Information processed by an operator (i.e. one who ‘acts in terms of a contract or mandate and without coming under the direct authority of the RP’ – responsible person) must be dealt with as follows:

The operator (or anyone else acting on behalf of the RP) must only process personal information (PI) with the knowledge or authorisation of the RP.

The operator must treat PI as confidential and not disclose it.

The RP must ensure that the operator complies with sections 18 and 27, or with the applicable law of the territory where the operator is domiciled (read with section 72 on transborder information flow, which adds further requirements, i.e. either (a) Data Subject (DS) consent [unless (i) the transfer is for the benefit of the DS, (ii) obtaining consent is not practical, and (iii) the DS would be likely to have consented]; or (b) the transfer must be required for performing a contract).

The above must be contained in a written contract between the RP and the operator.
Notification of security compromises:

If there are reasonable grounds to believe that PI has been ‘accessed or acquired’ by an unauthorised person, the DS and the IPR must be notified.

Notification must take place as soon as possible after discovery of the compromise, unless a criminal investigation would be impeded, as determined by the SAPS, NIA or IPR.

Such notification must be in writing and conveyed to the DS in one of the following ways:
ordinary mail;
email;
on the website of the RP ‘in a prominent position’;
published in the news media; or
as directed by the IPR.

It must contain adequate information for the DS to ‘take protective measures against the potential consequences of the compromise, including the identity of the unauthorised person’.
From Louis the Lawyer – POPI