The Responsible Party and the Operator, 3 of the 8 Conditions for lawful processing - Narrative
Hello everyone and welcome to the third episode of our POPIA for Estate Agents podcast. This is our first podcast for 2021, which is also the year we will have to process personal information in accordance with POPIA, from 1 July 2021. I am Linda Reid, Head of Data at Lightstone, and your host for these podcasts. For this conversation I welcome Hayley Ivins-Downes, Head of Sales at Lightstone. Thank you for joining us Hayley.
Thanks Linda, and here’s wishing all our Estate Agent clients a healthy and successful 2021. Just a quick recap for our audience (because some memories don’t survive the Christmas holidays!)…
In Episode one we discussed some elements of the Client Contact book for Estate Agents, and Episode two went into detail on the topic of Consent.
That’s right. Just to summarise – Estate Agents will need to make some substantial changes to the way they collect and manage their Client Contact Books to be compliant with the new legal requirements for processing personal information. They will also need to develop a system for collecting and managing consent from Data Subjects (your clients), for marketing and other purposes.
In this, our third podcast, we’re going to cover the two roles that a company or person could have under POPIA and how to understand which one applies to you.
Not to worry, we’ll try to make the content as practical and clear as possible. Also this is a fairly long section so we are going to split it between this podcast and the next one.
Great. So what are these two roles then?
POPIA allows for different levels of responsibility for handling PI, depending on whether you’re the person who is primarily responsible for the data or if you’re simply processing it on the instruction of someone else.
What are these two roles and how do we know which one applies when?
The main role with the largest responsibility is the RESPONSIBLE PARTY. If you are the person who is collecting PI and deciding what to do with it, then you are the Responsible Party. So, if an Estate Agent collects contact details from a prospective client and decides to store it and use it to connect with the prospective client, then they are the RESPONSIBLE PARTY under POPIA. This role involves a lot of responsibility around the collection, use and care of that data. If the RESPONSIBLE PARTY contracts an OPERATOR to do something on their behalf, then the Operator will only be allowed to execute on the terms of that arrangement, and will not be bound to some of the other conditions of POPIA, which apply to the Responsible Party.
In the Estate Agent’s world, what kind of person or company would be an Operator?
An example would be the company that does your photography for you. You would give them some Personal Information on the client so that they can arrange the session. They are allowed to use the PI purely for the purposes of that engagement and not for any other reason. They also have to ensure they store that personal information appropriately and securely and protect it from breach. They will need to delete that PI when the engagement is complete and notify the Responsible Party immediately if they believe that the personal information has been accessed or compromised. In short, the Operator may only process the personal information with the knowledge or authorization of you, the estate agent, and must treat that information as confidential and may not disclose it. POPIA requires a Responsible Party to enter into a written contract with the Operator, to ensure that the Operator establishes and maintains the necessary security measures when dealing with the personal information.
Okay let’s run through a practical example. If I’m an Estate Agent and I am in a complex showing a unit, and the owner of another unit comes over for a chat and they say they are thinking about selling their unit and ask me to arrange to come and see their unit and chat about their listing. I take down their number and name to call them the next day. Which role am I playing?
In this case you’re the RESPONSIBLE PARTY, as you are deciding what data to collect and for what purpose. If you need another company to contact that seller, for example to arrange staging furniture for the viewings, they are the Operator and they can only use those details for the purpose you’ve contracted them for (that in this case is the staging to support the sale of the property).
Okay got it. So you mentioned eight conditions for lawful processing. What’s that about?
Well, if you’re the Responsible Party, then you need to adhere to what POPIA lays out as the eight conditions for lawful processing. There is quite a lot of detail to this section of the Act, and it is actually the nub of the Act, so we encourage Estate Agents to read it in full, but we will summarise the key elements here. We will also make the full section available on our website for ease of reference.
Great. Where do we start?
