Cloud computing has become a pervasive technology that has changed the way consumers and employees operate, as they have come to rely on services such as Outlook.com, Nokia HERE Drive+, and music streaming services such as Nokia MixRadio.
Due to the ubiquitous nature of online services, the cloud contains a vast amount of extremely valuable personal data. With the inception in South Africa of the Protection of Personal Information (PoPI) Act 4 of 2013, cloud computing has fallen under the proverbial legal spotlight. It is therefore apt to briefly address some of the expectations PoPI has of cloud service providers.
A question that many cloud service providers regularly encounter is whether their services are PoPI compliant. This question possibly stems from a common misunderstanding that, by definition, a cloud provider is a Responsible Party. In reality, the cloud provider, while simply providing its services to a third party, is defined as an Operator under PoPI.
This means that a cloud provider’s obligations under PoPI and the services that it provides to customers should not be the focus of direct compliance and should not be confused with the obligations of a Responsible Party. A cloud provider should be seen as a sub-contractor or agent who falls under the indirect control of a Responsible Party. It is on the latter that the vast majority of PoPI compliance and responsibility falls, and the cloud provider will have to meet the compliance standards of the Responsible Party rather than the other way around.
Who’s who: Responsible Party vs. Operator
To better understand a cloud provider’s obligations and its role under PoPI, it is essential to understand the difference between a Responsible Party and an Operator (the cloud service provider).
According to PoPI, the Responsible Party is a public or private person or entity who determines the purpose of and means for processing personal information, while the Operator is a person or entity that processes personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party.
Rights of the parties involved
PoPI requires that the Responsible Party must secure the integrity and confidentiality of personal information in its possession or under its control. It has to do so by taking both operational and technical measures to prevent the loss thereof or unlawful access thereto.
An Operator (the cloud provider) must only process personal information on behalf of a Responsible Party, with the knowledge or authorisation of the Responsible Party. In addition, the Operator has to ensure confidentiality in its processing of such information.
A Responsible Party needs to enter into a written agreement with an Operator to ensure that the Operator maintains the security standards established by the Responsible Party. On the other hand, the Operator has to notify a Responsible Party of a breach (data loss) regarding personal information immediately.
In conclusion, if a cloud provider is asked whether its cloud services are PoPI compliant, the appropriate response is to ask whether the client is compliant with PoPI and has taken the technical and operational measures to secure their personal information within their business environment. The cloud provider is only there to help customers achieve compliance and work with them on their journey to PoPI compliance.