26 August 2020 by , and Technology, Media & Telecommunications Alert

Information Regulator publishes POPIA and PAIA operational readiness plans

The South African Information Regulator has published Operational Readiness Plans (ORPs) in respect of the Protection of Personal Information Act 4 of 2013 (POPIA) and the Promotion of Access to Information Act 2 of 2000 (as amended by POPIA) (PAIA), respectively, in order to ensure that its operating environment is prepared to effectively promote and protect the rights to privacy and access to information.

Actions to be undertaken in relation to POPIA

Some of the salient actions that the Information Regulator plans to take during the forthcoming months in terms of the POPIA ORP include:

  • The development of a guide which will provide public bodies (and potentially certain private bodies) with guidance on when POPIA will not apply to their processing activities which involve the interests of national security.
  • The provision of guidance on how data subjects are to be notified of data breaches in respect of their personal information, as well as on the manner in which responsible parties would be required to publicise such data breaches.
  • The development of application forms for responsible parties to complete to request authorisation from the Information Regulator to process (i) special personal information; and/or (ii) the personal information of children. A responsible party would require such authorisation where its processing of the personal information in question does not fall within one of the general authorisations (e.g. obtaining consent) for the processing of such personal information, either under section 27 (in respect of special personal information) or under section 35(1) (in respect of the personal information of children). To bring such an application, the processing by the responsible party would need to be in the ‘public interest’, and the responsible party would need to have put ‘appropriate safeguards’ in place to protect the personal information in question. In this regard, the Information Regulator will provide responsible parties with the following guidance in order to assist them in successfully bringing such applications: (i) a definition/list of acceptable public interest processing activities; and (ii) a definition/explanation of the technical and organisational requirements that will be deemed appropriate in relation to the responsible party’s security safeguards.
  • The development of regulations relating to the specific authorisation to process special personal information concerning a data subject’s health or sex life (Health Data) under section 32 of POPIA. These regulations will be of particular importance in light of the vast processing of Health Data in the context of the COVID-19 pandemic. POPIA allows certain responsible parties (such as healthcare institutions, medical schemes, schools and employers) to process Health Data subject to requirements provided for under section 32 of POPIA. The proposed regulations relating to this section will presumably provide more detail on the specific instances in which the relevant responsible parties will be authorised to process Health Data in accordance with POPIA.
  • The issuing of codes of conduct that will apply to specific sectors under Chapter 7 of POPIA. These codes of conduct may apply in relation to any specified information, body, activity, industry, profession or vocation, and will essentially speak to the practical application of POPIA within the specified sectors in question.
  • The development of guidelines on trans-border information flows, automated decision making and profiling.

In addition to the above, the POPIA ORP lists several actions of an administrative nature that the Information Regulator plans to take in respect of its appointment of staff members, its internal structures and functions, and several of its powers and duties.

Actions to be undertaken in relation to PAIA

For PAIA, the Information Regulator plans to take some of the following steps as part of the ORP:

  • The approval of the Information Regulator’s PAIA manual under section 14(1) of PAIA – which requires the Information Regulator (as a public body) to compile a manual containing, inter alia: (a) a description of its structure and functions; (b) its postal and street address; (c) sufficient detail to facilitate a request by a data subject for access to a record held by the Information Regulator; and (d) a description of the remedies available to a data subject in the event that the Information Regulator acts in a manner contrary to (or fails to act in accordance with) the provisions of PAIA.
  • The development and conducting of educational programmes.
  • The training of information officers and deputy information officers of public bodies.
  • The development of regulations for lodging a complaint with the Information Regulator.

Conclusion

The successful implementation of the planned actions in the POPIA ORP by the Information Regulator will provide responsible parties, operators, data subjects and data protection practitioners alike with important clarification on the interpretation of several provisions in POPIA – clarification which has been long awaited since the initial promulgation of POPIA in 2013.

The information and material published on this website is provided for general purposes only and does not constitute legal advice.

We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter.

We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages.

Please refer to the full terms and conditions on the website.

Copyright © 2020 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com

You may also be interested in