Contact

One step closer to POPIA becoming fully effective

Back to top

One step closer to POPIA becoming fully effective

The Protection of Personal Information Act, No 4 of 2013 (POPIA) was promulgated into law in November 2013. The primary purpose of POPIA is to promote the protection of personal information processed by public and private entities and regulate the manner in which such entities may collect, collate, store, disclose and destroy personal information. POPIA also seeks to align South African legislation with international legislation regarding the requirements for the lawful processing of personal information. 

15 Sep 2017 7 min read Employment and Technology & Sourcing Alert Article

On 11 April 2014, only s1, s112, s113 and Part A of Chapter 5 of POPIA came into effect and these sections essentially deal with the definitions, establishment of the Information Regulator, regulations and the procedure for making such regulations.

Pursuant to the establishment of the Information Regulator and in accordance with s112 and s113 of POPIA, the Information Regulator released draft Protection of Personal Information Act Regulations (Regulations) on Friday, 8 September 2017 under Government Notice 709 of 2017. The publication of the draft Regulations for public comment brings South Africa a step closer towards POPIA becoming fully effective.

The draft Regulations set out detailed procedures on the practical implementation of POPIA and seek to regulate the following administrative issues: 

  • the manner in which an objection to the processing of personal information can be made;
  • requests for the correction or deletion of personal information or the destruction or deletion of a record of personal information;
  • duties and responsibilities of information officers;
  • applications for the Information Regulator to issue industry codes of conduct;
  • the manner in which consent is requested for processing of personal information for direct marketing by means of unsolicited electronic communications;
  • submission of complaints or grievances;
  • the Information Regulator acting as a conciliator during an investigation;
  • the notification requirements of the Information Regulator to provide notification and information to all affected parties to a compliant/investigation; and
  • the notification requirements of the Information Regulator to provide notification to affected parties of its intention to carry out assessments or relating to a request by a third party to do so. 

The draft Regulations also provide for various prescribed forms which are required to be utilised when requests
or complaints are submitted. 

Duties and responsibilities of Information Officers

The draft Regulations specifically deal with the duties and responsibilities of Information Officers (who are required to be appointed in terms of POPIA by every responsible party). The definition of an Information Officer, in a private body, is accorded the same definition as the “head” of a private body contemplated in s1 of the Promotion of Access to Information Act, No 2 of 2000 (PAIA), which states as follows:

(a)      in the case of a natural person, that natural person or any person duly authorised by that natural person;

(b)      in the case of a partnership, any partner of the partnership or any person duly authorised by the partnership;

(c)      in the case of a juristic person:

(i)       the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or

(ii)      the person who is acting as such or any person duly authorised by such acting person.

In terms of s55(2) of POPIA, Information Officers must only take up their duties as prescribed in POPIA after the relevant responsible party has registered them with the Information Regulator. The draft Regulations do not, however, provide details on the registration process for appointed Information Officers. A responsible party is any public or private employer or any other person which, alone or in conjunction with others, determines the means and purpose of processing personal information. Essentially, all employers must ensure compliance with the appointment of an Information Officer.  

It is important to ensure that companies duly appoint an Information Officer, if one has not already been appointed, to be registered with the Information Regulator once POPIA is in full force and effect. In terms of the draft Regulations, the Information Officer will have to take charge of the compliance requirements set out in POPIA on behalf of the responsible party. These requirements include ensuring that:

  • a compliance framework is implemented;
  • adequate measures and standards are put in place to comply with POPIA;
  • preliminary assessments are conducted; 
  • a manual for the purpose of PAIA and POPIA is developed and is made available for inspection;
  • internal measures and adequate systems are put in place to process requests for, or access to, personal information; and
  • POPIA awareness training is provided. 

The draft Regulations introduce very specific obligations and requirements of Information Officers and while drafted using broad language, the requirements to develop a compliance framework, ensure adequate measures and standards are in place, and to develop a combined PAIA and POPIA manual place specific additional obligations on the Information Officer and would require formal documentation to be prepared. 

Objections to processing of personal information and requests for correction or deletion of records.

Section 11(3)(a) of POPIA provides that a data subject may object to the processing of personal information in the prescribed manner and on reasonable grounds. In terms of s24(1) of POPIA, a data subject may, in the prescribed manner, request a responsible party to:

  • correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or 
  • destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain.

The draft Regulations give effect to the above sections and provide prescribed forms to be used to object to the processing of personal information, or to request the correction or deletion of personal information. An oversight in the draft Regulations appears to be that these forms only provide for requests from a natural person. As POPIA applies to both natural and juristic data subjects, the forms should cater for both.

Businesses need to familiarise themselves with these requirements and adopt appropriate internal mechanisms to properly deal with any such requests. This would include ensuring that internal procedures are in place to comply with the specific obligations contained in the draft Regulations requiring that a responsible party assist a data subject with completing the prescribed forms. 

From an employment perspective, employers must ensure that their employees are fully informed of their personal information which is processed and mechanisms should be put in place to allow employees to either object to the processing of such information, or correct or delete such information. The employee’s request must, however, be reasonable and not impede the employer’s ability to obtain the employee’s personal information required for the compliance of any other employment legislation. 

