CONTRACTORS AND THIRD PARTIES

Your organisation may outsource certain processing activities, such as storing documents, managing call centres, prospecting on your behalf or doing backups. You could also be outsourcing functions such as sending bulk SMSs or emails or sending out newsletters. You may outsource payroll or general accounting. There are a number of different outsourcing activities which happen on a daily basis.

In these situations, it is likely that these third parties will be required to process personal information on your behalf. A third party who processes information on your behalf is known as an “operator”.

An operator processes information on instruction from the responsible party. The instruction will usually take the form of a mandate or contract but does not include an employment contract. This means that staff are not operators.

As the operator will be acting in terms of a mandate issued by your organisation, to process information on your behalf, you remain ultimately accountable.

As the responsible party, you must ensure that where data is processed, this is done lawfully. The third-party data processor does not own the data that they process. This means that the data processor will not be able to change the purpose for which, or the means by which, the data is used. Furthermore, operators are bound by the instructions given by your organisation.

If the operator determines the purpose and the means of processing the information, they become a responsible party as well. It is therefore important to identify all instances where you are the responsible party and where another party is a “processor” or “operator”.

This can be done by completing a responsibility assessment. A responsibility assessment is a written document that identifies:

  • the responsible party or data controller – this is the person who decides on the purpose or reason for processing the personal information
  • the operator or data processor – this is the person who processes the personal information on behalf of a responsible party or data controller

In order to complete this assessment, you will have to break down every activity so that you can see who does what. It will provide evidence to any Regulator that you have assessed your business and motivate why you act as a responsible party or as a data processor in each instance.

As you remain responsible for ensuring that data is protected, even when you outsource processing to a third party, it is important that you make sure that the third party has the capability to properly protect this data, and only processes it the way it is supposed to. This means doing due diligence on the third party to satisfy yourself that their framework and resources are sufficiently robust. Operators that you use may not be as POPI-compliant as your organisation. This can cause contractual or other problems unless you address it early and conduct proper checks. The measures implemented must be equal to, or greater than, those which your organisation requires.

It is recommended that due diligence is done regularly, as risks and requirements change over time. By documenting your due diligence, you are able to prove that you have taken reasonable measures to manage and mitigate this risk.

It is essential that a properly drafted agreement is in place, and this could include provisions that the operator must take responsibility for some or all of the POPI compliance measures which must be in place.

You must ensure that the operator processes personal information as POPI envisages. This can be done by incorporating the operator’s obligations under POPI in a service level agreement and by auditing compliance with these provisions of the contract on a regular basis.

The agreement should also provide an undertaking that the operator will ensure POPI compliance with an indemnity to protect the responsible party in the event of a breach. The agreement must require the operator to establish and maintain confidentiality and security measures to ensure the integrity of the personal information.

If an agreement is not in place, you are acting unlawfully, so make sure that you properly discuss and agree on the terms and conditions of the agreement so that each party properly understands and agrees to them.

Your contract should ensure that the operator will:

  • secure all personal information under their control and ensure this remains confidential;
  • only process information as mandated;
  • follow your instructions;
  • immediately notify you if they believe there has been a breach; and
  • grant you full access to monitor and check their compliance.

Where an operator is contracted or mandated, this person must only process information with your knowledge and authorisation and must treat this personal information as confidential. These limitations don’t apply if the operator must process the information as required by legislation or in the course of the proper performance of their instructions.

When an operator provides its service from outside South Africa, the transborder requirement of Section 72 applies. This means that a further aspect must be included in the contract, namely that the operator is subject to data privacy laws which are at least equal to POPI, or that the operator agrees to be bound by the provisions of POPI.

Compliance does not stop when your contract is concluded. Even though the contract may protect you to some extent, it is still the responsible party’s duty to check and ensure that operators are acting compliantly.

You may need to provide training on your processes and requirements to achieve the same level of compliance, and it is a good idea to regularly check processes and systems of operators to ensure that they are adequately resourced to comply.

WHAT MUST YOU DO?

You must:

  • identify where you make use of operators;
  • ensure that you do proper due diligence to satisfy yourself that there is adequate data protection;
  • enter into an appropriate contract;
  • ensure that the operator maintains the security measures referred to in section 19 of POPI; and
  • ensure that all the conditions of POPI are met by the operator.

