned with international legislation. Unlike SA, the UK and the EU, the USA has not adopted one comprehensive law regarding privacy, but has adopted a number of different laws addressing principles concerning data protection. AUS has thirteen principles set out in the privacy fact sheet, not directly aligned with the PoPI Act. However, close analysis of these principles showed that PoPI is aligned with the Australian privacy principles. As the main objective of this paper is to identify and evaluate online resources available for training regarding the South African PoPI Act, in-depth discussions of other international laws fall outside the scope of this paper.
It is every individual's right to have their personal information protected against any unlawful collection, retention, dissemination and use. Organisations will not be allowed to use, store or process personal information of individuals without their consent (South African Government Gazette, 2013). Having this legislation in place opens new implications for disclosing personal information. Organisations will face consequences for non-compliance with this Act such as:
* Damage to a company's reputation.
* Losing customers.
* Unable to attract new customers.
* Payouts in damages as a result of civil class action.
* Fines of up to R10 million.
* Facing jail time of up to 10 years.
Given the consequences above, it is very important to protect PII and to comply with the PoPI Act. The next section discusses the status of current compliance with this Act in South Africa.
4. Current compliance to the PoPI Act
The legislative environment in South Africa changes continuously, often before organisations are ready to meet the conditions and obligations set by the legislation. This causes major challenges for organisations in terms of the compliance processes involved and the PoPI Act is no exception (Pennel, 2014). The PoPI Act applies to every individual or organisation, giving rights to juristic entities in the way their personal information should be handled. This Act requires changes in the way organisations conduct themselves in terms of the use and processing of personal information. As discussed in section 3, failing to adhere to the conditions of this Act will result in significant penalties. A recent survey (Cibecs, 2012) indicated that only 26% of companies in South Africa are in the process of complying with the PoPI Act and upgrading their security measures. The survey also revealed that 38% of these companies are still using outdated security measures. In another instance, a survey performed by Deloitte indicated that only 42% of these companies have started to act towards upgrading their security structures for compliance with the PoPI Act (Lamprecht, 2013).
The challenge to comply with the PoPI Act remains huge and indications are that it might take up to three years to be fully compliant (Lamprecht, 2013). The lack of preparation and the significant time period before compliance do not mean that companies have done no preparation. KPMG has stated that most companies have some sort of privacy strategy in place, but suggested that all companies should conduct a gap analysis in terms of their readiness for compliance with the PoPI Act (KPMG, 2014a). Based on the results obtained from these surveys, it is clear that compliance with the PoPI Act is still a goal most companies are striving for, if they have even started. These companies are also most likely unaware of the consequences of non-compliance and the dangers that data breaches hold for individuals. The lack of preparation and the potential loss involved create a clear need for effective information distribution in order to raise awareness regarding privacy implications when PII is disclosed. While the PoPI Act has been signed into legislation, the commencement date for enforcement has not yet been set. It was expected to come into effect in the second half of 2014 (Pennel, 2014) but at the time of writing this paper, no date had yet been set. The next section discusses online resources available for informing users regarding the protection of PII, complying with the PoPI Act and the implications of disclosing PII.
5. Online resources available for informing users regarding protecting PII and compliance with the PoPI Act
Since the PoPI Act will place significant pressure and obligations on most individuals, employers and juristic entities in terms of how personal information will be collected and processed, the need arises for knowledge regarding clear guidelines for the protection of personal information and compliance with the conditions of this Act. Online social media such as Facebook, Twitter, YouTube and search engines have been identified as an effective method of raising awareness and informing users (Von Solms & Von Solms, 2014). A significant portion of the population is familiar with these platforms and this familiarity makes social media a suitable tool for educating affected parties regarding the privacy implications of PII disclosure. This section provides different online resources located on social media platforms such as YouTube, Facebook and Twitter as well as popular search engines. All content relates to the privacy implications of the disclosure of PII in South Africa. The content of the online resources aims to serve audiences such as business owners, managers, privacy officers and employees in South Africa, who are responsible for the collection and processing of PII, as well as individuals whose PII may be at stake.
