Contact

Information Regulator publishes POPIA and PAIA operational readiness plans

Back to top

Information Regulator publishes POPIA and PAIA operational readiness plans

The South African Information Regulator has published Operational Readiness Plans (ORPs) in respect of the Protection of Personal Information Act 4 of 2013 (POPIA) and the Promotion of Access to Information Act 2 of 2000 (as amended by POPIA) (PAIA), respectively, in order to ensure that its operating environment is prepared to effectively promote and protect the rights to privacy and access to information.

26 Aug 2020 4 min read Technology, Media & Telecommunications Alert Article

Actions to be undertaken in relation to POPIA

Some of the salient actions that the Information Regulator plans to take during the forthcoming months in terms of the POPIA ORP include:

  • The development of a guide which will provide public bodies (and potentially certain private bodies) with guidance on when POPIA will not apply to their processing activities which involve the interests of national security.
  • The provision of guidance on how data subjects are to be notified of data breaches in respect of their personal information, as well as on the manner in which responsible parties would be required to publicise such data breaches.
  • The development of application forms for responsible parties to complete to request authorisation from the Information Regulator to process (i) special personal information; and/or (ii) the personal information of children. A responsible party would require such authorisation where its processing of the personal information in question does not fall within one of the general authorisations (e.g. obtaining consent) for the processing of such personal information, either under section 27 (in respect of special personal information) or under section 35(1) (in respect of the personal information of children). To bring such an application, the processing by the responsible party would need to be in the ‘public interest’, and the responsible party would need to have put ‘appropriate safeguards’ in place to protect the personal information in question. In this regard, the Information Regulator will provide responsible parties with the following guidance in order to assist them in successfully bringing such applications: (i) a definition/list of acceptable public interest processing activities; and (ii) a definition/explanation of the technical and organisational requirements that will be deemed appropriate in relation to the responsible party’s security safeguards.
  • The development of regulations relating to the specific authorisation to process special personal information concerning a data subject’s health or sex life (Health Data) under section 32 of POPIA. These regulations will be of particular importance in light of the vast processing of Health Data in the context of the COVID-19 pandemic. POPIA allows certain responsible parties (such as healthcare institutions, medical schemes, schools and employers) to process Health Data subject to requirements provided for under section 32 of POPIA. The proposed regulations relating to this section will presumably provide more detail on the specific instances in which the relevant responsible parties will be authorised to process Health Data in accordance with POPIA.
  • The issuing of codes of conduct that will apply to specific sectors under Chapter 7 of POPIA. These codes of conduct may apply in relation to any specified information, body, activity, industry, profession or vocation, and will essentially speak to the practical application of POPIA within the specified sectors in question.
  • The development of guidelines on trans-border information flows, automated decision making and profiling.

In addition to the above, the POPIA ORP lists several actions of an administrative nature that the Information Regulator plans to take in respect of its appointment of staff members, its internal structures and functions, and several of its powers and duties.

Actions to be undertaken in relation to PAIA

For PAIA, the Information Regulator plans to take some of the following steps as part of the ORP:

  • The approval of the Information Regulator’s PAIA manual under section 14(1) of PAIA – which requires the Information Regulator (as a public body) to compile a manual containing, inter alia: (a) a description of its structure and functions; (b) its postal and street address; (c) sufficient detail to facilitate a request by a data subject for access to a record held by the Information Regulator; and (d) a description of the remedies available to a data subject in the event that the Information Regulator acts in a manner contrary to (or fails to act in accordance with) the provisions of PAIA.
  • The development and conducting of educational programmes.
  • The training of information officers and deputy information officers of public bodies.
  • The development of regulations for lodging a complaint with the Information Regulator.

Conclusion

The successful implementation of the planned actions in the POPIA ORP by the Information Regulator will provide responsible parties, operators, data subjects and data protection practitioners alike with important clarification on the interpretation of several provisions in POPIA – clarification which has been long awaited since the initial promulgation of POPIA in 2013.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

18 May 2023

by Desmond Odhiambo, Imraan Mahomed, Tendai Jangara and Thabang Rapuleng

Harassment in the workplace: Risks, Regulation and Rights

The Employment Law team from CDH and Gateley hosted a webinar titled: Harassment in the workplace: Risks, Regulation and Rights.

Employment Law

1:02:13 Hours

14 Jul 2023

by Louis Botha

Measuring Good Cause – A discussion on the case of Taxpayer N v The Commissioner for the South African Revenue Service

Adhering to court processes, no matter how trivial the compliance procedure may be, has always been paramount to one’s expression of respect to the court and the overall facilitation of smooth litigious proceedings. But the waters often get murky when an overstep of court procedure on the one side is countered by an argument of lack of merit on the other side.

Tax & Exchange Control

4 min read

26 Sep 2023

by Fiona Leppan, Kgodisho Phashe and Tyler Lillienfeldt

The over-sensitivities of an individual employee do not amount to harassment or unfair discrimination

In the recent decision of La Foy v Department of Justice and Constitutional Development and Others 1952/2017 , the Labour Court dismissed an application by an employee who sought relief as a result of alleged harassment by her employer, together with a plea for the reassignment of her job responsibilities, and a claim for compensation.

Employment Law

3 min read

5 Feb 2024

by Abednego Mutie

Electronic Travel Authorisation: Visa in disguise?

During Kenya’s 60 th independence anniversary celebrations on 12 December 2023, the president directed that Kenya will be a visa-free country, effective from January 2024. This development in the immigration sector is now implemented through the electronic Travel Authorisation (eTA) system that was unveiled on 5 January 2024. Notably, the eTA system departs from the public understanding of a visa-free experience as travellers (including infants and children) are required to obtain the document before embarkment. Travellers who expected a seamless entry into the country have aired their disappointment with the unexpected costs and additional documentation for persons from initially visa-exempt countries

Immigration

5 min read

1 Nov 2023

by Thandiwe Nhlapho

Joint ventures: To incorporate or not?

Once business partners have agreed on a joint venture (JV) as a suitable business structure, one of the initial considerations is often whether or not the JV should be incorporated. Making this decision will depend on myriad factors ranging from formation, financing, ownership of assets, regulatory, taxes, commercial considerations to dissolution.

Corporate & Commercial Law

3 min read

21 Feb 2024

by Emil Brincker

Pillar 2 has arrived in South Africa

The release of the highly anticipated discussion document for South Africa pertaining to the implementation of Pillar 2 has not disappointed. Apart from the administrative burden on South African multi-national entities (MNEs), South Africa was one of the more than 130 countries that agreed during October 2021 to implement a minimum 15% corporate tax rate for MNEs with a global turnover in excess of €750 million. This is part of the two-pillar approach that arose out of the Base Erosion and Profit Shifting (BEPS) project of the Organisation for Economic Co-operation and Development (OECD) that aims to end “ the race to the bottom ” on tax rates that has been published as part of the efforts to tax the digital economy framework.

Tax & Exchange Control

4 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline