POPIA: Managing Operators
The Protection of Personal Information Act requires accountability for any processing of personal information. Heads of public bodies, CEOs of private bodies and the business leaders identified as “responsible parties” who control the purpose and means for processing information are required to ensure compliance with the conditions for the lawful processing of personal information set out in the Act.
The responsible party must clarify, in written contracts with its operators and other service providers, the services the operators are commissioned to provide. The transfer of personal information to the operator must be limited to what is necessary for the operator to fulfil its contractual obligations.
Operators may not process personal information unless commissioned by responsible parties and the purpose is compatible with the original purpose of collection.
Participants will gain a general understanding of the legal obligations placed on Responsible Parties to manage operators and other service providers. On completion of this seminar, participants will be able to:
- Articulate the requirements of the Protection of Personal Information Act when commissioning operators
- Demonstrate an understanding of how the conditions for the lawful processing of personal information apply to operators
- Understand the typical content required in written contracts when engaging operators and other service providers
- Communicate the responsible parties’ role and responsibilities to ensure the lawful processing of personal information
- Understand the need to validate operator procedures
Participants will learn through discussion and practical examples how to commission and manage operators engaged by the responsible parties to provide services that process personal information.
This seminar includes topics about:
- Why the responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.
- Why operators may not process personal information unless commissioned to do so and the purpose is compatible with the original purpose for which it was collected.
- Content of the typical contract between the responsible party and the operator, including details of the technical and organisational measures that the responsible party may have identified as necessary for the operator to establish and maintain to address the internal and external risks to the processing of personal information, as identified by the responsible party.
- The role and responsibilities of operators and other service providers when processing personal information.
- The technical and organisational capabilities operators are required to have before a responsible party can commission an operator.
- Governance and management structures and systems to plan, organise, direct and control operators and the services they provide.
- Verification that the operator has fulfilled its contractual obligations to maintain effective technical and organisational measures to safeguard the data subjects’ rights.