Maintaining Compliance with the Protection of Personal Information Act (POPIA)
A series of compliant events – Part 2 – Who is accountable for processing the personal information?
Once your business has conducted a POPIA assessment and has determined that it is processing personal information, maybe even special personal information, it is then time to assess whether you comply with POPIA. How do you go about complying with POPIA and its eight conditions for lawful processing of personal information?
First, a business must understand that every item of personal information it has identified must comply with all eight conditions. These conditions operate like a wheel: all eight conditions must be met in order for the wheel to turn (i.e., in order for the business to fully comply with POPIA).
The first condition is Accountability, where a business has to determine first and foremost whether it is processing the personal information in its capacity as a responsible party or as an operator. The responsible party refers to the person who, alone or in conjunction with another person, determines the purpose of and the means for processing personal information. The operator is the person who processes the personal information on behalf of a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. The distinction between these terms is very important because it is the responsibility of the responsible party to ensure compliance with POPIA and to ensure that it enters into a written agreement with the operator that sets out exactly what personal information the operator may process.
Sections 20, 21 and 22 of POPIA apply to the relationship between the responsible party and the operator and state that should an operator act outside the scope of its instructions and should the responsible party have failed to enter into a written agreement with such operator, the responsible party shall remain accountable for any non-compliance with POPIA by the operator.
Failure to enter into such a written agreement effectively means that the responsible party is absolving the operator of responsibility for its actions and that the responsible party is likely to be the person on whom the Information Regulator imposes a fine or imprisonment order.
If the responsible party can prove to the Information Regulator (by way of a written agreement signed by the operator, i.e., a Data Processing Agreement or Operator Agreement) that the responsible party has set the parameters for the processing of personal information by the operator and the operator acted outside of these parameters, the Information Regulator is likely to impose an enforcement order, fine or imprisonment on the operator and not the responsible party.
It is possible in certain instances for the parties to be unsure whether they are the responsible party or the operator. If one looks for guidance from the European Union in order to determine whether you are a responsible party or an operator in respect of the processing of the personal information, you can ask yourself:
- Are you the party that determines and exercises overall control over the why and how of processing, while the other party (operator) has some discretion in how to carry out its function?
- Are you required in terms of law to process personal information?
- Ask yourself which entity decides:
  - to collect the personal data in the first place and the legal basis for doing so;
  - which items of personal data to collect, i.e., the content of the data;
  - the purpose or purposes the data are to be used for;
  - which individuals to collect data about;
  - whether to disclose the data and, if so, to whom;
  - whether subject access and other individuals’ rights apply, i.e., the application of exemptions; and
  - how long to retain the data or whether to make non-routine amendments to the data.
If you are the party that exercises most of the above decisions, the chances are high that you will be regarded as the responsible party.
It is also possible for both parties to make the above decisions in which case both parties would be regarded as joint responsible parties. Should this situation arise, it is important that the parties enter into a Joint Responsible Parties Agreement instead of a Data Processing Agreement or Operator Agreement. This agreement must set out the liabilities and indemnities of the parties as well as compliance with POPIA and the manner in which matters will be handled with the Information Regulator.
Once you have determined that you are the responsible party, you must assess how many operators you are using in order to enter into the necessary Data Processing Agreements/Operator Agreements and in order to move on to complying with the next condition, which is Processing Limitation.