At the time of writing, only certain provisions of POPI have come into force (such as those mandating the establishment of the Information Regulator contained in Chapter 5). However, the primary provisions dealing with personal information and direct marketing are not yet operative.
In December 2018, the Information Regulator published regulations as contemplated in section 112(2) of POPI (the Regulations). These concern:
(1) certain prescribed forms;
(2) the responsibilities of what are referred to as “Information Officers”, in addition to those responsibilities contained in the Act;
(3) investigation, conciliation, and settlement of complaints; and
(4) the process to be followed should a public or private body wish to apply to the Information Regulator for the issuing of a “code of conduct”. The Regulations are not yet operative. Presumably they will be proclaimed to be effective when the remainder of POPI is brought into force and effect.
Below is a brief overview of the Regulations.
Prescribed forms relating to the Information Regulator
The regulations prescribe certain forms to be completed, among other things, in relation to the following matters:
- Where a “data subject” (defined in POPI as the person to whom the personal information relates) wishes to object to the processing of personal information.
- Where a data subject wishes to request a correction be made to their personal information, or the deletion or destruction of their personal information.
- The submission of a complaint by a data subject to the Information Regulator.
- The request by a holder of personal information for the data subject’s consent to process their personal information for direct marketing.
The prescribed forms accompany the regulations and provide a first step towards the practical enforcement of provisions of POPI when ultimately enacted.
The regulations also set out the responsibilities of so-called “Information Officers”. In terms of Section 56 of POPI, read with Section 17 of PAIA, public and private bodies are required to appoint Information Officers. An Information Officer is responsible for ensuring compliance with POPI and PAIA. In addition to encouraging compliance with POPI and PAIA, Information Officers are required to:
- develop, implement, monitor and maintain a compliance framework;
- undertake a personal information impact assessment to ensure that adequate measures and standards exist;
- develop, monitor and maintain an access to information manual (i.e. a PAIA manual);
- develop internal measures and systems to process requests for information or access; and
- conduct internal awareness sessions.
Investigation, conciliation, and settlement of complaints
The Regulations also provide further information in respect of the Regulator’s powers and duties as regards pre-investigation, conciliation, and settlement of complaints. This is, however, primarily in respect of the prescribed forms required to be completed by the Regulator in respect of the necessary notifications to be made to the relevant parties.
The notifications include the following:
- As regards pre-investigation proceedings, if the Regulator intends to investigate any matter, the Regulator must notify the parties prior to conducting the investigation.
- During the course of an investigation, the Regulator must keep the complainant, the data subject (if not the complainant) and the responsible party informed of the developments of the investigation.
- If, during the investigation of a complaint, the Regulator decides to act as a conciliator and convene a conciliation meeting, the Regulator must inform the data subject and the responsible party implicated on the complaint form.
- If it appears from a complaint, any written reply to the complaint, or during a conciliation meeting that it may be possible to secure a settlement between the parties, the Regulator may confer with the parties as required, and may hold a settlement meeting.
Industry codes of conduct
Section 5 of the Regulations provides that a “private or public body which is sufficiently representative of any class of bodies, or of any industry, profession or vocation” may apply to the Information Regulator for the issuing of a “code of conduct” as contemplated in Section 61(1)(b) of POPI. In terms of Section 60 read with Section 61 of POPI, the legislature has seemingly contemplated that the Information Regulator may issue codes of conduct that are binding on a specified class of persons (or class of information), and must:
(1) incorporate all the conditions for the lawful processing of information; and
(2) prescribe how the conditions for the lawful processing of information are to be applied or complied with, given the sector in which the class of persons operates.
The publication of the Regulations is a first step toward empowering the Information Regulator (and Information Officers) to discharge their functions under POPI and PAIA. As noted, they are yet to come into force and effect. In the interim, public and private bodies would be well advised to consider how they could best comply, among other things, by providing for the appointment of Information Officers, and possibly even considering how best to formulate codes of conduct which may be proposed to the Information Regulator, as opposed to waiting for the Information Regulator to impose them.