Confidentiality and information security

Misuse or loss of confidential client information or personal data may compromise our clients, expose the firm to legal proceedings, and adversely impact our reputation.

Confidentiality and information security are key elements of our professional responsibilities.

Misuse or loss of confidential client information or personal data may compromise our clients, expose the firm to legal proceedings, and adversely impact our reputation.

The firm’s Information Protection Leader is a member of the Africa Risk Council and is supported by the PwC Network Information Security Organisation which, together with the Information Protection Committee, provides oversight, policy and strategic direction on information risk and cybersecurity matters.

Membership of the Committee comprises representatives from Risk and Quality, the Office of General Counsel, Network Information Security, Information Technology and the lines of service. The committee’s objectives are to:

provide overall governance and oversight of the Information Management programme;
act as an approval body for Information Management policies and procedures;
agree and allocate Information Management accountability and responsibilities;
identify and initiate Information Management remediation projects; and
monitor progress of the Information Management programme.

PwC regularly reviews its data protection practices to comply with applicable laws, industry standards and best practices. To meet the requirements of the European Union’s General Data Protection Regulation (GDPR), and as a result of other territorial regulations impacting privacy, a comprehensive global programme -- the Network Data Protection Programme or NDPP -- has been established to provide a basis for, and a consistent approach to, data protection compliance across the PwC network and within each member firm.

PwC South Africa operates an information security management system, which is certified as compliant with the requirements of ISO/IEC 27001:2013 for all client data that comes under its control or ownership by virtue of a contract for services between PwC South Africa and a client.

PwC’s information security policies and procedures aim to ensure that:

information is protected from internal and external threats;
confidentiality, availability and integrity of information is maintained;
statutory regulatory and contractual obligations are met; and
access to confidential information is granted only for justified business needs.

Our policies and procedures include:

our security policy, which focuses on protecting our information and technology assets and complies with regulatory standards and local security policies;
a security organisation aimed at the management of our security, including our network-wide security model framework, third party access to our firm's resources and security requirements for outsourced service providers;
personnel responsibilities, such as employee vetting, terms and conditions of employment, confidentiality agreements, and user awareness training;
assigning access controls to PwC’s information and technology assets based on a data classification scheme and assigned roles and responsibilities;
protecting PwC’s business premises and the information and technology assets within them with physical and environmental security measures for building access control;
clear desk policy and laptop security measures;
cyber security incident management – implement controls to minimise the impact in the event of a security breach;
data protection – classification and security of information assets and systems, including data classification;
service management – secure operation and management of information processing centres. For example, clear separation of test and production environments, separation of operational duties based upon roles, strong change management controls, and secure network connections;
systems development – development and ongoing maintenance of information systems to include adequate security controls during the conceptual design phase;
resilience – business continuity and disaster recovery planning based upon service level agreements and recovery time objectives with the overall aim of minimal impact to the business in the event of a disaster;
compliance programme – outlines controls that measure and monitor compliance of our enterprise and systems with the ISP and other relevant security controls as agreed via the policies and standards process. Includes additional controls required to determine compliance with applicable regulations and legislation such as data protection.

The firm’s policies and standards are supported by ongoing compliance monitoring. Monitoring is carried out by PwC Africa’s Internal Audit and Compliance teams and is supplemented by checks by the PwC Network Information Security Organisation. Our ISO/IEC 27001:2013 certification is subject to annual external independent assessment. The firm’s incident reporting and response procedures seek to minimise the impact of any data loss that may arise. These procedures include notifying clients when it is known that their data is at risk and, where appropriate and feasible, taking corrective action.