Here is the definition of a Responsible Party in the POPI Act:
‘responsible party’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
This definition is about understanding the concept of Means and Purpose. In simple terms, a Responsible Party is someone who determines the Means and Purpose for processing personal information.
It refers to public and private bodies, which need to understand the distinction. Definitions of public and private bodies can be found in the Act. Here is a simple example to illustrate how to determine the Means and Purpose, according to the POPI Act:
1. The Head of HR in a company decides with his team that they can no longer justify doing payroll in-house, and they decide to outsource the function to a third party.
2. The HR team sends out requests for proposals to various companies, which prepare their submissions and present them to the committee. The committee reviews each submission and makes the decision on the final choice.
3. The Means and Purpose have been determined for the processing, the result being that the company is a responsible party for this information.
The Means and Purpose test is an important one. This is especially true where you have to analyse who is accountable for which aspects of a process, which may involve various parties when servicing a client.
This will be explained further in a future post covering the issues of third parties carrying out processing on behalf of the responsible party. This will provide clarity on where accountabilities lie.