PoPIA: How the ‘Operator’ must use personal information

Issue 2 2021 Security Services & Risk Management

As the Protection of Personal Information Act (PoPIA) is only three months away from being enforced, organisations and responsible parties have had to gain an in-depth understanding of the rules and regulations that must be adhered to. While much focus has been placed on the roles and responsibilities that must be fulfilled to meet the standards of PoPIA, the role of the Operator must also be highlighted.

“The Operator plays a vital function and as such it is crucial that his/her duties and responsibilities are adequately understood. The Responsible Party is charged with ensuring that the personal information obtained is protected, but it is the Operator who actually uses the data provided,” explains Carrie Peter, solution owner at Impression Signatures.


Carrie Peter.

The Operator can be a person, a system, or a third-party service provider that works in conjunction with the Responsible Party but is not necessarily under the authority of the Responsible Party. The Operator’s primary responsibility is to process the information obtained from the data subject for its intended purpose, i.e., making sure that the information is being utilised for the purpose for which consent was given. If the Operator is a third-party provider and not causally linked to the organisation, consent will need to be obtained from the data subject for the Operator to process the personal information.

“Consent is of the highest importance within PoPIA. The data subject must be informed and give consent for the purpose and use of the personal information, as well as each individual organisation or entity that will have access to this information to fulfil the required purpose,” continues Peter.

Due to the Operator not being under the direct authority of the Responsible Party, the Responsible Party will require evidence and assurance from the Operator that all necessary standards and regulations are being adhered to. This is because, although the Operator is not under the Responsible Party’s authority, the Responsible Party is still accountable for what the Operator does with the personal information at hand.

This is an important point to highlight because it means that responsible parties must be sure of the Operators with which they work. It is imperative that the Operators are vetted and can prove their compliance to the required standards as outlined by PoPIA and included in a contract that will be signed between the Operator and the Responsible Party.

“The Operator may not utilise the data for any purpose other than the original and explicitly stated purpose under which it was obtained. The Operator may also not utilise any information without the permission and knowledge of the Responsible Party. The Operator is responsible for immediate notification to the Responsible Party if it is believed that the data was accessed by an unauthorised individual and/or entity,” she adds.

The Operator will have to ensure, and be able to prove, that the data obtained was utilised for its intended purpose; that the processing of the information was done under the instruction and authorisation of the Responsible Party; that safeguards were put into place to ensure that the data is protected while being processed; that the highest level of ethical and confidential rules and regulations were adhered to in the processing of the information; and that corrective measures were implemented in instances where a breach of data has occurred.

“The Operator has a very delicate job. If you think of the Responsible Party as a hospital theatre, the Operator is the surgeon. The Operator is not only responsible for processing the information for its intended purpose (although this is the primary function), but the Operator must also ensure that this processing is done with the highest level of confidentiality,” concludes Peter.

While Responsible Parties are charged with the duty of ensuring that the data is protected, Operators carry a similar responsibility within their processing procedures. These two roles, although often performed by separate entities, are part of the same whole. It is a partnership through which all rules and regulations as outlined by PoPIA must be complied with.

As part of Impression Signature’s PoPIA Campaign, smaller businesses shouldn’t be precluded from being able to comply with the Act simply because they don’t have large budgets. To this end, the Impression Campaign offers free guidance, simplifying the roles and responsibilities to empower all companies to comply.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Identity recovery matters most
Security Services & Risk Management
As cyberattacks grow more targeted, more destructive, and increasingly aimed at the very fabric of trust within the enterprise, the ability to restore identities has become just as critical as restoring data.

Read more...
ISO 27701 helps demonstrate privacy compliance beyond POPIA
Security Services & Risk Management
ISO 27701 include privacy-specific controls and provides a structured way to manage Personally Identifiable Information (PII) throughout its lifecycle, giving organisations a way to demonstrate how privacy is managed.

Read more...
Echoes of 2018? Follow-up on Woolworths explosions
Technews Publishing News & Events Security Services & Risk Management Retail (Industry) Facilities & Building Management
SMART Security Solutions follows up with Jimmy Roodt to find out more about an old connection to the Woolworths bombings from 2018. The investigation remains ongoing.

Read more...
Increase in cyberattacks on the manufacturing sector
Security Services & Risk Management News & Events Industrial (Industry)
According to a new Kaspersky ICS CERT report, in the first quarter of 2026, the percentage of industrial control systems (ICS) on which malicious objects were blocked reached 19,6% globally.

Read more...
Next-generation cash-in-transit vehicle
News & Events Security Services & Risk Management
Fidelity Services Group has unveiled a new, purpose-engineered Cash-in-Transit (CIT) vehicle designed to redefine crew protection, deter threats, and enhance operational resilience in an increasingly complex criminal environment.

Read more...
The risk at the edge of South Africa’s agriculture supply chain
Security Services & Risk Management Agriculture (Industry) Logistics (Industry)
Research from ESET has found that a significant number of South African agritech operators and farmers continue to believe their companies are not attractive targets for cybercriminals. Unfortunately, that belief is precisely what makes them one.

Read more...
AURA partners with Discovery to launch Discovery 911
News & Events Security Services & Risk Management
AURA has announced a partnership with Discovery Insure to power the security-response component of its new Discovery 911 virtual panic-button offering, which is available through the Discovery Insure app.

Read more...
Break the silence on fraud
Security Services & Risk Management
We are entering a new era of fraud, one defined by groups that operate across borders, using advanced digital tools and impersonation tactics to deceive victims and wear down communities' trust and financial security.

Read more...
Africa’s white-collar crime landscape
Security Services & Risk Management
White-collar crime in Africa is no longer a predominantly domestic concern; it has expanded onto the international stage, and so too has the corporate exposure that accompanies it.

Read more...
Global security in 2026
Editor's Choice News & Events Security Services & Risk Management Industrial (Industry) Mining (Industry)
The World Security Report 2026 states: “In a world of increasing volatility, physical security has evolved. It is no longer just a defensive measure; it is a critical driver of corporate value.”

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.