In our February Newsletter we indicated that we had identified the need to provide our clients with a more detailed discussion of the requirements and Conditions for Lawful Processing provided for in the Protection of Personal Information Act 4 of 2013 (POPI). Last month we introduced you to our POPI series.
This article is the second in the series and the first to discuss one of the eight Conditions for Lawful Processing in detail.
Condition 1 relates to the “accountability” of the organisation.
In terms of section 8 of POPI:
“Responsible party to ensure conditions for lawful processing.—The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.”
In our view, accountability is essentially the point of departure, in that it imposes a general requirement to take the steps necessary to ensure that all the other POPI conditions and requirements are met.
What does “accountability” mean?
“Accountability” is not defined in the Act. Some dictionary definitions include:
- “The fact or condition of being accountable or responsible”
- “To give an account or be answerable”
- “The obligation of an individual or organization to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner.”
- “Taking or being assigned responsibility for something that you have done or something you are supposed to do.”
From the above it is clear that accountability means accepting responsibility and taking ownership, so as to ensure that the organisation processes personal information in the manner intended by the Act.
Who is accountable in this regard?
In terms of POPI, this responsibility is placed squarely on the shoulders of the person (natural or juristic) that the Act refers to as the “Responsible Party”. The Act defines “Responsible Party” as follows: “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.
What does it mean practically?
Condition 1 requires the Responsible Party to ensure that all the conditions are complied with from the time the personal information (PI) is collected up to and including the time it is destroyed.
How will the Responsible Party achieve this?
We believe that, although an Information Officer will be appointed for the organisation, it is best to implement a strategy under which each department within the business takes responsibility for POPI compliance within its own division, so that each business unit is accountable in its own right.
We furthermore believe that organisations will need to implement measures to hold individuals accountable, meaning that there should be consequences for “not doing what you are supposed to be doing”. For example, if a policy exists (a clean desk policy, say), the business division must take responsibility for ensuring, and monitoring, that the division actually implements that policy.
Ongoing training will of course also assist with the challenging task of becoming, and remaining, an organisation that processes personal information in accordance with the POPI principles.
Essentially, appointed individuals within an organisation will be required to take the initiative in implementing POPI requirements and to ensure that business units comply, by putting in place the business processes and policies that support POPI compliance. As the “person” (the Responsible Party) who decides on the purpose of and means for processing personal information, you must accept accountability for ensuring that your organisation processes personal information responsibly and in compliance with the Act.