First I’m going to run through all eight of them, so that our listeners have the framework before we unpack them in greater detail. They are:
- Accountability
- Processing Limitation
- Purpose Specification
- Further Processing Limitation
- Information Quality
- Openness
- Security Safeguards
- Data Subject Participation
That’s quite wordy!
It will all become a lot clearer when we explain each in more detail. Let’s start with Accountability. This condition simply says that if you’re the Responsible Party it is your job to ensure that the other 7 conditions are complied with throughout your journey with that data. You also have to ensure that your Operators are in a position to handle the data with that same due care.
That seems fair enough. What’s the next one?
Next is Processing Limitation, and this is a biggie. The Processing Limitation requires a Responsible Party to process personal information only if it is adequate, relevant and not excessive given the purpose for which it is being processed. This means that you can’t collect more information than what you need to cover the purpose, as a "just in case" or because it would be useful to have that information.
So if you’re engaging with a prospective client and need to contact them, you shouldn’t make notes on their existing health conditions, the name of their employer, or the names and ages of their kids. Is that what you mean?
Not unless having that information is required for the purposes of helping them buy or sell their house. Also, under Processing Limitation, you need to ensure you have a lawful reason for collecting their information. This comes down to the six lawful grounds for processing, which we covered in the last podcast, such as gathering consent or processing the data in the execution of a contract, for example.
Ah yes. If our Estate Agent clients need a refresher on what these six legal grounds are, there is a transcript of that podcast available on the same site you accessed this recording.
Yes, those six Lawful Grounds are very important. It’s what gives you the right to collect and process the PI in the first place. But there’s also one more element in the condition of Processing Limitation and that is that you need to collect the information directly from the Data Subject. There are some exceptions to this, which are clearly outlined in the Act, but for the most part you should get the information directly from the Data Subject.
Oh that’s interesting. So an Estate Agent’s client can’t give them the phone number of their neighbour?
No, she can’t, not unless the neighbour has consented to her passing on the details to the Estate Agent.
Okay got it. So Processing Limitations cover minimality, which means you mustn’t collect more PI than you need; lawful grounds, which means you must have one of the six possible legitimate reasons for processing information, and that you have to collect the PI directly from the Data Subject, for the most part.
Yes you’ve got it. The third condition is called Purpose Specification. Basically, the data you collect must be for a specific and lawful purpose related to your functions or activities, and you must make sure the Data Subject is aware of that purpose.
Okay so I can’t just collect PI in case I might need it later?
Absolutely not, because then you are in breach of both ‘minimality’, ‘collection for specific purpose’, and you probably don’t have one of the six ‘lawful grounds’ for collecting it.
So I must have a purpose and the Data Subject must be aware of it. Anything else I need to know under Purpose Specification?
Yes, there’s a rather detailed section explaining what your responsibilities are for retaining and restricting access to the records of personal information. You aren’t allowed to keep the Personal Information for longer than is necessary for the purpose you collected them. In other words you have to delete the records after that purpose has been completed. There are a number of exceptions to this, so I do encourage our listeners to read this section of the Act which is available on our site, to see if any of those exceptions apply to them.
I guess that makes sense. If I give my personal information to someone, I probably don’t want them to have the right to hold on to that information forever.
Exactly – remember that POPIA aims to give people control over how their personal information is used, and especially that it is used in a way that doesn’t infringe on the privacy of the Data Subject.
So I can’t keep that data to use for anything else afterwards.
Spot on, and actually that’s Condition number four, called Further Processing Limitation. But we are going to end here for today and pick up in our next podcast with this condition and the remaining four after that.
Thanks for another empowering session Linda. I’m looking forward to the next one. I’d like to encourage our listeners to give us feedback and tell us what their main questions and concerns are so that we can try to address these in future episodes.
Indeed. We welcome all feedback and would love to hear from our listeners. Thank you for being my co-host today Hayley. It’s so important that we have these conversations around POPIA, so that we can all come away a little bit smarter, wiser and hopefully more prepared. Until next time… goodbye.