COLLECTION DIRECTLY FROM DATA SUBJECT

In most instances, personal information must be collected directly from the data subject. Where the information is not collected directly from the data subject, there must be a very good reason for this, and one or more of the following must apply:

  • the information is contained in or derived from a public record, or the person has deliberately made the data public;
  • you have the data subject’s consent (or that of a competent person for a child) to collect information from another source;
  • collection from another source won’t prejudice a legitimate interest of the data subject;
  • it is required to uphold a law and fight crime, or in the interests of national security (for example, the purpose of collecting information relating to criminal activities or to national security would be subverted if you needed the consent of the data subject);
  • it is required to enforce tax collection by Revenue;
  • it is necessary for proceedings in a Court or Tribunal;
  • it is necessary to maintain the legitimate interests of the responsible party or of the third party to whom the data is supplied;
  • compliance would prejudice a lawful purpose of the collection; or
  • compliance is not reasonably practicable in the circumstances of the particular case.

WHAT MUST YOU DO?

Identify every instance where data is collected and ensure this is directly from the data subject. Where data is not collected from the data subject, ensure that the collection can be justified in terms of one of the permitted reasons. Maintain full records of the collection process and motivation.

DATA SUBJECT OBJECTION

Data subjects have the right to object to the processing of their information. Objections must be submitted using Form 1 which forms part of the POPI Regulations and you are required by law to provide reasonable assistance to the person, free of charge.

In such an instance, unless there is legislation which supersedes this right and allows the processing, you are no longer permitted to process the person’s data.

WHAT MUST YOU DO?

You will need a proper procedure which you can provide to someone who objects to the processing of their data or who withdraws their consent for its use.

This must align to the prescribed requirements, with objections being submitted using Form 1 which can be found in the Regulations.

Ensure that, unless you are legally permitted to continue processing the personal information, you stop doing so when you receive an objection or a withdrawal of consent.

Keep full records of where consent is withdrawn, or an objection to the processing of a person’s personal information is received, and motivate all the decisions you take in respect of these.

ACCOUNT NUMBERS

There is no specific section in the POPI Act which requires particular compliance with requirements relating to account numbers; however, specific reference is made in respect of contraventions relating to account numbers. This immediately indicates that additional precautions should be taken and controls put in place where your organisation processes account numbers.

An “account number” is defined as “any unique identifier that has been assigned –

  • to one data subject only; or
  • jointly to more than one data subject,

by a financial or other institution which enables the data subject to access his, her or its own or joint funds or credit facilities.”

Bank account numbers fall into this category. Bank account numbers are used every day in most business operations, where debit orders or other bank transfers are processed. Where salaries are paid to staff, this is usually into their bank account.

There are therefore a number of risk areas which should be assessed and where particular attention should be paid, in respect of account numbers.

Where a bank account number is intentionally or negligently obtained from a data subject without their consent, or disclosed to someone without the required consent, this is a crime and there are potentially very severe penalties.

It is also a crime to procure (obtain or arrange) the disclosure of an account number to another person without the data subject’s consent.

This is therefore an area where you require robust policies and procedures to ensure that there is no contravention.

Strict security measures must be implemented as this is a high risk area. Account information should only be collected where absolutely necessary and then under controlled circumstances. The collection of this information must occur only where you have the required consent, and from persons who have the right authority. Where you collect account details from an employee of a company, for example, make sure that the person has the necessary authority to provide this to you.

Account numbers should be treated as highly confidential and the right measures implemented to ensure they are not inadvertently disclosed to unauthorised parties. Consider, for example, the case where IT is outsourced or where you engage the services of external persons such as accountants. You will need to establish whether these persons can access this type of information, and if so, for what purpose.

Where disclosure to another party or person is required, you should ensure that you obtain the necessary consent from the holder of the account before sharing.

Controls should ensure that measures are complied with and that this risk is effectively mitigated.

WHAT MUST YOU DO?

Ensure that where you collect or process account numbers, this is with the full consent of the data subject, and that you have record of this consent. The consent must be done on an informed basis, so make sure that you can show that you have made the required disclosures before the consent is obtained, and that it is given freely and without duress.

Identify all areas of your organisation where account information is processed. Ensure that you implement robust protective mechanisms to ensure the security of account numbers.

Ensure that any transmission of banking information, such as a customer’s bank account and routing number, is encrypted using “commercially reasonable” encryption technology if it is transmitted via an unsecured network, like the Internet.

Do not send bank account information via regular email and don’t enter bank account information on an insecure web form or enter it via an insecure system.

Ensure that where account information is shared, this is only with authorised persons and where the necessary consent has been obtained.

Where account numbers are no longer required, these should be appropriately disposed of.

Your policies and procedures need to ensure compliance, and any contraventions must be addressed with the level of seriousness they merit.