Consent for purposes of direct marketing

Section 69 of POPIA provides for instances in which personal information may be used for the purposes of direct marketing through unsolicited electronic communications. One such instance is where the data subject has consented to the use of his/her/its personal information for direct marketing purposes. In this regard, s69(2)(b) requires that a data subject’s consent be obtained in the prescribed manner and form. The draft Regulations give effect to this section by providing for a very detailed consent form, which requires, among other things, that: 

  • specific reference is made to s69 of POPIA;
  • the data subject is made aware of what the terms “processing” and “personal information” mean in terms of POPIA, before being requested to provide consent; 
  • the consent is obtained in relation to the goods and/or services specified on the form; and
  • specific consent is obtained in respect of each means of electronic communication (that is fax, email, SMS or other).

Should the draft Regulations and the relevant form (Form 4) remain in the current form, responsible parties who typically rely on consents for direct marketing obtained through tick boxes in online terms (such as e-commerce businesses) will need to find a way to substantially incorporate the content of Form 4 at the time of obtaining consent. Furthermore, in light of the fact that the draft Regulations require specific reference to be made to POPIA in the consent form, multi-national organisations relying on generic consents will need to reconsider the manner in which they obtain consents from South African data subjects.

Invitation for input on rules for processing personal information concerning a data subject’s health or se(x) life.

The processing of special personal information (which includes information concerning the health and se(x) life of a data subject) is prohibited unless an authorisation in terms of s27 of POPIA applies. In this regard, s32(1)(b) and s32(1)(f) of POPIA mention circumstances in which insurance companies; medical schemes and their administrators; managed healthcare organisations; administrative bodies; pension funds; employers; or institutions working with them may process personal information concerning a data subject’s health or se(x) life. The Government Notice published with the draft Regulations invites interested parties to provide input and comments in respect of more detailed rules that may be prescribed concerning the application of s32(1)(b) and s32(1)(f).

Call for public comment

Members of the public are invited to comment on the draft Regulations and the deadline for submissions is 7 November 2017. Given this deadline, it is likely that the Regulations will be tabled before Parliament before the end of the year and it is anticipated that POPIA will be fully effective in 2018. Once the date of commencement of the operative provisions of POPIA is announced, all affected parties have a grace period of at least one year to ensure that their operations, policies and procedures are POPIA compliant. 

It is therefore important for all businesses and employers in both the public and private sectors to take steps to assess the level of compliance within their organisations and appoint Information Officers in order to ensure compliance and avoid potential penalties under POPIA. 

Written by Samiksha Singh, Preeta Bhagattjee and Christoff Pienaar (assisted by Bilal Bokhari and Aphindile Govuza)

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

14 Mar 2024

by Richard Marcus, Belinda Scriba and Sentebale Makara

Webinar Recording | Your land or mine?

A review of the law and trends in relation to unlawful occupation, both rural and urban.

01:30:08 Minutes

28 Jun 2023

by Muzammil Ahmed and Simone Dickson

Part Two: Should I ask my lawyer or should I just ChatGPT it?

In Part One, we explored ChatGPT’s capabilities in the legal field, and we saw both its impressive potential and significant limitations. Now, in Part Two, we delve deeper into the potential consequences for legal professionals relying solely on AI tools, such as ChatGPT, by considering a real-life scenario that sheds light on the importance of accuracy, ethics and the indispensable role of human judgement.

Corporate & Commercial Law

4 min read

22 Feb 2024

by Emil Brincker and Gerhard Badenhorst

Webinar Recording | Overview of the 2024 Budget Speech

1:19:58 Minutes

25 Apr 2024

by Thandiwe Nhlapho

No blissful ignorance for non-compliance: The Turquand rule and section 20(7) in the context of special resolutions and fundamental transactions

The Turquand rule has been discussed and fairly applied in the South African jurisprudence. However, an interesting question remains as to whether the Turquand rule or section 20(7) of the Companies Act 71 of 2008 (Companies Act) can be used to compel a party to implement a transaction where the party has not complied with the applicable provisions of the Companies Act requiring a special resolution of shareholders for the disposal of all or a greater part of the company’s assets or undertaking, amalgamation or merger, or a scheme of arrangement (fundamental transactions). The jurisprudence has adopted the take-no-prisoners approach sofar. 

Corporate & Commercial Law

4 min read

19 Feb 2024

by Thabang Rapuleng and Malesela Letwaba

Discrimination v differentiation: A remuneration dispute

In 2003, the City of Johannesburg Metropolitan Municipality (Municipality) took a decision to make use of fixed-term contracts of employment for certain positions. In doing so, the Municipality invited permanent employees to convert their contracts of employment to fixed-term contracts, albeit on equal terms (converting employees). As an incentive, the converting employees were offered a salary increase of between 5% and 10%, as well as payment of an annual performancebonus. 

Employment Law

4 min read

11 Mar 2024

by Tayyibah Suliman and Zachary Kokosioulis

CIPC hack: What we know and how to mitigate the risk

The Companies and Intellectual Property Commission of South Africa (CIPC), which falls under the Department of Trade, Industry and Competition and is responsible for maintaining the country’s business and intellectual property registrations, released a statement regarding a data breach which compromised its systems on 29 February2024. 

Technology & Communications

2 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline