
POPI and the storing of personal information

            January 2018

            Commercial

            “My business collects a lot of personal and financial information from our
            clients. This information is obtained both electronically and in hard copy
            format. Because of the volume of the information, we store the information
            electronically and in hard copy with an off-site data storage company. They
            don’t do anything with the data except store it for us. Does POPI apply to this
            relationship?”

            The Protection of Personal Information Act 4 of 2013 (“POPI”), although signed
            into law, has not yet fully come into effect. It is expected to become effective
            during 2018, once the office of the Information Regulator has been fully set up,
            and will then apply to all responsible parties.
            POPI places specific obligations on parties who collect, store, use and destroy
            personal information in order to protect the persons to whom such personal
            information relates from suffering damage or harm, and provides them with
            remedies should there be a breach by such a “responsible party” of the
            obligations imposed on it by POPI.
            In your case, given the personal information of your clients that you collect, POPI
            will apply to your business. The question now is whether POPI will also apply to
            your use of a third-party company for the storage of that personal information.

            POPI makes provision for and applies to the distribution of personal information
            to third parties who process (collect, store, use or destroy) such information on
            behalf of a responsible party, such as your business. These parties, referred to
            as “operators” by POPI, process personal information on behalf of a responsible
            party in terms of an agreement, without falling under the direct authority of the
            responsible party.

            To determine whether or not a party can be classified as an operator involves
            two questions:

            1.  Do they determine the purpose (‘why’) and means (‘how’) for the
               processing of the personal information?
            2.  Do they process the personal information on the instruction of a
               responsible party in accordance with some agreement?

            If the first question is answered “No” and the second question “Yes”, then the
            entity will qualify as an operator. However, if the first question is answered “Yes”,
            then the entity will not be considered an operator and the second question
            becomes irrelevant, as it would then appear that the entity is potentially
            itself a responsible party. If the second question is answered “No” under any
            circumstance, then the entity will also not be considered an operator in terms of