POPIA - South Africa - Responsible Party, Operator and The Information Officer
So, a Responsible Party, an Operator, and an Information Officer walk into a bar. Okay, unless you’re a POPIA guru, this joke is about to get real confusing. Thankfully, I’m here to walk you through some useful terms from SA’s very own Protection of Personal Information Act, 2013 (“POPIA”) so you too can be in on this hilarious (and not at all nerdy) joke. On top of that, getting to know the key players in the POPIA Act is an essential tool needed while navigating the road of Personal Data Protection compliance.
The Responsible Party
With great power, comes great responsibility. What Uncle Ben was saying not only rings true to this particular entity but could be a cheat sheet to remembering the qualities it possesses.
Let’s take a look at the official definition of a responsible party from the POPI Act:
'"Responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.'
As set out, the Responsible Party is the shot caller. It determines the purpose for processing information, what information is processed, for how long and how it is processed. For example, while you are biting into that creamy lemon tart from Margret’s Little Bakery, she has another enticing email on the way about a fudge brownie special this Friday.
She decides:- What personal info she needs - an email address.
- Who she needs it from - you, a user on her website.
- Why does she need it - mouthwatering marketing of course?
- Where does she store it – Microsoft Office 365
Even when working in conjunction with an Operator (an external person contracted to process certain info for the resp party...more on that below) the responsible party will still determine the who, what, why, and where...and outsource the actual processing to the Operator, who must still adhere to all these decisions the responsible party has made.
They have all this personal information and call all the shots. However, on the flip side of that coin, one can’t ignore the very essence of this key player that is built right into the title: responsibility. This isn’t Westeros, and Margret can’t be running around like King Joffrey, ruling without consequences. The responsible party remains ultimately accountable for ensuring that POPIA is complied with by both itself and all operators providing services to the responsible party. Now that is a lot of responsibility!
The Operator
By now you know that an operator is a person who is brought in by the responsible party to process certain personal information. But what exactly is an Operator as defined by the POPI Act?
It is:
"‘a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party."
Notice two essential points here. The operator cannot come under direct authority of the responsible party, meaning the operator should not be permanently employed by them. Secondly, there needs to be a written contract between the two parties.
This is explained further in Section 20 and 21 of the Protection of Personal Information Act 4 of 2013. Here are some essential points you want to include in the Operator’s contract.
To ensure that the operator:
- establishes and maintains the obligatory security measures on integrity and confidentiality of personal information set out by the Act.
- only acts within the parameters of the agreement/mandate.
- only handles certain personal information agreed upon.
- does not share any personal information with any third parties.
The Responsible Party will be held ultimately liable by the Information Regulator for a breach of POPIA by the operator, who will likely get off on a whoopsie daisy, while the Responsible Party will have a meeting in the hot seat with the Information Regulator. Therefore, it might be wise to add an Operator liability clause in the Operator’s contract to allow the Responsible Party to bring a claim for any loss suffered as a result of the Operator’s negligence or breach of POPIA.
Who should draw up the contract?
POPIA does not specify exactly who should draw it up, but rather pointing to the Responsible Party to ensure a proper one exists. Wow Spidey, Uncle Ben wasn’t kidding...these responsibilities just keep on coming! Bottom line though is to make certain that that agreement exists, it sets out the important details of the relationship between the operator and responsible party and aims to protect not only the responsible party, but also the operator by detailing the extent of the processing and other responsibilities that the operator undertakes.
What if you are disclosing Personal Information to another Responsible Party? Would you still need a contract?
I’m glad you asked! Even though there is no legal requirement to have a contract in place between Responsible Parties, it is good practice to have an agreement between said parties. For example, Margret provides medical aid to her employees through MedStar. In this instance, MedStar would be defined, not as an Operator (not coming under direct authority of Margret’s Little Bakery), but as another Responsible Party. Naturally, they would have Margret sign their agreement upon joining, as they would with any other client. In this scenario, even though MedStar is responsible for compliance as far as Margret’s employees are concerned, one would hope that she does some due diligence as far as MedStar’s POPIA compliance is concerned.
Can I be both Responsible Party and Operator?
If you put your mind to it, you could be anything you want, champ. Seriously though, if you think about it, a business that provides a service as an Operator also has its own Personal Information to process. For example, when Margret outsources her direct marketing to MailMonkey, to her they are just an Operator. But MailMonkey has a whole business to run, including data subjects under their own roof – their employees.
From this angle it becomes clear that one can be both, it just depends on which scenario you’re looking at.
The Information Officer
And last but not least, introducing the Information Officer. It sounds like this one should be wearing a really smart and ceremonial uniform, but let’s look at how this title is officially defined. According to the Information Regulator SA Guidance Note on Information Officers and Deputy Information Officers:
“Information Officer”:of, or in relation to, a –
- public body means an Information Officer or Deputy Information Officer as contemplated in terms of section 1 or 17 of the Promotion of Access to Information Act (PAIA); or
- private body means the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act (PAIA).
Remember, if you are the Information Officer of a multinational organisation, before you go flitting off to the Bahamas office, you must authorise any person within the Republic of South Africa as an Information Officer, to maintain accessibility. That means you, Margret!
In conclusion
We’re all looking forward to Fudge Brownie Friday. Also! It helps to know what your (and others’) rights and responsibilities are when it comes to the protection of Personal Information, whichever seat you’re sitting in at any given moment. Who is responsible for what, and knowing what you can do to avoid suffering any losses as a result of negligence or breach of POPIA.
And just to give an idea of what kind of losses you could be dealing with, penalties for violating the POPI Act include:
- Administrative fines of up to 10 million South African Rand
- Prison sentences up to 10 years.
Damn, Gina! Better get started...
If you are interested in learning more or want to hear the punchline of that joke, contact us now!