Adv Louis Nel Business Review: POPIA Insert 19 - The use of operators and related security

I addressed this aspect during the initial rush for compliance when I launched my survey project. I conducted numerous compliance surveys, providing guidance to businesses in the early days of POPI 2021, and continued to do so, although the urgency has diminished as was the case with the CPA.
As part of the aforementioned project, I developed and offered a package of four documents at a significantly reduced price. This package included a template contract to be executed with any third-party supplier engaged by the parties to ensure that such a third party was POPI compliant.
Recently, this issue has become significant, resulting in dire consequences for non-compliant parties.
Let's revisit the issue, which concerns the safekeeping of Personal Information (PI):
- Section 19 mandates the Responsible Party (RP), i.e., the party processing personal information (PI), to 'secure the integrity and confidentiality of PI under its control and in its possession.' The RP must take 'appropriate, reasonable technical and organizational measures' to prevent 'unlawful access or processing,' including 'collection and dissemination.'
- Section 20 extends these duties to 'operators,' i.e., parties processing on behalf of the RP 'in terms of a contract or mandate.'
- Section 21 requires the RP to have a 'written contract' with the operator, confirming the Section 19 obligations.
There may be a second wave of compliance once this article is disseminated. The anticipated trigger for this renewed compliance demand is the increasing number of breaches of the above provisions and the imposed penalties.
Complaints of POPI transgressions reported to the Information Regulator (IR) and handled by the Enforcement Committee (EC) lead to investigations and enforcement notices (EN).
It's essential to note that the security breach itself doesn't trigger the compliance investigation by the IR and the issuance of an EN. There are numerous such breaches globally and locally. The IR recently revealed it had received notifications of over 500 data breaches or security compromises between October 2022 and February 2023 (source: [ITWeb](https://www.itweb.co.za/content/VgZeyvJlQrbMdjX9)).
Such breaches must be reported not only to the IR but also to the data subjects (DS), i.e., the 'owners' of the PI (Section 22). Failure to do so is an offence and can be exacerbated if the subsequent investigation reveals other non-compliance issues, as was the case with Dischem.
Dischem not only failed to notify the IR and DS 'as soon as reasonably possible after discovery of the compromise' but was also found to have failed in various respects:
- Identifying the risk of using weak passwords;
- Preventing the usage of such passwords;
- Putting in place adequate measures to monitor and detect unlawful access to its environment;
- Entering into an operator agreement with the operator Grapevine (as per Section 21);
- Ensuring that Grapevine has adequate security measures in place to secure personal information in its possession.
It's crucial to note that the responsibility does not end once the RP has entered into such an 'operator agreement'; ongoing monitoring is required.
The EN issued to Dischem included several demands that provide a useful guideline for every business going forward. These demands, once fulfilled, can be documented in some form of compliance notice that can be provided to clients:
- Conduct a personal information impact assessment to ensure adequate measures and standards exist to comply with the conditions for the lawful processing of personal information as required by Regulation 4(1)(b) of POPIA.
- Implement an adequate incident response plan.
- Implement the Payment Card Industry Data Security Standards by maintaining a vulnerability management programme.
- Implement strong access control measures.
- Maintain an information security policy.
- Ensure it concludes written contracts with all operators that process personal information on its behalf, and that such contracts compel the operator(s) to establish and maintain the same or better security measures referred to in section 19 of POPIA.
- Develop, implement, monitor, and maintain a compliance framework, in terms of Regulation 4(1)(a) of POPIA, which clearly makes provision for the reporting obligations of Dis-Chem and all its operators in terms of section 22 of POPIA.
Please note that Dischem disputes the EN allegations (source: [ITWeb](https://www.itweb.co.za/content/KBpdg7pm9DgMLEew)).
Readers should not take transgressions of this nature lightly, as they can result in a fine of up to R10 million or imprisonment or both.
Accordingly, I reiterate my offer of a template third-party supplier contract at the reduced rate of R750.00.
© Copyright Louis-THE-lawyer
October 09, 2023
DISCLAIMER - Each case depends on its own facts & merits - the above does not constitute advice - independent advice should be obtained in all instances
LEGAL ADVICE CLUB ('LAC') - You can obtain specialized tourism advice from Louis (41 years in tourism) (1) on an ad hoc basis: 10 minutes of pro bono (free) advice via a phone call or e-mail and/or (2) by joining his LAC: R9,000 per year payable in 3 (three) equal monthly installments or as a lump sum. This equates to a monthly fee of only R750.00 per hour.