Our previous POPIA articles have examined various aspects of the Protection of Personal Information Act 4 of 2013 (“POPIA“) at length, most notably, the various conditions for processing personal information. In this post, we will examine the roles of “responsible party” and “operator” in terms of POPIA and what each of these roles entails, along with the rights and responsibilities of the roles.
The main purpose of POPIA is to regulate the use of personal information (as defined by POPIA and summarised below) and to provide for adequate security measures to protect personal information, and the different parties in a relationship will have to comply with these measures in certain ways. Therefore, these roles are important to consider as they have a profound impact on the relationships between responsible parties and operators and also affect the way in which information is processed and used.
What do these terms mean?
- “responsible party” means the party who determines the purpose of and means for processing personal information. This decision may be made alone or in conjunction with another party.
- “operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, but does not come under the direct authority or control of the responsible party.
- “processing” means any activity (including automatic means) concerning personal information, and includes the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use, distribution by means of transmission, distribution or making available in any other form or merging, linking, and restriction, degradation, erasure or destruction of information.
- “personal information” is information relating to an identifiable, living person and is not limited to information relating to race, gender, marital status, pregnancy, ethnicity, age, health, disability, religion, language, culture, education and employment, criminal history, identity number, contact details, biometric information, personal opinion, etc.
What is the difference between a responsible party and an operator?
As set out above, responsible parties determine the purpose for processing information, what information is processed, for how long and how it is processed. Where an operator is involved, the responsible party will still determine the purpose for processing etc, but will outsource the processing of the information to the operator. The responsible party therefore still makes all decisions in relation to the information and the operator acts in accordance with these decisions and on the instructions from the responsible party.
The responsible party remains ultimately accountable for ensuring that POPIA is complied with by both itself and all operators providing services to the responsible party. The outsourcing or sub-contracting of any processing activities to operators does not absolve the responsible party from liability. If the operator contravenes POPIA, the responsible party will still be held liable by the Information Regulator.
The importance of contracts when appointing an operator
As with many other relationships, a contractual agreement between a responsible party and operator will prove very useful and high highly recommended in order to definitively address and govern the roles of each party and the boundaries of the relationship.
An agreement between the responsible party and operator should address, at the least, the following points:
- That the operator only acts within the ambit of the agreement/mandate with the responsible party;
- The purpose for processing of the information;
- What information may be processed by the operator;
- What the operator may or may not do with the information outside of the processing mandate;
- A duty to protect the information received, not share it with third parties without consent, to keep the information received confidential and to otherwise act within the ambit of POPIA;
- Limit the operator from appointing further operators without the responsible party’s knowledge or consent; and
- Liability for the operator*.
Liability for the operator
As mentioned above, the responsible party will be held ultimately liable by the Information Regulator for a breach of POPIA by the operator. The Information Regulator will impose this liability on the responsible party where the breach occurred within the scope of the mandate agreement between the responsible party and the operator and will not be diverted to the operator where the breach is as a result of the operator’s failure to uphold the principles of POPIA.
Therefore, the agreement between the responsible party and the operator is extremely important for the responsible party as this agreement can result in the responsible party holding the operator liable for any claims that the Information Regulator and/or data subjects (the people whose personal information is being processed) bring against the responsible party as a result of a breach of POPIA by the operator. A liability clause will allow the responsible party to bring a claim for any loss suffered by the responsible party as a result of the operator’s negligence or breach of POPIA.
Some relief for a responsible party in this regard is where an operator breaches POPIA where the operator has exceeded its mandate. In these circumstances, the operator is seen to be acting as a responsible party in regard to the personal information as the operator is determining the purposes and means of processing.
We cannot emphasise the importance of an agreement between a responsible party and operator enough as such an agreement sets out the important details of the relationship between the operator and responsible party and aims to protect not only the responsible party, but also the operator by detailing the extent of the processing and other responsibilities that the operator undertakes.
Make sure that you know when you act as a responsible party and when you are acting as an operator as your responsibilities will differ along with your liability.