Over the next 8 weeks this article series will provide a practical overview of each of the conditions for lawful processing of personal information as stated in Chapter 3 of the Protection of Personal Information Bill.
We will also explain how this will practically affect your organisation.
The 8 Conditions listed in Chapter 3 are as follows:
• Processing limitation
• Purpose specification
• Further processing limitation
• Information quality
• Security safeguards
• Data subject participation.
This week’s topic is CONDITION 1 – ACCOUNTABILITY.
“Responsible party to ensure conditions for lawful processing”
“The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.”
PoPI defines a ‘responsible party’ as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.”
Practically, the responsible party is the organisation working with the information, and as stated in last week’s article, this includes most organisations. Most law firms, and definitely conveyancers, will qualify as responsible parties. This condition while fairly simple in content should not be underestimated in terms of its importance and also the potential risk that this represents to an organisation. The Protection of Personal Information Bill states the Information Officer, who is the party accountable for protecting personal information, is as per the definition in the Public Access to Information Act (PAIA). This clearly states, that in a non-governmental organisation, this is the Chief Executive Officer or equivalent. In organisations working with personal information, there are many individuals who can negatively impact the security of personal information. It’s important to realise that these individuals are not limited to your own employees; they include your third parties who also have access to your information like your courier company, the company you rent your photocopier from, to name only some. However, only a few key individuals will be held accountable. It is therefore critical to have effective controls in place which adequately mitigate the risk that each individual in the organisation represents. In summary, if anyone in the organisation, or a partner to the organisation, leaks personal information, it’s the CEO who will be held personally responsible. Apart from the fines and jail terms which may result from an infringement, the damage to the organisation’s reputation comes at a far greater cost.
Contributed by Keyphase Technologies.