Tax and Legal Insights | 3 min read

POPIA explained – Part 1

The role players

The final commencement date of the Protection of Personal Information Act, 2013 (“POPIA”) was recently announced. This was reported on in last week’s issue of the Glacier Weekly where we explained POPIA and the implications of its commencement.

Over the next few weeks we’ll focus on one specific aspect of POPIA, in detail. In this edition we’ll start with taking a closer look at the role players.

Quick recap – the crux of POPIA

Before we get into the detail, let’s quickly recap what POPIA aims to achieve. POPIA gives effect to the right to privacy set out in the Constitution: it provides the regulatory framework within which organisations may process personal information, thereby giving individuals control over how their personal information is used or disclosed.

In essence, POPIA applies to the processing of personal information of a data subject by or on behalf of a responsible party.

The role players

POPIA identifies three main role players, namely:

  1. The data subject;
  2. A responsible party; and
  3. An operator.

Let’s look at each in more detail.

Who is the “data subject”?

The “data subject” is the person to whom the personal information relates. Personal information is information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person (e.g. information about race, gender, marital status, age, health, disability, language, education and employment, criminal history, identity number, contact details, etc.).

(*PS: we will discuss “personal information” in more detail in a later edition.)

Who is the “responsible party”?

Section 1 defines a “responsible party” as a public or private body (or any other person) which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

Put simply: it’s the person/entity who decides what personal information must be processed and how it is processed.

*PS: POPIA applies only to responsible parties domiciled in the Republic or, where the responsible party is not domiciled in the Republic, to those that make use of automated or non-automated means in the Republic to process personal information (unless those means are used only to forward personal information through the Republic).

A few examples of responsible parties:

  • Retirement funds;
  • Product providers; and
  • Financial intermediaries.

*Remember: each company within a group has its own separate juristic personality and is therefore regarded as a responsible party in its own right.

Who is the “Operator”?

Responsible parties will not always process personal information themselves – certain functions (which involve the processing of personal information) may be outsourced to a third party. In the context of POPIA, this third party is referred to as an operator.

An “operator” is a person (natural or juristic) who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that responsible party.

A few examples of operators:

  • Tracing agents;
  • Retirement fund administrators; and
  • Third-party service providers.

The importance of a contract between the responsible party and the operator

Even where the processing of personal information is done by the operator (and not by the responsible party itself), it is still the responsible party who decides what must be processed and how. The responsible party therefore remains accountable for ensuring that POPIA is complied with. (PS: the Information Regulator can hold the responsible party liable for contraventions committed by the operator.)

POPIA sets specific requirements for the processing of personal information by operators. It requires the responsible party to enter into a written contract with the operator which:

  1. ensures that the operator establishes and maintains the security measures that apply to the responsible party itself (the integrity and confidentiality safeguards set out in section 19); and
  2. places a contractual obligation on the operator to notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person.

The operator, in turn, must:

  1. process personal information only with the knowledge or authorisation of the responsible party; and
  2. treat the personal information which comes to its knowledge as confidential and not disclose it, unless required by law or in the course of the proper performance of its duties.

Conclusion

As stated above, outsourcing to an operator any service which involves the processing of personal information on behalf of the responsible party does not absolve the responsible party from liability. It is therefore vital that responsible parties use only reputable operators and review their existing contracts to ensure that these meet the requirements explained above (and include appropriate indemnities!). In practice, that means the contract should spell out which security measures the operator must maintain and how, and how quickly, it must report unauthorised access to personal information.

Now that we have discussed the role players, we can move on to taking a closer look at the types of personal information and the different requirements for the processing thereof, as well as what is meant by the term “processing” – more on this in the next edition.

Glacier Financial Solutions (Pty) Ltd and Sanlam Life Insurance Ltd are licensed financial services providers
