AGREEMENTS IN REGARD TO POPIA
In an effort to bring your organization’s practices in line with the Protection of Personal Information Act, 4 of 2013 (POPIA), your organization’s Legal and Compliance department needs to obtain, from the relevant departments within the organization, a list of all persons (individuals or legal entities, i.e. service providers) who handle and manage personal information on your behalf. Such persons are known under POPIA as “Operators”.
Who is an “Operator”?
An Operator is defined under POPIA as a “person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”.
Examples of these service providers include:
- Advertising agencies;
- Auditors;
- PR agencies;
- Recruitment and employment agencies;
- Credit Bureaux;
- Verification agencies;
- Attorneys;
- Sales Agents;
- Service Agents.
What definitions do you need to know?
“responsible party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
“operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
“processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information.
“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
What is the difference between a Responsible Party and an Operator?
Responsible Parties determine the purpose for processing information, what information is processed, for how long it is kept and how it is processed. Where an Operator is involved, the Responsible Party still determines the purpose for processing and the other matters listed above, but outsources the processing of the information to the Operator. The Responsible Party therefore still makes all decisions in relation to the information, and the Operator acts in accordance with those decisions and on the instructions of the Responsible Party.
The Responsible Party remains ultimately accountable for ensuring that POPIA is complied with by both itself and all Operators providing services to the Responsible Party. The outsourcing or sub-contracting of any processing activities to Operators does not absolve the Responsible Party from liability. If the Operator contravenes POPIA, the Responsible Party will still be held liable by the Information Regulator.
Why do you need an Operator Agreement?
In terms of section 20 of POPIA, an Operator, or anyone processing personal information on behalf of a Responsible Party or an Operator, has a duty to treat any personal information which it processes on behalf of the organization as confidential and must not disclose it, unless required by law or in the course of the proper performance of his or her duties.
Furthermore, in terms of section 21 of POPIA, the Responsible Party must have a written agreement between itself and the Operator to ensure that the Operator establishes and maintains adequate safeguards and security measures in respect of the information which it is processing on behalf of the Responsible Party.
The Responsible Party will ultimately be held liable by the Information Regulator for a breach of POPIA by the Operator where the breach occurred within the scope of the mandate agreement between the Responsible Party and the Operator.
However, where the Operator has exceeded its mandate and breached POPIA, the Operator is regarded as acting as a Responsible Party in respect of that personal information, because the Operator is then determining the purpose and means of the processing itself.
A written agreement between the Responsible Party and the Operator is therefore extremely important for the Responsible Party. By including a liability clause, the Responsible Party can hold the Operator liable for any claims which the Information Regulator and/or data subjects may have against the Responsible Party as a result of a breach of POPIA by the Operator.
Is your Operator Agreement in line with POPIA’s requirements?
If not, we have you covered!
This week’s Template of the Week is an Operator Agreement to assist you in bringing your Organization’s Operator practices in line with POPIA.
For subscribers, please log in to The Legal Team to access this template.
Should you wish to subscribe to our UPDATE service, please contact us with a request for a quote. The UPDATE service includes weekly e-mails containing detailed Gazette Watch, Newsflash, Alerter and Template of the Week information.