It was decided to use and evaluate a number of videos with a clear message towards protecting one's personal information and compliance with the PoPI Act. All the videos referred to in this paper are freely available on YouTube. It should be noted that there are a number of other videos also related to this topic and that new videos might become available in the near future. The videos chosen were carefully watched and analysed in terms of their appropriateness to serve as a guideline for protecting PII and compliance with the principles of the PoPI Act. The videos found focus on defining the PoPI Act, why it is needed, how it will affect organisations, the compliance process and consequences of non-compliance (see Table 2).
By using Google (Google, N.D.) as the search engine, Slideshare (Slideshare, N.D.) has been found to be a good source in terms of education regarding the PoPI Act. A number of presentations pertaining to the PoPI Act have been found on Slideshare. These presentations, as listed in Table 3, could be used as guidelines concerning education on the privacy implications of PII disclosure and compliance towards the PoPI Act.
Although not always regarded as an academic source, Wikipedia has been found valuable in terms of information about the PoPI Act and similar international privacy laws. A number of websites and legal websites provide educational training courses, related to the compliance with the PoPI Act. Table 4 contains a summary list of some of these courses.
Another social media source that has been found to be very effective in terms of keeping up to date with the latest information concerning a certain topic of interest is Twitter. When searching for the key words "PoPI Act" in Twitter, a number of accounts are listed that could be followed. Table 5 presents a list of Twitter accounts found reliable to follow in terms of relevant news feeds towards the PoPI Act.
Resources that could provide educational benefits have been sourced from most major social media platforms. YouTube and Slideshare have been identified as the most valuable sources for providing useful information. It has been discovered that Facebook is not a good source in terms of education towards the PoPI Act. Although the Twitter accounts did not provide any specific information, they are useful to follow in instances where case studies or specific discussions occur. The results from Twitter could not be evaluated in the same manner as the results obtained from YouTube and Slideshare, for Twitter provides news feeds on various topics related to the PoPI Act. Twitter feeds are dynamic and, while not a good source of material to provide an overall view of a topic, with specific searches it is highly likely that useful information will be discovered. Finding accounts that discuss the PoPI Act is as simple as searching for the terminology "PoPI Act". The Twitter accounts listed in Table 5 can then be reviewed to find relevant information relating to PoPI. For the experienced user this would serve as a good method for keeping up to date with the compliance process, but to the average person this might not be the best option. An evaluation of the online resources found is provided in section 6.
6. Evaluation of online resources found
This section is an evaluation of the online resources found and listed in section 5 in order to determine if the resources available online are enough for raising awareness concerning the privacy implications for leaking PII. Table 2 lists online resources available in terms of the privacy implications regarding the disclosure of PII and complying with the new PoPI Act. The aim is to find resources that could serve as a guideline towards protecting PII and complying with the PoPI Act. The PoPI Act imposes eight principles for processing personal information (South African Government Gazette, 2013), see Table 6.
The eight PoPI principles will be used as a benchmark for evaluating the content of the resources discussed in section 4. The eight principles of PoPI are listed in the first column of Table 6 and the second column contains the evaluated YouTube videos from Table 2, listed according to the Video ID. The results in Table 6 indicate whether the video addresses a particular condition or principle. This process is repeated for the Slideshare resources listed in Table 3, where the third column in Table 6 lists the Slideshare presentations according to their IDs from the slide presentation.
Evaluating the resources listed in Table 2, it was determined that the majority of the YouTube videos do cover most of the PoPI Act principles, as presented in Table 6. Principles that are not covered very well are information quality, the right of access and openness. The videos regarding the penalties imposed when non-compliant are videos 7, 8 and 9 from Table 2. The penalties are not covered in Table 6, but are discussed in section 3. Another point that seems to be neglected is the downside of implementing the PoPI Act. Table 2, Video ID 11 places an emphasis on this matter in terms of direct marketing. This leads to further research in terms of how the PoPI Act will affect young entrepreneurs and small and medium-sized enterprises (SMEs) entering the market (Bits, 2013). Table 2, Video ID 12 does not address any of the principles of the PoPI Act, but it raises awareness in terms of the timeline to comply with this Act.
An interesting discovery from this research, upon assessing the data from Table 3, was that Slideshare turned out to be an excellent resource. The presentations covered all eight principles of PoPI and could immediately be used as a method of education. The topics address the privacy implications of leaking PII and the PoPI compliance process adequately (see Table 6).
In terms of the evaluation regarding the audience the resources serve, all content has been found to serve business owners, privacy officers, managers and employees in general. No content found was aimed specifically at one of these audiences.
