Outsourcing
Medical practices may, at times, outsource the processing and storage of personal information.
There is nothing in the Protection of Personal Information Act (POPI) that prevents organizations from outsourcing the processing of data.
However, regardless of where information is being processed, whether in South Africa or in a foreign country, organizations subject to POPI:
- must take all reasonable steps to protect that information from unauthorized uses and disclosures while it is in the hands of the third-party processor;
- must also be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times;
- must make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language, ideally at the time the information is collected.
When personal information is in the hands of a third-party service provider operating on foreign soil, it is subject to the laws of that country and no contract can override that. This could mean, for instance, that the organization may be obliged to respond to a subpoena or other mechanism that would give law enforcement officials access to personal information.
For more information:
- The Meaning of “Accountability”
- Reaching for the Cloud(s): Privacy Issues related to Cloud Computing
- Contracting with Contractors that are NOT POPI Operators: Best Practices