
Lawful Processing Of Information – Accountability

June 12, 2017

By Exigent Group



In our previous blog posts we gave a high-level overview of the Protection of Personal Information Act (POPI) and its potential impact on your organization. We also touched on the eight conditions for the lawful processing of personal information set out in the Act, which are:

  1. accountability;
  2. processing limitation;
  3. purpose specification;
  4. further processing limitation;
  5. information quality;
  6. openness;
  7. security safeguards; and
  8. data subject participation.

Accountability

This is the first post in a series in which we look at each of the individual conditions in turn, starting with accountability. Section 8 of the Act states: “The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself”.

Foundation of Accountability

The first condition lays the foundation for the lawful processing of personal information by placing an obligation on the responsible party to ensure that the other processing conditions are met. To understand this, we need to take a step back and look at who the responsible party is. The Act defines the responsible party as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of, and means for, processing personal information. In practice, this is usually the organization that collects the personal information from the data subject in the first instance and decides why and how it will be used. The test is who determines the purpose and means of the processing, not who physically holds or handles the data.

Many organizations make use of operators, such as third-party vendors, to process personal information on their behalf. Being accountable means that the responsible party remains responsible for the processing of personal information throughout the processing cycle, even where the personal information has been transferred to a third-party operator. The responsible party must ensure that the operator processes personal information as POPI requires. This can be done by incorporating the operator’s obligations under POPI in the service level agreement (the Act requires a written contract with the operator) and by auditing compliance with those contractual provisions on a regular basis.

Attributes of Accountability

Being accountable means that the organization processing the personal information is automatically exposed to a certain degree of risk. To minimize this risk, it is extremely important that the responsible party identifies the personal information that it processes and nominates a suitably qualified representative, an information officer, who will be tasked with the protection of this information. Once the details of the information officer are registered with the Regulator, the information officer will be responsible for:

  • encouraging compliance with the conditions for lawful processing of personal information;
  • attending to any request made in terms of POPI;
  • assisting the regulator with any investigation relating to the organization’s POPI compliance; and
  • ensuring the organization’s compliance with the provisions of POPI.

In short, the information officer will be the custodian of all activity relating to the processing of personal information, and if any of the provisions of POPI are breached, he or she could ultimately be held liable for that transgression.

Conclusion

Depending on the size of the organization, it will not always be possible for a single information officer to oversee the flow of personal information throughout the business. It cannot be emphasized enough that the protection of personal information is the responsibility of the organization as a whole and not merely that of the information officer. It is therefore critical that everybody is on the same page when handling personal information. Strategies and policies should be implemented in terms of which the people or departments that process personal information take ownership of the obligations imposed by POPI, and in cases of non-compliance those responsible should be held accountable and disciplined accordingly. If accountability is part of the organization’s culture, compliance with the conditions set out in POPI will not be hard to achieve.
