Most businesses make use of a third party service provider, also known as an Operator, in its support structure. This is generally due to the high costs involved in establishing these services internally in the business and therefore it is easier to outsource same to a third party. One such third party would be a Cloud Service Provider, due to the costs of expensive software and storage of data, as a Cloud Service Provider provides a cost-effective and flexible solution for businesses storing large quantities of data.
Where data storage is involved, the Protection of Personal Information (POPI) Act must be considered and your business is the Responsible Party working with an Operator.
The POPI Act defines a Responsible Party (the business in this instance) as: “…public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.”
An Operator (Cloud Service Provider) is then defined as: “…a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.”
To ensure good business practice the Responsible Party must ensure that it complies with Section 21 of the POPI Act in that it concludes a written agreement between itself and the Operator to ensure that the personal information processed by the Operator is done in a manner which is confidential and secure and that the security measures which are established in Section 19 of the POPI Act are maintained and complied with. This may be achieved by both parties signing a non-disclosure agreement.
The Operator must ensure that it complies with Section 20 and 21 of the POPI Act in that it must process personal information only with the knowledge and authorisation of the responsible party and must treat personal information which comes to its knowledge as confidential and must not disclose it, unless required by law or in the proper performance of its duties.
The POPI Act has a serious impact on Cloud Services due to the massive volumes of personal information being stored in the Cloud and the need to protect this information in order to ensure that the Cloud environment is safe for those using the service. It is crucial that Cloud providers address the safeguards required by the POPI Act by implementing the appropriate controls to ensure that the Cloud environment is secure for its users. Risks faced by Cloud users include issues with security breaches, the reliability of the service itself and the overall lack of control of information provided.
Non-compliance to the POPI Act by Cloud providers may result in severe penalties including a fine of up to R10 million or 10 years imprisonment, and may expose businesses to civil damages claims by data subjects. Non-compliance could also have a severe effect on businesses’ reputation that could result in serious economic loss.
Once a Cloud provider has achieved compliance with the POPI Act, it will be able to confidently reassure a Responsible Party that its information is secure and protected. Implementation of the POPI Act in the relationship between the Responsible Party and the Operator should rather be seen as a welcoming factor than a cause for concern.
ABOUT THE AUTHOR
Marike Brand obtained her LLB from the University of Stellenbosch and thereafter practised for three years as an admitted attorney in commercial civil litigation. She is currently a SEESA Consumer Protection & POPI Legal Advisor at our Cape Town office.