Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

PoPIA: How the ‘Operator’ must use personal information

Issue 2 2021 Security Services & Risk Management

As the Protection of Personal Information Act (PoPIA) is only three months away from being enforced, organisations and responsible parties have had to gain an in-depth understanding of the rules and regulations that must be adhered to. While much focus has been placed on the roles and responsibilities that must be fulfilled to meet the standards of PoPIA, the role of the Operator must also be highlighted.

“The Operator plays a vital function and as such it is crucial that his/her duties and responsibilities are adequately understood. The Responsible Party is charged with ensuring that the personal information obtained is protected, but it is the Operator who actually uses the data provided,” explains Carrie Peter, solution owner at Impression Signatures.


Carrie Peter.

The Operator can be a person, a system, or a third-party service provider that works in conjunction with the Responsible Party but is not necessarily under the authority of the Responsible Party. The Operator’s primary responsibility is to process the information obtained from the data subject for its intended purpose, i.e., making sure that the information is being utilised for the purpose for which consent was given. If the Operator is a third-party provider and not causally linked to the organisation, consent will need to be obtained from the data subject for the Operator to process the personal information.

“Consent is of the highest importance within PoPIA. The data subject must be informed and give consent for the purpose and use of the personal information, as well as each individual organisation or entity that will have access to this information to fulfil the required purpose,” continues Peter.

Due to the Operator not being under the direct authority of the Responsible Party, the Responsible Party will require evidence and assurance from the Operator that all necessary standards and regulations are being adhered to. This is because, although the Operator is not under the Responsible Party’s authority, the Responsible Party is still accountable for what the Operator does with the personal information at hand.

This is an important point to highlight because it means that responsible parties must be sure of the Operators with which they work. It is imperative that the Operators are vetted and can prove their compliance to the required standards as outlined by PoPIA and included in a contract that will be signed between the Operator and the Responsible Party.

“The Operator may not utilise the data for any purpose other than the original and explicitly stated purpose under which it was obtained. The Operator may also not utilise any information without the permission and knowledge of the Responsible Party. The Operator is responsible for immediate notification to the Responsible Party if it is believed that the data was accessed by an unauthorised individual and/or entity,” she adds.

The Operator will have to ensure, and be able to prove, that the data obtained was utilised for its intended purpose; that the processing of the information was done under the instruction and authorisation of the Responsible Party; that safeguards were put into place to ensure that the data is protected while being processed; that the highest level of ethical and confidential rules and regulations were adhered to in the processing of the information; and that corrective measures were implemented in instances where a breach of data has occurred.

“The Operator has a very delicate job. If you think of the Responsible Party as a hospital theatre, the Operator is the surgeon. The Operator is not only responsible for processing the information for its intended purpose (although this is the primary function), but the Operator must also ensure that this processing is done with the highest level of confidentiality,” concludes Peter.

While Responsible Parties are charged with the duty of ensuring that the data is protected, Operators carry a similar responsibility within their processing procedures. These two roles, although often performed by separate entities, are part of the same whole. It is a partnership through which all rules and regulations as outlined by PoPIA must be complied with.

As part of Impression Signature’s PoPIA Campaign, smaller businesses shouldn’t be precluded from being able to comply with the Act simply because they don’t have large budgets. To this end, the Impression Campaign offers free guidance, simplifying the roles and responsibilities to empower all companies to comply.




Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

957 women killed in three months
News & Events Security Services & Risk Management
Despite years of summits, task teams and public commitments, South Africa’s femicide rate remains around five times higher than the global average, and too few are using the legal lifelines available.

Read more...
The security debt hidden in residential estates
Security Services & Risk Management Integrated Solutions Residential Estate (Industry)
Many residential estates undermine their own security not through a lack of technology, but through hidden weaknesses in gate design, fragmented systems, recurring software dependence, weak operational ownership, and insufficient estate management input.

Read more...
Verification is reshaping South Africa’s labour market
Security Services & Risk Management Asset Management Commercial (Industry)
Hiring faster, trusting less: in a labour market defined by both constraint and potential, the ability to hire with confidence may well become one of the most important competitive advantages.

Read more...
Africa’s opportunity to shape the future of human-centred AI
AI & Data Analytics Security Services & Risk Management
Across the Global South, countries are not yet locked into decades of legacy AI systems, energy-intensive infrastructure, or governance frameworks designed for a different technological era. That creates something rare in technology development: a cleaner slate.

Read more...
AURA appoints Taryn Winer as global head of people
News & Events Security Services & Risk Management
Following its €13,5 million Series B funding round last year and accelerating international expansion, particularly across the United States, AURA has appointed Taryn Winer as global head of people.

Read more...
95% do not have full trust in cybersecurity vendors
Information Security Security Services & Risk Management
Trust in cybersecurity vendors is fragile, difficult to measure, and increasingly shaping risk posture at both operational and board levels. Lack of verifiable transparency undermines cybersecurity decision-making, according to Sophos-backed research.

Read more...
Enhancing control room operations
iFacts Security Services & Risk Management Surveillance
As South Africa faces complex and more advanced security challenges, the demand for advanced surveillance solutions, including CCTV and security control rooms, continues to surge, but what about the people in front of the screens?

Read more...
Understanding the Shared Responsibility Model
Infrastructure Security Services & Risk Management
While the cloud can certainly be a growth enabler in many ways, it can also introduce new security risks. Companies want to have a clear understanding of where their security duties end and where their cloud service provider’s begin.

Read more...
“This Is Theft!” SASA slams Mafoko Security
News & Events Security Services & Risk Management Associations
The Security Association of South Africa (SASA) has issued a stark warning that the long-running Mafoko Security Patrols scandal is no longer an isolated case of employer misconduct, but evidence of a systemic failure in South Africa’s regulatory and governance structures.

Read more...
Making a mesh for security
Information Security Security Services & Risk Management
Credential-based attacks have reached epidemic levels. For African CISOs in particular, the message is clear: identity is now the perimeter, and defences must reflect that reality with coherence and context.

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.