PoPIA: How the ‘Operator’ must use personal information

Issue 2 2021 Security Services & Risk Management

As the Protection of Personal Information Act (PoPIA) is only three months away from being enforced, organisations and responsible parties have had to gain an in-depth understanding of the rules and regulations that must be adhered to. While much focus has been placed on the roles and responsibilities that must be fulfilled to meet the standards of PoPIA, the role of the Operator must also be highlighted.

“The Operator plays a vital function and as such it is crucial that his/her duties and responsibilities are adequately understood. The Responsible Party is charged with ensuring that the personal information obtained is protected, but it is the Operator who actually uses the data provided,” explains Carrie Peter, solution owner at Impression Signatures.

Carrie Peter.

The Operator can be a person, a system, or a third-party service provider that works in conjunction with the Responsible Party but is not necessarily under the authority of the Responsible Party. The Operator’s primary responsibility is to process the information obtained from the data subject for its intended purpose, i.e., making sure that the information is being utilised for the purpose for which consent was given. If the Operator is a third-party provider and not causally linked to the organisation, consent will need to be obtained from the data subject for the Operator to process the personal information.

“Consent is of the highest importance within PoPIA. The data subject must be informed and give consent for the purpose and use of the personal information, as well as each individual organisation or entity that will have access to this information to fulfil the required purpose,” continues Peter.

Due to the Operator not being under the direct authority of the Responsible Party, the Responsible Party will require evidence and assurance from the Operator that all necessary standards and regulations are being adhered to. This is because, although the Operator is not under the Responsible Party’s authority, the Responsible Party is still accountable for what the Operator does with the personal information at hand.

This is an important point to highlight because it means that responsible parties must be sure of the Operators with which they work. It is imperative that the Operators are vetted and can prove their compliance to the required standards as outlined by PoPIA and included in a contract that will be signed between the Operator and the Responsible Party.

“The Operator may not utilise the data for any purpose other than the original and explicitly stated purpose under which it was obtained. The Operator may also not utilise any information without the permission and knowledge of the Responsible Party. The Operator is responsible for immediate notification to the Responsible Party if it is believed that the data was accessed by an unauthorised individual and/or entity,” she adds.

The Operator will have to ensure, and be able to prove, that the data obtained was utilised for its intended purpose; that the processing of the information was done under the instruction and authorisation of the Responsible Party; that safeguards were put into place to ensure that the data is protected while being processed; that the highest level of ethical and confidential rules and regulations were adhered to in the processing of the information; and that corrective measures were implemented in instances where a breach of data has occurred.

“The Operator has a very delicate job. If you think of the Responsible Party as a hospital theatre, the Operator is the surgeon. The Operator is not only responsible for processing the information for its intended purpose (although this is the primary function), but the Operator must also ensure that this processing is done with the highest level of confidentiality,” concludes Peter.

While Responsible Parties are charged with the duty of ensuring that the data is protected, Operators carry a similar responsibility within their processing procedures. These two roles, although often performed by separate entities, are part of the same whole. It is a partnership through which all rules and regulations as outlined by PoPIA must be complied with.

As part of Impression Signature’s PoPIA Campaign, smaller businesses shouldn’t be precluded from being able to comply with the Act simply because they don’t have large budgets. To this end, the Impression Campaign offers free guidance, simplifying the roles and responsibilities to empower all companies to comply.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Numerous challenges for transport and logistics
Transport (Industry) CCTV, Surveillance & Remote Monitoring Security Services & Risk Management Logistics (Industry)
Operators are making significant investments in automation and digitalisation in order to address security concerns, improve loss prevention as well as efficiency, and reduce unit order costs.

Defining the resilience of cybersecurity
Cyber Security Security Services & Risk Management
Cyber resilience is less buzzword and more critical business strategy as the cybercrime landscape grows in intent and intensity.

Technology and the future of security installation in South Africa
Editor's Choice Integrated Solutions Security Services & Risk Management
What are the technologies and trends shaping installation, service and maintenance teams globally, and how will they shape South African businesses today and in the future?

The technology wave implications for staff mismatches in control rooms
Leaderware Editor's Choice Security Services & Risk Management
An industry habit of looking at control rooms through a physical security lens has increasingly left clients and staff at a disadvantage in keeping up with control room technology and demands.

Streamlining processes, integrating operations
Security Services & Risk Management Integrated Solutions Transport (Industry) Logistics (Industry)
With Trackforce Valiant, Airbus now has one single platform that connects its security guards, supervisors and management across its organisation.

Smollan partners with FleetDomain
Logistics (Industry) Asset Management, EAS, RFID Security Services & Risk Management Transport (Industry)
Smollan has been using FleetDomain to manage its fleet of around 2000 vehicles in South Africa, enabling it to contain costs and manage its fleet much more effectively.

Smarter parking services
Security Services & Risk Management Transport (Industry) Logistics (Industry)
Smart technologies are changing the face of parking services and helping property owners realise their commercial objectives.

Adopting a cyber-secure mindset
Security Services & Risk Management Cyber Security
Adopting a cybersecure mindset is the key to mitigating the risk of falling victim to the growing cybercrime pandemic.

SAFPS warns against advance-fee scam
News Security Services & Risk Management
The Southern African Fraud Prevention Service (SAFPS) has warned consumers of an advance-fee scam where the perpetrator is falsely presenting themself as a representative of the SAFPS.

Fire prevention in your home or business?
Fidelity Services Group Fire & Safety Security Services & Risk Management
A recent fire at a nightclub in Boksburg has once again highlighted the importance of fire safety for both homes and businesses. When a fire breaks out, the consequences can be devastating.