During the evaluation process of the social media, it was realised that the online resources might not be sufficient to gain enough knowledge and experience of PoPI compliance. Proper training towards this Act might still be required. By using Google as the search engine, a few courses were discovered related to the PoPI Act. Some of these courses, presented in Table 4, are not free and might add up to a costly experience. For example, to attend the PoPI Act course at the Institute of Directors South Africa (IODSA) (ID 7 from Table 4), the cost is R4310.59 per individual for non-IODSA members (price at the time of writing this paper). However, the cost involved would be far less than any penalties imposed by the government when non-compliant.
Most of the online resources found were freely available. One could gain a solid education towards the PoPI Act without any cost implications, but achieving compliance will require expenditure. The amount required for compliance with this Act is also not fixed since it will vary depending on the type of organisation involved (Trustwave, 2014). Compliance cost implications are outside of the scope of this paper.
As discussed in section 5, the information retrieved from Twitter could not be evaluated in terms of the eight principles of PoPI. Useful accounts to be followed concerning the PoPI Act are listed in Table 5. Even though Facebook is one of the biggest social media websites, it was found to be a poor resource regarding PoPI Act education.
The question that can be asked is: "Are the current online resources enough for raising awareness concerning the privacy implications of leaking PII and also towards the compliance with the PoPI Act?" Based on the findings of this research, the best social media sources concerning the PoPI Act are YouTube and Slideshare, for they provided the most relevant information regarding the topic. The resources have been found adequate for raising awareness to a certain level. However, to become fully compliant, the need arises for proper training and possibly making use of external organisations to assist. The external resources would be organisations specialising in the PoPI Act compliance process (most likely part of the regulators). The leakage of PII online still remains a huge problem in South Africa, with an enormous amount of PII being disclosed (Swart, Irwin, & Grobler, 2014). See Table 7 for a view on the amounts of PII detected on the Internet (.co.za domain space only), through the leakage of electronic documents on websites, between November 2013 and May 2014 in an investigation by Swart et al. (2014).
Based on the results shown in Table 7 and the surveys discussed in section 4, it can be said that people and organisations in South Africa are not prepared enough for the PoPI Act. They are also not aware of the amounts of PII being leaked and not too concerned about the implications of the disclosure of PII. As revealed in section 4, current compliance with the PoPI Act in South Africa is not as high as it should be. However, the Act is not yet enforced and there is still time to comply. The need arises for proper training in terms of the conditions of this Act and the compliance process. Raising awareness concerning privacy implications in South Africa when leaking PII should become an urgent matter.
While PoPI is rated as some of the best legislation (Gunstons Attorneys, 2014), several caveats exist. This paper does not focus on any shortcomings; this is a topic for future research. When a person resides in Botswana, for example, he/she could collect PII from South Africa and sell it. The PoPI Act will have no effect on that particular person (News24, 2014b). Another possible scenario is that PoPI makes an exception allowing the South African Government to lawfully collect and process PII. This means that the Department of Home Affairs (Department: Home Affairs Republic of South Africa, N.D.), for example, could share information with the South African National Roads Agency Limited (SANRAL) (News24, 2014b). SANRAL is an organisation responsible for the management, maintenance and development of the road networks in South Africa (SANRAL, N.D.).
7. Conclusion
The research performed in this paper investigated how online resources available to individuals, organisations and governmental departments can be used as a guideline to raise awareness concerning the implications when leaking PII and how to comply with the PoPI Act. The focus was to examine content made available through popular social media platforms such as YouTube, Facebook, Twitter and search engines. Most people are familiar with these data sources, making them good possible tools to use for raising awareness concerning the privacy implications of PII disclosure and compliance with the PoPI Act. The identified resources were evaluated for the different audiences they serve, technical content and cost implications. It has been discovered that the best social media sources concerning the PoPI Act are YouTube and Slideshare. These sources provided the most relevant information regarding the topic and current online resources available can be used in education and raising awareness. To become fully compliant, however, proper training in terms of the PoPI Act compliance process is still required. It would be best to make use of external organisations who are experts in providing services related to the PoPI Act compliance.
References
Ablon, L., Libicki, M. C., & Golay, A. A. (2014). Markets for cybercrime tools and stolen data: Hackers' bazaar. Rand Corporation.
