How the “Operator” Must Use Personal Information
As the Protection of Personal Information Act (PoPIA) is a few months away from being enforced, organisations and responsible parties have had to gain an in-depth understanding of the rules and regulations that must be adhered to. While much focus has been placed on the roles and responsibilities that must be fulfilled to meet the standards of PoPIA, the role of the Operator must also be highlighted.
“The Operator plays a vital function and as such it is crucial that his/her duties and responsibilities are adequately understood. The Responsible Party is charged with ensuring that the personal information obtained is protected, but it is the Operator who actually uses the data provided,” explains Carrie Peter, Solution Owner at Impression Signatures.
As part of Impression Signature’s PoPIA Campaign, smaller businesses shouldn’t be precluded from being able to comply with the Act simply because they don’t have large budgets. To this end, the Impression Campaign offers free guidance, simplifying the roles and responsibilities to empower all companies to comply.
The Operator can be a person, a system, or a third-party service provider who works in conjunction with the Responsible Party but is not necessarily under the authority of the Responsible Party. The Operator’s primary responsibility is to process the information obtained by the data subject for its intended purpose; i.e. making sure that the information is being utilised for the purpose for which consent was given. If the Operator is a third-party provider and not causally linked to the organisation, consent will need to be obtained from the data subject for the Operator to process the personal information.
“Consent is of the highest importance within PoPIA. The data subject must be informed and give consent for the purpose and use of the personal information, as well as each individual organisation or entity that will have access to this information to fulfil the required purpose,” continues Peter.
Due to the Operator not being under the direct authority of the Responsible Party, the Responsible Party will require evidence and assurance from the Operator that all necessary standards and regulations are being adhered to. This is because, although the Operator is not under the Responsible Party’s authority, the Responsible Party is still accountable for what the Operator does with the personal information at hand.
This is an important point to highlight because it means that responsible parties must be assured of the Operators with which they work. It is imperative that the Operators are vetted and can prove their compliance to the required standards as outlined by PoPIA and included in a contract that will be signed between the Operator and the Responsible Party.
“The Operator may not utilise the data for any purpose other than the original and explicitly stated purpose under which it was obtained. The Operator may also not utilise any information without the permission and knowledge of the Responsible Party. The Operator is responsible for immediate notification to the Responsible Party if it is believed that the data was accessed by an unauthorised individual and/ or entity,” she adds.
The Operator will have to ensure, and be able to prove, that the data obtained was utilised for its intended purpose; that the processing of the information was done under the instruction and authorisation of the Responsible Party; that safeguards were put into place to ensure that the data is protected while being processed; that the highest level of ethical and confidential rules and regulations were adhered to in the processing of the information; and that corrective measures were implemented in instances where a breach of data has occurred.
“The Operator has a very delicate job. If you think of the Responsible Party as a hospital theatre, the Operator is the surgeon. The Operator is not only responsible for processing the information for its intended purpose (although this is the primary function), but the Operator must also ensure that this processing is done with the highest level of confidentiality,” Concludes Peter.
While Responsible Parties are charged with the duty of ensuring that the data is protected, Operators carry a similar responsibility within their processing procedures. These two roles, although often performed by separate entities, are part of the same whole. It is a partnership through which all rules and regulations as outlined by PoPIA must be complied with.
