In a previous post “Understanding who a responsible party is in POPI”, we used a simple example to demonstrate the concept of “means” and “purpose”. This concept is part of the definition of a responsible party according to POPI.
The Head of HR (human resources) in a company decides along with his team that they can no longer justify doing payroll in-house. They decide to outsource the function to a third party. The HR team sends out requests for proposals to various companies who prepare their submissions and present to the committee. The committee reviews each company and makes the decision on the final choice.
Are you a responsible party?
Here are some basic questions to ask to determine if the company is a responsible party, using the example:
- Firstly, is personal information being processed? The answer has to be yes, as payroll deals with the salary details of staff.
- Is the Head of HR acting on behalf of the company or in his personal capacity? He/she is acting on behalf of his/her company and is responsible for making sure salaries are paid to all the employees every month. We are dealing with the company in this example, even though the staff are initiating the changes.
- Did the company or Head of HR determine the purpose of processing? To answer this we need to look at what the purpose of processing is. It is to do the payroll. The Head of HR is instructed to do this every month in terms of his performance contract with the company, so the company determined the purpose of processing.
- What is the means of processing and who determined it? Another way of looking at this would be to ask how the processing is being done or envisaged. In this case it is being outsourced to a third party and once again it is the Head of HR who made this decision along with his/her committee set up to handle this task.
In conclusion, in this example the company is a responsible party.