Section 21 (responsible party and operator) agreements

In terms of Section 21 of the Protection of Personal Information Act, a responsible party (the party who determines the purpose and means of processing of personal information) must conclude a written contract with an operator (the person who processes personal information for a responsible party). The aim of the contract is to ensure that the operator processes the personal information in accordance with the minimum information security safeguards that are statutorily required to be implemented in terms of Section 19 of the Protection of Personal Information Act.

In dealing with the contracts contemplated in Section 21, it is essential that the drafters have a good understanding of the information security safeguards that may be required to protect personal information. It is also necessary to understand that the requirements contained in these agreements cannot be based on a “one size fits all” approach. The nature of the information and the manner of its processing will often require differing approaches to the information security necessary. This task is not one that can be performed in isolation by an attorney (who does not have an appropriate information security background) or by an information security specialist (who does not have the necessary legal and contractual background). A multidisciplinary approach must be adopted in drafting the contracts required by Section 21.

Privacy Online consultants provide both the legal and information security skills necessary to appropriately address this important requirement of the Protection of Personal Information Act.