Hinde, C. (2014) A Model to Assess Organisational Information Privacy Maturity against the Protection ...


Reports on information security breaches have risen dramatically over the past five years with 2014 accounting for some high-profile breaches including Goldman Sachs, Boeing, AT&T, Ebay, AOL, American Express and Apple to name a few. One report estimates that 868,045,823 records have been breached from 4,347 data breaches made public since 2005 (Privacy Rights Clearing House, 2013). The theft of laptops, loss of unencrypted USB drives, hackers infiltrating servers, and staff deliberately accessing client's personal information are all regularly reported (Park, 2014; Privacy Rights Clearing House, 2013).

With the rise of data breaches in the Information Age, the South African government enacted the long awaited Protection of Personal Information (PoPI) Bill at the end of 2013. While South Africa has lagged behind other countries in adopting privacy legislation (the European Union issued their Data Protection Directive in 1995), South African legislators have had the opportunity to draft a privacy Act that draws on the most effective elements from other legislation around the world.

Although PoPI has been enacted, a commencement date has still to be decided upon by the Presidency. On PoPI's commencement date organisations will have an additional year to comply with its requirements, before which they should: review the eight conditions for the lawful processing of personal information set out in Chapter three of the Act; understand the type of personal information they process; review staff training on mobile technologies and limit access to personal information; ensure laptops and other mobile devices have passwords and are preferably encrypted; look at the physical security of the premises where personal data is stored or processed; and, assess any service providers who process information on their behalf.

With the demands PoPI places on organisations this research aims to develop a prescriptive model providing organisations with the ability to measure their information privacy maturity based on “generally accepted information security practices and procedures” (Protection of Personal Information Act, No.4 of 2013, sec. 19(3)).

Using a design science research methodology, the development process provides three distinct design cycles: 1) conceptual foundation 2) legal evaluation and 3) organisational evaluation. The end result is the development of a privacy maturity model that allows organisations to measure their current information privacy maturity against the PoPI Act.

This research contributes to the knowledge of how PoPI impacts on South African organisations, and in turn, how organisations are able to evaluate their current information privacy maturity in respect of the PoPI Act. The examination and use of global best practices and standards as the foundation for the model, and the integration with the PoPI Act, provides for the development of a unique yet standards-based privacy model aiming to provide practical benefit to South African organisations

Citation Charles Hinde (2014). A Model to Assess Organisational Information Privacy Maturity against the Protection of Personal Information Act. University of Cape Town. Paywall

BibTex entry for this thesis:

BibTex entry for this thesis:

author = {Hinde, Charles},
pages = {1--101},
school = {University of Cape Town},
title = {{A Model to Assess Organisational Information Privacy Maturity against the Protection of Personal Information Act}},
year = {2014}

Key ideas