2021 and the Role of the Responsible Party; PoPIA

Carrie Peter, Solution Owner at Impression Signatures

Stepping into the New Year in the current socio-economic climate is a challenge for organisations of any kind. There are a variety of new rules and regulations to follow. These rules and regulations are put into place to help to protect businesses and individuals. In addition to complying with and managing Covid-19 regulations, organisations also need to ensure that they are complying with the regulations set out by the Protection of Personal Information Act (PoPIA).

To comply with the Act’s requirement that all businesses need to obtain consent for all data processed through the organisation, many businesses are assigning this work to so called ‘Responsible Parties’. These parties are the accountable parties, tasked with protecting personal and/or private data.

According to the Government Gazette a Responsible Party refers to: A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

PoPIA outlines that, for the processing of personal information to be lawful, certain conditions must be met, and the processes and procedures must comply with several regulations. These regulations include elements such as: accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation.

According to Carrie Peter, Solution Owner at Impression Signatures; “It is imperative that when organisations utilise or assign responsibilities to a Responsible Party, they ensure all regulations and specifications are complied with by this party. The Responsible Party is held accountable for ensuring that the conditions for lawful processing of personal data is met.”

To support smaller businesses in ensuring compliance, Impression Signatures embarked on a PoPIA Campaign that provides relevant information about the Act, free of charge. The Campaign seeks to simplify and demystify the roles and responsibilities of the Act. With this approach, it hopes to support businesses that do not have large budgets available to employ compliance officers specifically for PoPIA purposes.

The Responsible Party works in conjunction with the operator and regulator. This collaboration ensures that all entities are working in cohesion to maintain and comply with the required regulations. The reason for the collection of the data set must be explicitly and clearly explained and outlined to the data subject, and must adhere to lawful processes.

“It is important to remember that this Act has been put into place to protect the rights of individuals and entities; to protect that personal information. This means that, while an organisation and/or Responsible Party may have access and the required permission to use that data, the data primarily belongs to the data subject and is being ‘borrowed’ by the organisation. So, if the data subject requests access to or the deletion of this information the organisation and/or Responsible Party must comply,” continues Peter.

To comply, the Responsible Party must keep a clear and definite record of processes and procedures. This record should be able to prove that the information was obtained with the consent and explicit knowledge of the data subject and that the data subject was informed of the intended use of the data. The Responsible Party must be able to prove that the data was used for its specified intent and that all legal and ethical regulations were adhered to.

The Responsible Party is not allowed to utilise this information outside of the parameters of its stipulated intent and may not disperse the information without explicitly stated consent from the data subject. The Responsible Party will need to ensure that effective safeguards are put into place to protect the information from being released and/or from being used outside of its consented intent. Proof and processes of these safeguards must be recorded in detail as evidence of compliance.

“There is a lot of weight placed onto the Responsible Party to ensure that all regulations are being adhered to. It is vital that those assigned with this role are aware and fully educated in what the rules and regulations of this act,” concludes Peter. “To meet these standards, it is imperative that the Responsible Party not only follow the letter of the law, but that detailed records of these processes and procedures are kept and maintained.”