Responsible Party or Operator?
It’s important to know whether you are an ‘operator’ or the ‘responsible party’ under POPI. Both have certain obligations, but the responsible party has a much broader responsibility.
To determine whether you are an Operator, ask yourself whether you:
- Process the information solely in the interest of and on behalf of another (a practice, for example).
- Do so only according to instructions, but without coming under the boss’s direct authority.
- Process it in terms of a written contract.
- Would dispose of the information after the arrangement ends, and
- Do not use the information for any of your own purposes.
If all the above are true, you are probably an operator – if not, you are a responsible party. If you are uncertain, you should get legal advice on your position.
Operators have the following obligations under POPI:
Section 20:
Anyone processing personal information on behalf of a Responsible Party or an Operator must:
a. Process the information only with the knowledge or authorisation of the Responsible Party.
b. Treat the personal information as confidential and not disclose it, unless required by law or in the course of the proper performance of their duties.
Section 21:
a. There must be a written agreement between the Responsible Party and the Operator.
b. The Agreement must ensure that the Operator maintains strict security measures.
c. The Operator must notify the Responsible Party immediately if he/she believes that any personal information has been lost, or if it has been seen by an unauthorized person.