Actions to be undertaken in relation to POPIA
Some of the salient actions that the Information Regulator plans to take during the forthcoming months in terms of the POPIA ORP include:
- The development of a guide which will provide public bodies (and potentially certain private bodies) with guidance on when POPIA will not apply to their processing activities which involve the interests of national security.
- The provision of guidance on how data subjects are to be notified of data breaches in respect of their personal information, as well as on the manner in which responsible parties would be required to publicise such data breaches.
- The development of application forms for responsible parties to complete to request authorisation from the Information Regulator to process (i) special personal information; and/or (ii) the personal information of children. A responsible party would require such authorisation where its processing of the personal information in question does not fall within one of the general authorisations (e.g. obtaining consent) for the processing of such personal information, either under section 27 (in respect of special personal information) or under section 35(1) (in respect of the personal information of children). To bring such an application, the processing by the responsible party would need to be in the ‘public interest’, and the responsible party would need to have put ‘appropriate safeguards’ in place to protect the personal information in question. In this regard, the Information Regulator will provide responsible parties with the following guidance in order to assist them in successfully bringing such applications: (i) a definition/list of acceptable public interest processing activities; and (ii) a definition/explanation of the technical and organisational requirements that will be deemed appropriate in relation to the responsible party’s security safeguards.
- The development of regulations relating to the specific authorisation to process special personal information concerning a data subject’s health or sex life (Health Data) under section 32 of POPIA. These regulations will be of particular importance in light of the vast processing of Health Data in the context of the COVID-19 pandemic. POPIA allows certain responsible parties (such as healthcare institutions, medical schemes, schools and employers) to process Health Data subject to requirements provided for under section 32 of POPIA. The proposed regulations relating to this section will presumably provide more detail on the specific instances in which the relevant responsible parties will be authorised to process Health Data in accordance with POPIA.
- The issuing of codes of conduct that will apply to specific sectors under Chapter 7 of POPIA. These codes of conduct may apply in relation to any specified information, body, activity, industry, profession or vocation, and will essentially speak to the practical application of POPIA within the specified sectors in question.
- The development of guidelines on trans-border information flows, automated decision making and profiling.
In addition to the above, the POPIA ORP lists several actions of an administrative nature that the Information Regulator plans to take in respect of its appointment of staff members, its internal structures and functions, and several of its powers and duties.
Actions to be undertaken in relation to PAIA
For PAIA, the Information Regulator plans to take the following steps, among others, as part of the ORP:
- The approval of the Information Regulator’s PAIA manual under section 14(1) of PAIA – which requires the Information Regulator (as a public body) to compile a manual containing, inter alia: (a) a description of its structure and functions; (b) its postal and street address; (c) sufficient detail to facilitate a request by a data subject for access to a record held by the Information Regulator; and (d) a description of the remedies available to a data subject in the event that the Information Regulator acts in a manner contrary to (or fails to act in accordance with) the provisions of PAIA.
- The development and delivery of educational programmes.
- The training of information officers and deputy information officers of public bodies.
- The development of regulations for lodging a complaint with the Information Regulator.
The successful implementation of the planned actions in the POPIA ORP by the Information Regulator will provide responsible parties, operators, data subjects and data protection practitioners alike with important clarification on the interpretation of several provisions in POPIA – clarification which has been long awaited since the initial promulgation of POPIA in 2013.