Confidentiality and information security


Misuse or loss of confidential client information or personal data may compromise our clients and expose the firm to legal proceedings, and it may also adversely impact our reputation.

Confidentiality and information security are key elements of our professional responsibilities.

The firm’s Information Protection Leader is a member of the Africa Risk Council and is supported by the PwC Network Information Security Organization, which, together with the Information Protection Committee, provides oversight, policy and strategic direction on information risk and cybersecurity matters.

Membership of the Committee comprises representatives from Risk and Quality, Office of General Counsel, Network Information Security, Information Technology and the lines of service. These committees’ objectives are to:

  1. Provide overall governance and oversight of the Information Management programme.
  2. Act as an approval body for Information Management policies and procedures.
  3. Agree and allocate Information Management accountability and responsibilities.
  4. Identify and initiate Information Management remediation projects.
  5. Monitor progress of the Information Management programme.


In previous years, the Global PwC network launched a programme in response to the EU General Data Protection Regulation (GDPR) and other worldwide data protection regulatory changes. This programme was designed to implement a robust and consistent approach to data protection compliance across the PwC network and within each member firm.

PwC South Africa operates an information security management system, which is certified as compliant with the requirements of ISO/IEC 27001:2013 for all client data that comes under its control or ownership by virtue of a contract for services between PwC South Africa and a client.

PwC’s information security policies and procedures aim to make sure that:

  • Information is protected from internal and external threats.
  • Confidentiality, availability and integrity of information are maintained.
  • Statutory, regulatory and contractual obligations are met.
  • Access to confidential information is granted only for justified business needs.


Our policies and procedures include:

  • Encryption of all the firm’s laptops, PCs and memory sticks.
  • Secure and managed apps for data accessed by mobile devices.
  • Software restricting the use of removable media.
  • Access to engagement files – both electronic and hard copy paper files – is restricted to those with a ‘need to know’.
  • Regular backups of data on individual laptops and PCs.
  • Clear-desk policy, both in our offices and at client sites.
  • Securing hard copy files when they are not in use.
  • Remote access to our network via a secure virtual private network, or equivalent technology.
  • Policies on the transmission of data by email outside of the organisation.
  • Restricted access to operational areas of PwC South Africa and our buildings.


The firm’s policies and standards are supported by ongoing compliance monitoring. Monitoring is carried out by PwC Africa’s internal audit and compliance teams and is supplemented by checks by the PwC Network Information Security Organization. Our ISO/IEC 27001:2013 certification is subject to annual external independent assessment. The firm has incident reporting and response procedures that seek to minimise the impact of any data loss which may arise. These procedures include notifying clients when it is known that their data is at risk and, where appropriate and feasible, taking corrective action.