Al-Fedaghi, S., & Al-Azmi, A. A. R. (2012). Experimentation with personal identifiable information.
Birnhack, M. D. (2008). The EU data protection directive: An engine of a global regime. Computer Law & Security Review, 24(6), 508-520.
Bits. (2013). PoPI (protection of personal information) unintended. Retrieved from https://www.youtube.com/watch?v=IytNgmlctOg [Accessed October/13, 2014]
Cibecs. (2012). Survey results: Only 26% percent of South African companies preparing for PoPI bill. Retrieved from http://cibecs.com/blog/2012/11/05/business-data-protection-statistics-and-trends/ [Accessed June/20, 2014]
DataGuidance. (2013). South Africa: New privacy law will have 'significant impact' on businesses. Retrieved from http://www.dataguidance.com/dataguidance_privacy_this_week.asp?id=2104 [Accessed November/28, 2014]
Department: Home Affairs Republic of South Africa. (N.D.). Retrieved from www.home-affairs.gov.za [Accessed October/21, 2014]
DigitLab TV. (2013). The PoPI act. Retrieved from https://www.youtube.com/watch?v=gmmun1zUQTU [Accessed October/13, 2014]
Duncan, I., Yarwood-Ross, L., & Haigh, C. (2013). YouTube as a source of clinical skills education. Nurse Education Today, 33(12), 1576-1580.
Facebook. (N.D.). Retrieved from www.facebook.com [Accessed October/21, 2014]
FireEye (Ed.). (2012). Spear phishing attacks-why they are successful and how to stop them (white paper) (1st ed.) FireEye.
Google. (N.D.). Retrieved from www.google.com [Accessed October/21, 2014]
Gunstons Attorneys. (2014). When is the PoPI act effective date? Retrieved from http://gunstons.com/popi-act-effective-date/ [Accessed December/11, 2014]
Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74-81.
Information Shield. (N.D.). International privacy laws. Retrieved from http://www.informationshield.com/intprivacylaws.html [Accessed July/7, 2014]
KPMG. (2013). KPMG - protection of personal information bill signed into law. Retrieved from https://www.youtube.com/watch?v=Z6yveaoPnnA [Accessed October/13, 2014]
KPMG. (2014a). PoPI takes effect. Retrieved from http://www.kpmg.com/za/en/issuesandinsights/articlespublications/protection-of-personal-informationbill/pages/popi-takes-effect.aspx [Accessed July/18, 2014]
KPMG. (2014b). The protection of personal information act (PoPI) - Nikki Pennel. Retrieved from https://www.youtube.com/watch?v=yCGu3cEhS_A [Accessed October/13, 2014]
Krishnamurthy, B., & Wills, C. E. (2009). On the leakage of personally identifiable information via online social networks. Paper presented at the Proceedings in the 2nd ACM Workshop on Online Social Networks, 7-12.
Lamprecht, I. (2013). Few organisations ready for popi. Moneyweb.co.za. Retrieved from http://www.moneyweb.co.za/moneyweb-south-africa/few-organisations-ready-for-popi [Accessed July/18, 2014]
Langheinrich, M. (2001). Privacy by design-principles of privacy-aware ubiquitous systems. Paper presented at the Ubicomp 2001: Lecture Notes in Computer Science Volume 2201, 273-291.
LoPucki, L. (2001). Human identification theory and the identity theft problem. Texas Law Review, 80, 89-134.
Michalsons. (2014a). Michalsons protection of personal information act (PoPI) workshops. Retrieved from https://www.youtube.com/watch?v=OrKc40fff6c [Accessed October/14, 2014]
Michalsons. (2014b). Protection of personal information act - PoPI. Retrieved from http://www.michalsons.co.za/protection-of-personal-information-act-popi/11105 [Accessed April/1, 2014]
Michalsons. (2014c). Protection of personal information act (PoPI) - the challenge. Retrieved from https://www.youtube.com/watch?v=fp7-auX-o54 [Accessed October/13, 2014]
Michalsons. (2014d). Protection of personal information act (PoPI) - the timeline. Retrieved from https://www.youtube.com/watch?v=IytNgmlctOg [Accessed October/13, 2014]
Michalsons. (2014e). Protection of personal information act (PoPI) - why? Retrieved from https://www.youtube.com/watch?v=WbpTV5pu448 [Accessed October/13, 2014]
Michalsons. (2014f). Protection of personal information act (PoPI) and debt collection. Retrieved from https://www.youtube.com/watch?v=G70UEzRnkRc [Accessed October/13, 2014]
News24. (2014a). Is the protection of personal information act (PoPI) working in South Africa? Retrieved from https://www.youtube.com/watch?v=PiGlrHhILEU [Accessed October/13, 2014]
News24. (2014b). Protection of personal information. Retrieved from https://www.youtube.com/watch?v=i420JE7wJJU [Accessed October/13, 2014]
Norberg, P. A., Horne, D. R., & Horne, D. A. (2007). The privacy paradox: Personal information disclosure intentions versus behaviors. Journal of Consumer Affairs, 41(1), 100-126.
