POPIA FAQ: 3rd-Party Stakeholders

What is POPIA about?

POPIA protects the personal information (“PI”) of both individuals and businesses. It does this using the following 8 conditions or principles that a business should follow: (i) accountability (who takes responsibility); (ii) processing limitation (when you can use the PI); (iii) purpose specification (acceptable reasons to process PI); (iv) further processing limitation (using the PI again for another reason); (v) information quality (making sure the PI is of a good quality); (vi) openness (letting people know what PI you have about them); (vii) security (both digital and physical security of PI); and (viii) data subject participation (letting people access and correct their PI).

What is “personal information”?

"Personal information" is everything that relates to a person or a company including, where applicable, marital status, age, language, names, education, financial information, employment information, email addresses (and other contact information) and implicitly private correspondence. In addition to the definition of “personal information”, POPIA introduces the concept of “special personal information”, which is information about an individual that is very sensitive including her/his race, sexual orientation, health, trade union membership, religion, political beliefs and biometric information (like fingerprints and signatures).

What is a “responsible party”?

POPIA defines a “responsible party” as “the public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”.

What is an “operator”?

POPIA defines an “operator” as, “a person (natural or juristic person) who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party”.

Is Experian the Operator or the Responsible Party?

Experian can be the Responsible Party or the Operator depending on whether it is Experian who is determining the purpose for processing the personal information. Experian will typically be the Responsible Party when it gives instruction to a service provider to process personal information on Experian’s behalf. Where Experian holds data as part of its regulatory obligations as a credit bureau, Experian is the custodian of that data and it decides how the data is kept secure and how its processed. While it does not strictly meet the definition of Responsible Party, Experian does fulfil the role of Responsible Party.  When a client requests personal information from Experian, Experian is typically the Operator. In certain instances Experian can be a joint-Responsible Party with a Client and/or a Vendor.

What is the meaning of “processing”?

POPIA defines “processing” as “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –

  • the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • dissemination by means of transmission, distribution or making available in any other form; or
  • merging, linking, as well as restriction, degradation, erasure or destruction of information".

What is the meaning of a “security breach”?

A security breach happens when you know (or you reasonably believe) that there has been:

  • loss of personal information;
  • damage to personal information;
  • unauthorised destruction of personal information;
  • unauthorised access to personal information;
  • unauthorised processing of personal information.

By when must organisations comply with POPIA?

Responsible parties and operators have until 30 June 2021 to ensure that their processing of personal information complies with the provisions of POPIA. 

Who is the Information Officer / Deputy Information Officer?

The Information Officer for a private company as set out in the Promotion of Access to Information (PAIA) Act 2 of 2000 is its ‘head’ or Chief Operating Officer (CEO). POPIA allows for authorisation by the ‘head” of another employee to take up this role. A deputy information officer may be appointed by the Information Officer (i.e. the CEO/authorised Information Officer) in writing. If no written appointment of a deputy information officer has occurred then there are no deputy information officers.

Experian has appointed an Information Officer and a Deputy Information Officer and has registered them in terms of Section 55(2) with the South Africa Information Regulator. The Registration Number is: 3913/2021-2022/IRRTT.

The Information Officer’s contact details are as follows: informationofficerafrica@experian.com

Download the full Data Processing Standards here