FD Insights Issue 6 | Page 30

that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Sections 19, 20 and 21 in Summary

In summary, Sections 19, 20 and 21 of PoPI require the following:

- A Responsible Party must secure the integrity and confidentiality of personal information in its possession or under its control by taking both operational and technical measures to prevent loss thereof or unlawful access thereto.
- An Operator (cloud provider) must only process personal information on behalf of a Responsible Party with the knowledge or authorisation of the Responsible Party, and the Operator must ensure confidentiality in its processing of such information.
- A Responsible Party must enter into a written agreement with an Operator to ensure that the Operator maintains the security standards established by the Responsible Party under Section 19 of PoPI.
- An Operator must notify a Responsible Party of a breach (data loss) regarding personal information immediately where it is reasonable to believe there has been such a breach.

Following the above example (Sections 19 to 21), it is clear that the majority of the responsibility for direct compliance with PoPI falls to the Responsible Party. As illustrated, it is the Responsible Party that must establish operational and technical measures to secure the safety and integrity of the personal information it is processing (see Section 19), not the Operator (cloud provider). Further, it is the Responsible Party that must enter into a written agreement with an Operator (cloud provider) in a manner that contractually commits the cloud provider to maintain services in line with the security standards the Responsible Party has established (under Section 19).
The question is therefore whether the cloud provider will be able to adequately maintain, or indeed establish, the security standard to which it makes a contractual commitment under guidance from the Responsible Party, not whether it or its cloud services are per se compliant with PoPI.

Following the above example, and as regards more direct responsibilities for complying with PoPI, the cloud provider does carry a small but significant number, inter alia:

- Ensuring that it only processes personal information where it is authorised to do so (or does so with the knowledge