Privacy fact sheet 17: Australian privacy principles, (2014).
Pennel, N. (2014). Does PoPI matter? getting to the truth. Retrieved from http://www.kpmg.com/za/en/issuesandinsights/articlespublications/protection-of-personal-information-bill/pages/default.aspx [Accessed October/13, 2014]
Petty, R. D. (2000). Marketing without consent: Consumer choice and costs, privacy, and public policy. Journal of Public Policy & Marketing, 19(1), 42-53.
PolitySA. (2011). Protection of personal information bill. Retrieved from https://www.youtube.com/watch?v=23ngtSAEu_k [Accessed October/13, 2014]
PolitySA. (2013). Becoming PoPI compliant. Retrieved from https://www.youtube.com/watch?v=DwMAI6HiKO0 [Accessed October/13, 2014]
Property24. (2012). 8 information principles of PoPI. Retrieved from http://www.property24.com/articles/8-information-principles-of-popi/16544 [Accessed Jul/16, 2014]
SANRAL. (N.D.). Retrieved from http://www.sanral.co.za/ [Accessed October/14, 2014]
Selwyn, N. (2009). Faceworking: Exploring students' education-related use of Facebook. Learning, Media and Technology, 34(2), 157-174.
Sheng, S., Holbrook, M., Kumaraguru, P., Cranor, L. F., & Downs, J. (2010). Who falls for phish?: A demographic analysis of phishing susceptibility and effectiveness of interventions. Paper presented at the Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 373-382.
Shiu, H., Fong, J., & Lam, J. (2010). Facebook-education with social networking websites for teaching and learning. Hybrid learning (pp. 59-70). Springer.
Slideshare. (N.D.). Retrieved from http://www.slideshare.net/ [Accessed October/21, 2014]
Protection of personal information act, ActU.S.C. (2013).
Swart, I., Irwin, B., & Grobler, M. (2014). On the viability of pro-active automated PII breach detection: A South African case study. Paper presented at the Proceedings of the Southern African Institute for Computer Scientist and Information Technologists Annual Conference 2014 on SAICSIT 2014 Empowered by Technology, 251.
Trustwave. (2014). The cost implications of PoPI aligned to security technologies. Retrieved from https://secure.brighttalk.com/webcast/7051/123815 [Accessed December/4, 2014]
Twitter. (N.D.). Retrieved from https://about.twitter.com/company [Accessed August/22, 2014]
Data protection act, ActU.S.C. (1998).
Von Solms, S., & Von Solms, R. (2014). Towards cyber safety education in primary schools in Africa. Eighth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2014), 185-197.
YouTube. (N.D.). Retrieved from www.youtube.com [Accessed October/21, 2014]
Johnny Botha¹,³, M.M. Eloff²,³ and Ignus Swart¹
¹ CSIR, Pretoria, South Africa
² Institute for Corporate Citizenship, University of South Africa (UNISA), Pretoria, South Africa
³ University of South Africa (UNISA), Pretoria, South Africa
Johnny Botha is a software developer and researcher at the Council for Scientific and Industrial Research (CSIR). He is studying towards a master's (MTech) degree in Information Technology at the University of South Africa (UNISA). Topic: "Personal Identifiable Information Disclosure since the Protection of Personal Information Act Adoption in South Africa". He has obtained NDip and BTech degrees in Computer Systems Engineering at the Tshwane University of Technology (TUT).
Ignus Swart joined the CSIR in 2010 and holds a master's degree in computer science. He is a frequent speaker on radio and at conferences and an active participant in a number of cyber security competitions, consistently placing in the top three nationally.
Copyright Academic Conferences International Limited 2015