PoPIA: How the ‘Operator’ must use personal information

Issue 2 2021 Security Services & Risk Management

As the Protection of Personal Information Act (PoPIA) is only three months away from being enforced, organisations and responsible parties have had to gain an in-depth understanding of the rules and regulations that must be adhered to. While much focus has been placed on the roles and responsibilities that must be fulfilled to meet the standards of PoPIA, the role of the Operator must also be highlighted.

“The Operator plays a vital function and as such it is crucial that his/her duties and responsibilities are adequately understood. The Responsible Party is charged with ensuring that the personal information obtained is protected, but it is the Operator who actually uses the data provided,” explains Carrie Peter, solution owner at Impression Signatures.

Carrie Peter.

The Operator can be a person, a system, or a third-party service provider that works in conjunction with the Responsible Party but is not necessarily under the authority of the Responsible Party. The Operator’s primary responsibility is to process the information obtained from the data subject for its intended purpose, i.e., making sure that the information is being utilised for the purpose for which consent was given. If the Operator is a third-party provider and not causally linked to the organisation, consent will need to be obtained from the data subject for the Operator to process the personal information.

“Consent is of the highest importance within PoPIA. The data subject must be informed and give consent for the purpose and use of the personal information, as well as each individual organisation or entity that will have access to this information to fulfil the required purpose,” continues Peter.

Due to the Operator not being under the direct authority of the Responsible Party, the Responsible Party will require evidence and assurance from the Operator that all necessary standards and regulations are being adhered to. This is because, although the Operator is not under the Responsible Party’s authority, the Responsible Party is still accountable for what the Operator does with the personal information at hand.

This is an important point to highlight because it means that responsible parties must be sure of the Operators with which they work. It is imperative that the Operators are vetted and can prove their compliance to the required standards as outlined by PoPIA and included in a contract that will be signed between the Operator and the Responsible Party.

“The Operator may not utilise the data for any purpose other than the original and explicitly stated purpose under which it was obtained. The Operator may also not utilise any information without the permission and knowledge of the Responsible Party. The Operator is responsible for immediate notification to the Responsible Party if it is believed that the data was accessed by an unauthorised individual and/or entity,” she adds.

The Operator will have to ensure, and be able to prove, that the data obtained was utilised for its intended purpose; that the processing of the information was done under the instruction and authorisation of the Responsible Party; that safeguards were put into place to ensure that the data is protected while being processed; that the highest level of ethical and confidential rules and regulations were adhered to in the processing of the information; and that corrective measures were implemented in instances where a breach of data has occurred.

“The Operator has a very delicate job. If you think of the Responsible Party as a hospital theatre, the Operator is the surgeon. The Operator is not only responsible for processing the information for its intended purpose (although this is the primary function), but the Operator must also ensure that this processing is done with the highest level of confidentiality,” concludes Peter.

While Responsible Parties are charged with the duty of ensuring that the data is protected, Operators carry a similar responsibility within their processing procedures. These two roles, although often performed by separate entities, are part of the same whole. It is a partnership through which all rules and regulations as outlined by PoPIA must be complied with.

As part of Impression Signature’s PoPIA Campaign, smaller businesses shouldn’t be precluded from being able to comply with the Act simply because they don’t have large budgets. To this end, the Impression Campaign offers free guidance, simplifying the roles and responsibilities to empower all companies to comply.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Communication in any situation
Issue 8 2020, Elvey Security Technologies , Global Communications , Security Services & Risk Management
Global Communications offers an industry-first with five-year warranty on select Kenwood two-way radios.

The year resilience paid off
Issue 8 2020 , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

mySOS targets neighbourhood safety
Issue 2 2021 , Security Services & Risk Management
Beyond protection for valuables and premises, people are also looking to ensure their personal safety and that of their loved ones as they move around and within community areas.

Staying safe with tap-and-go
Issue 2 2021 , Security Services & Risk Management
When it comes to tap-and-go functionality, security does not fall within the ambit of only one particular link in the value chain; banks, retailers and users have a part to play in safeguarding these devices and transactions.

Free technology to boost future careers
Issue 2 2021 , Cyber Security, Security Services & Risk Management
A global shortage of cybersecurity professionals has become so severe that companies are increasingly at risk from hacking and industrial espionage.

Banking on radio
Issue 2 2021, Global Communications , Security Services & Risk Management
Communicating between built-up and remote areas is often not possible using cellular technology since signals may be poor or non-existent. This is where two-way radios come to the fore.

Dealing with farm attacks
Issue 2 2021, Technews Publishing , Editor's Choice, Integrated Solutions, Security Services & Risk Management, Agriculture (Industry)
Brutal farm attacks are unfortunately a common event in South Africa. Laurence Palmer suggests a proactive, community-based approach as the optimal way to prevent these heinous crimes from happening in the first place.

Change management for project ROI and reduced risk
Issue 1 2021, AVeS Cyber Security , Security Services & Risk Management
Companies that prioritise their employees’ change journeys during digital transformation projects, such as the remote working initiatives seen in 2020, are less exposed to risk and more likely to realise the return on their investments.

Optimising guarding through technology
Residential Security Handbook 2021: Smart Estate Living , Fidelity Services Group , Technews Publishing , Security Services & Risk Management
While technology is nowhere near being advanced enough to replace human guards, it is able to enhance their performance and safety when implemented in an efficient manner. Hi-Tech Security Solutions asked Wahl Bartmann how technology is optimising the guarding function in residential estates.

Integrating technology and human resources for effective security
Residential Security Handbook 2021: Smart Estate Living , Bloodhound Technologies , Security Services & Risk Management
Bloodhound’s workforce management tools make it easier to manage and optimise guarding services on estates, going far beyond simply checking that someone is at their post or on patrol.