“My business collects a lot of personal and financial information from our clients. This information is obtained both electronically and in hard copy format. Because of the volume of the information, we store the information electronically and in hard copy with an off-site data storage company. They don’t do anything with the data except store it for us. Does POPI apply to this relationship?”
The Protection of Personal Information Act 4 of 2013 (“POPI”), although signed into law, has not yet fully come into effect. It is expected to become effective during 2018, once the office of the Information Regulator has been fully set up, and will then apply to all responsible parties.
POPI places specific obligations on parties who collect, store, use and destroy personal information in order to protect the persons to whom such personal information relates from suffering damage or harm and provides them with remedies should there be a breach by such a “responsible party” of the obligations imposed on it by POPI.
In your case, given the personal information of your clients that you collect, POPI will apply to your business. The question now is whether POPI will also apply to your use of a third party company for the storage of that personal information.
POPI makes provision for and applies to the distribution of personal information to third parties who process (collect, store, use or destroy) such information on behalf of a responsible party, such as your business. These parties, referred to as “operators” by POPI, process personal information on behalf of a responsible party in terms of an agreement, without falling under the direct authority of the responsible party.
To determine whether or not a party can be classified as an operator involves two questions:
1. Do they determine the purpose (‘why’) and means (‘how’) for the processing of the personal information?
2. Do they process the personal information on the instruction of a responsible party in accordance with some agreement?
If the first question is answered “No” and the second question “Yes”, then the entity will qualify as an operator. However, if the first question is answered “Yes”, then the entity will not be considered an operator and the second question becomes irrelevant as it would then appear that the entity is potentially itself a responsible party. If the second question is answered “No” under any circumstance, then the entity will also not be considered an operator in terms of POPI, as it falls outside the scope of the definition of an operator.
In your case, it would appear that the third party that stores your information does “process” (storing) personal information on your behalf, such storage presumably being on the basis of an agreement with you. This makes the entity an operator processing personal information on your behalf.
Important to note is that the outsourcing of personal information to an operator does not release you as the responsible party from any of your obligations under POPI. This means that, should the operator contravene POPI in any way in respect of the data it stores for you, you will be held responsible. It is therefore vital that a proper operator agreement be in place between the responsible party and the operator to ensure that the operator’s obligations in respect of POPI are clearly stipulated.
Our advice is to obtain the assistance of a POPI specialist to review any existing agreement you may have with the operator and if necessary help put an appropriate operator agreement in place to ensure that your use of the data storage company is POPI compliant.