Protection of Personal Information Act: Managing Operators

RESPONSIBLE PARTIES ARE LIABLE FOR THE UNLAWFUL PROCESSING OF PERSONAL INFORMATION BY THEIR OPERATORS

The Protection of Personal Information Act stipulates that every public and private body making use of operators must ensure that operators who process personal information for the responsible party establish and maintain generally accepted information security practices and procedures, whether these apply to the operator generally or are required under specific industry or professional rules.

Overview

The Protection of Personal Information Act requires accountability for any processing of personal information. Heads of public bodies, CEOs of private bodies and the business leaders identified as “responsible parties”, being those who determine the purpose of and means for processing personal information, are required to ensure compliance with the conditions for the lawful processing of personal information set out in the Act.

The responsible party must set out, in written contracts with its operators and other service providers, the services the operators are commissioned to provide. The transfer of personal information to the operator must be limited to what is necessary for the operator to fulfil its contractual obligations.

Operators may not process personal information unless commissioned to do so by the responsible party, and then only for a purpose compatible with the original purpose of collection.

Seminar Objectives

Participants will gain a general understanding of the legal obligations placed on responsible parties to manage operators and other service providers. On completion of this one-day seminar, participants will be able to:

  • Articulate the requirements of the Protection of Personal Information Act when commissioning operators
  • Demonstrate an understanding of how the conditions for the lawful processing of personal information apply to operators
  • Understand the typical content required in written contracts when engaging operators and other service providers
  • Communicate the responsible party's role and responsibilities in ensuring the lawful processing of personal information
  • Understand the need to validate operators' procedures

Seminar Outline

Participants will learn through discussion and practical examples how to commission and manage operators engaged by the responsible parties to provide services that process personal information.

This seminar includes topics about:

  • Why the responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures.
  • Why operators may not process personal information unless commissioned to do so, and then only for a purpose compatible with the original purpose for which it was collected.
  • Content of the typical contract between the responsible party and the operator, including details of the technical and organizational measures that the responsible party has identified as necessary for the operator to establish and maintain in order to address the internal and external risks to the processing of personal information.
  • The role and responsibilities of operators and other service providers when processing personal information.
  • The technical and organizational capabilities operators are required to have before a responsible party can commission an operator.
  • Governance and management structures and systems to plan, organize, direct and control operators and the services they provide.
  • Verification that the operator has fulfilled its contractual obligations to maintain effective technical.