The word “Operator” conjures up many an image or meaning:
- Mr Smooth Operator – remember the song – your just a smooth operator, coast to coast, LA to Chicago, western male, across the north and south, to Key Largo, love for sale…….you’re just a smooth operator, as crooned by Sade in the popular 1980 hit about a fashionable con-man who moves within high social circles.
- A railway network operator – under the National Railway Safety Regulator Act 16 of 2002, an Operator is defined as a network operator, train operator or station operator – i.e. an entity who operates a railway network;
- A cross border transporter – under the Cross-Border Road Transport Act 4 of 1998, an Operator is a word which is used to describes those who conduct road transport businesses in South Africa and in our neighbouring countries and who have to hold a cross border road transportation permit for such cross border passenger and freight road transport operations
- your run of the mill vanilla operator, being a person who operates something…. such as a machine or device, a business, or a person or machine e that performs surgical operations or who deals in stocks or commodities;
- your more sinister liquorish operator, being a shrewd and skillful person who knows how to circumvent restrictions or difficulties;
- the mathematical operator, being a symbol that denotes or performs a mathematical or logical operation such as a mathematical function; and
- the biological operator, a binding site in a DNA chain at which a genetic repressor binds to inhibit the initiation of transcription of messenger RNA by one or more nearby structural genes; and
- the personal information Operator, being a person who is asked by a responsible party to process personal information on behalf of the responsible party.
It’s the last one, the personal information operator, which has recently caused a lot of confusion in relation to the POPIA Act.
Your first step around OPERATORS, will be to determine who your operators are and then develop two operator registers.
So to comply with your POPIA obligations, you will need to ascertain the following:
Who is an Operator?
An Operator is any person or entity who is processing Personal Information on behalf of our Buisness.
In an effort to bring Business in line with the new law known as the Protection of Personal Information Act, 4 of 2013 (POPIA), which protects one’s right to data privacy, Legal and Compliance Departments need to obtain a list of all persons, including individuals or legal entities, i.e. service providers, who handle and manage personal information on your behalf, who are known under POPIA as an “Operator”.
Examples of these service providers include:
- Advertising agencies;
- PR agencies;
- Recruitment and employment agencies;
- Credit Bureaux;
- Verification agencies;
- Sales Agents;
- Service Agents.
Do I need an Operator Register in place?
In terms of section 20 of POPIA, such person has a duty to treat any personal information, which it processes on behalf of your Buisness, as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.
Furthermore, in terms of section 21 of POPIA, your Business must, in terms of a written contract between your Business and the person or entity who is processing Personal Information on behalf of your Business, (such service provider is then known as an Operator) ensure that the Operator, establishes and maintains adequate safeguards and security measures in respect of the information which it is processing on behalf of your Business.
In order to bring your Operator practices in line with POPIA, you will require a list of all the Operators who you use, including where information of a personal nature is sent, to persons who reside or who are situated outside South Africa.
The details of these Operators must be inserted into an Operator Register. You will need two Registers, one for personal information handled by persons in South Africa and the second for personal information handled by persons outside South Africa.
THE LEGAL TEAM can provide Generic or Customised Operator Registers and suggested wording for correspondence, to your Operators, on request.
Do I need to sign an Operator Agreement with my service Providers?
In terms of section 21 of POPIA, where you are processing Personal Information on behalf of another entity, as an Operator, as defined under POPIA, you must agree to certain processing provisions which are set out under a standard Operator agreement/addendum. Your Operator Agreement should be housed on your website, which you will then request your Service providers to download and read. The terms of your Operators Agreement will apply to all processing and where applicable should be read together with any other agreements which you may have concluded with your service providers.
THE LEGAL TEAM can provide Generic or Customised Operator Agreements and suggested wording for correspondence, to your Operators, on request.