The Protection of Personal Information Act (POPIA) defines a number of different persons who may either be involved in and/or responsible for the processing and protection of personal data, or, alternatively, are the persons to whom such personal data relates. One of these persons is the “operator”.
This article provides a high-level overview of the role of an operator, how the position compares to the role of the “responsible party” and what organisations should practically be considering when it comes to implementing compliance measures which this role may involve.
Who is an operator?
Section 1 of POPIA defines an operator as “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”. In other words, an operator is a person (for example, a registered entity, such as a company, public authority, department, or a natural person), contracted by another person, the responsible party, to assist with the processing of personal information for such responsible party.
For example, an operator may be a vendor or service provider of a company who assists the company in being able to provide its customers with its goods or services and manage its business processing activities, such as an outsourced IT service provider, HR service provider, or a supplier to a distributing business.
Who is responsible in the event of a breach?
The responsible party is the “public or private body or any other person, which alone or in conjunction with others, determines the purpose of and means for processing personal information”. For example, a responsible party is a company that provides goods and services to its customers (data subjects) and, in order to effectively do this, it needs to make a decision on what information (which may include personal data) it may require of its customers to effectively deliver its products.
The responsible party is accountable to the Information Regulator and data subjects, and liable for ensuring that personal data is processed lawfully. The operator follows the instructions of the responsible party by virtue of a written contractual mandate which may take the form of an operator agreement (also known as a data processing agreement), which can either be concluded as a separate agreement or incorporated into an existing service level agreement.
What this means is that in the event of any breach occurring or complaint being lodged by a data subject, it is the responsible party who remains solely responsible for managing and/or reporting the incident and/or complaint, not the operator. Any right of recourse that the responsible party may have, in the case that the operator is to blame, will rest in the contract between the parties whereby their relationship, duties and any indemnifications are clearly defined.
Taking into account an organisation's own circumstances, it may be possible that it plays multiple roles, whereby in one business relationship scenario it is the operator, and in another, it is the responsible party.
Furthermore, POPIA caters for joint responsibility whereby in a particular processing activity there is more than one person who is determining the means and purpose for processing the personal data, as opposed to one responsible party solely determining the means and purpose and mandating an operator to assist it with such processing on its behalf. It follows that, in the first instance, these parties will be jointly liable as co-responsible parties to the Information Regulator and towards data subjects.
In the ordinary course of business an operator may wish to contract sub-operators to assist it in the performance of its mandate towards the responsible party. For example, a maintenance company, as an operator, who has signed a written agreement with a homeowners association (responsible party), may decide to sub-contract builders for the intended project work.
Therefore, the roles and responsibilities should be clearly set out and distinguished from the outset, and should define whether your organisation is indeed an operator or alternatively a joint responsible party, or perhaps a sub-operator.
What should an organisation consider regarding responsible party - operator relationships?
Ensuring you know exactly what role your organisation plays in processing activities is vital to avoid attracting penalties such as hefty fines from the Information Regulator (not to mention any other data protection authority which may be competent in the circumstances), or even reputational damage and court action for damages by persons whose privacy rights have not been considered or maintained.
If you are an operator you may be inclined not to worry about safeguarding against risks and having an operator agreement in place, since your organisation may not be responsible for accounting to the Information Regulator. However, ensuring the terms and conditions in a business relationship are clearly defined, to avoid unnecessary delays, damages and potential disputes, miscommunication or litigation, makes sound business sense. It is therefore recommended that, no matter whether you are a responsible party or an operator in a certain scenario, you consider reviewing all existing and/or future contractual relationships with partners and/or service providers to understand the dynamics of who is accountable and to ensure that any processing of personal data remains lawful.
In this regard, POPIA remains silent on what terms and conditions an operator agreement must contain other than providing that any agreement should be reduced to writing. However, in the absence of any official guidance and interpretation of POPIA's provisions, we may be guided by the principles and interpretation of the European Union’s General Data Protection Regulation (GDPR), which in Article 28(3) outlines the minimum terms in a data processing agreement.
According to Article 28(3) of the GDPR, an operator agreement should address at least the following aspects:
- The subject matter and duration of the processing;
- The nature and purpose of processing the personal data;
- The types of personal data being processed and the categories of data subjects;
- The responsible party's obligations and rights;
- That the processing may only take place on the documented instructions of the responsible party (i.e. duty of the operator);
- A duty of confidentiality (i.e. duty of the operator);
- The appropriate security measures that will be put in place by the operator to ensure the personal data is safeguarded;
- Regulating the possibility of using sub-operators;
- An outline of the data subjects' rights;
- The operator's duty to assist the responsible party in certain circumstances;
- The terms governing the termination and/or ending of the agreement and duties in relation thereto;
- The managing and regulation of audits and inspections; and
- Indemnification and limitation of liability.
POPIA, unlike the GDPR, does not explicitly refer to any requirement for an operator (data processor), based on the scale and type of processing being conducted, to have a representative in South Africa where the responsible party has mandated the operator to process personal data on its behalf and the operator is located outside South Africa.
Going forward, guidance issued by the Information Regulator and interpretations of POPIA's provisions by South African courts may result in certainty in relation to this and other practical uncertainties that may arise in relation to the operator – responsible party relationship.
Bear in mind that an organisation's circumstances will need to be considered and applied to POPIA's conditions and any other applicable data protection law, and that it may further be the case that the parties agree to supplement the operator agreement with additional terms.
This article is intended for information purposes only and is a brief exposition of the abovementioned legal position. Mention is not necessarily made of all the finer nuances as set out in the abovementioned legislation. This article should not be construed as formal legal advice. Contact VDT Attorneys at the details below for legal support and advice.
www.vdt.co.za | 012 – 452 1300 | info@vdt.co.za
© VDT Attorneys