9 March 2021 by , and Dispute Resolution Alert

Protection of Personal Information Act 4 of 2013: Regulations 5 and Guidelines for the development of codes of conduct

On 26 February 2021, the Information Regulator (Regulator) published the Regulations Relating to the Protection of Personal Information, 2018, GN R1383/2018 (Regulations) dealing with Regulation 5 which came into force with effect from 1 March 2021. The Regulations also set out Regulation 4, which comes into effect on 1 May 2021, as well as the residual Regulations that will be commencing on 1 July 2021. In consideration of the recently published Regulations, with specific reference to Regulation 5, the Regulator also published the Guidelines to Develop Codes of Conduct in terms of section 65 of the Protection of Personal Information Act, 2013 - GN 75/2021 (Guidelines), to assist businesses with the preparation of codes of conduct that complies with Regulation 5. This Alert focuses on the impact and consequences of Regulation 5.

Regulation 5

Regulation 5 deals with the application for issuing codes of conduct. This Regulation was published in relation to codes of conduct that are issued in terms of section 60 and 61 of the Protection of Personal Information Act (No. 4 of 2013) (POPI). In terms of section 60(2)(a) and (b) of POPI, a code of conduct must:

  • incorporate all the conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions; and
  • prescribe how the conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features of the sector or sectors of society in which the relevant responsible parties are operating.

In the event any private or public body wishes to apply for the issuing of a code of conduct in terms of section 61(1)(b) of POPI, Regulation 5 states that such public or private body must submit an application to the Regulator on Form 3.

The Guidelines

The Guidelines serve as an explanatory aid to Chapter 7 of POPI, providing guidance on the development of codes of conduct to assist relevant bodies in setting an applicable minimum criteria and evaluation standards so that there is transparency relating to the requirements for the approval of a code of conduct.

Who may make a code and why?

The Regulator at its own initiative, or a relevant body, may make a code of conduct (code). A relevant body is defined in the Guidelines as any specific body or class of bodies, either private or public, from a specified industry, profession, vocation; or class, industries, professions or vocations that in the opinion of the Regulator has sufficient representation. A relevant body intending on developing a code should provide notice to the Regulator of its intention to do so.

The purpose of a code, as set out in the Guidelines, is to establish a voluntary accountability tool and to promote transparency for relevant bodies on how personal information should be processed. The Guidelines are intended to be used by relevant bodies considering developing a code, the Regulator in developing a code at its own initiative, stakeholders considering a proposed code or stakeholders, and relevant bodies considering a proposed code from the Regulator.

What is a validly issued code?

A code is always subject to POPI, the Regulations and the Guidelines, with POPI being the main anchor in setting out the minimum requirements for a code and how it should apply in Chapter 7. Before developing a code, a relevant body must ensure that it has sufficient resources for, among others, legal advice, drafting and scoping, investigating the need for the code, and involving stakeholders in effective consultations in drafting the code.

A code must be in writing, in a form that prescribes how the conditions of lawful processing of personal information are to be applied and complied with, given the features applicable to the sector of the relevant body. In accordance with Chapter 7 of POPI, appropriate measures for, among other things, protecting legitimate interests of data subjects insofar as automated decision making is concerned, and providing for the expiry of the code within a minimum of 5 years, must be specified in the code.

If the code is issued by the Regulator’s own initiative in terms of section 61(1)(a) of POPI, they may issue the code after consultation with relevant stakeholders, and consideration has been given to the comments raised in such consultation. The Regulator must ensure that participation in the consultation is accessible to all affected persons. The Regulator may notify relevant stakeholders of the consultation in the following ways:

  • a notice in the Gazette.
  • a draft of a code can be made publicly available.
  • an invitation to the public to make written submissions which the Regulator must consider.

If the code is submitted by application by a relevant body in terms of section 61(1)(b) of POPI, the application must be made in the form and manner prescribed by Regulation 5 (Form 3) and must be accompanied by certain documentation as detailed in the Guidelines, such as, among others, a copy of the proposed code being applied for and the methods that were employed by the relevant body to consult the relevant stakeholders. The Regulator must acknowledge receipt of the application within a period not exceeding 14 days after submission and a decision by the Regulator must be given within a period not exceeding 13 weeks.

How do I ensure my code is compliant?

Relevant bodies must submit annual reports to the Regulator from one year after the code has been issued. Should parties not provide these reports, or indicate lack of compliance with the code, the Regulator may make a decision to review, revoke or vary a code.

The relevant bodies which are bound by the code have a duty to report systemic issues or serious violations of a code to the Regulator as soon as they become aware of them.

If a code sets out procedures for making and dealing with complaints, the Regulator must be satisfied that the code meets the standards prescribed in terms of the Guidelines.

The Regulator’s powers in relation to an approved code

Failure by any relevant body to comply with an issued code is deemed to be a breach of the conditions for the lawful processing of personal information, in accordance with Chapter 3 of POPI and is dealt with in terms of Chapter 10 of POPI which includes the right to submit a complaint in terms of section 74, the investigative process of the Regulator in terms of section 81, the issuing of an Enforcement Notice in terms of section 95 and the civil remedies available in terms of section 99.

The Regulator may, on its own initiative, review the operation of an approved code with a five-year period of its enforcement or when deemed necessary. The relevant body will be notified in writing when the Regulator decides to review the applicable code and will be consulted during the review process. Following the review process of the code, the Regulator may decide to revoke the approved code.

The Regulator may also approve the variation of a code in writing. A variation may occur:

1)    when the relevant body applies for variation, or

2)    on the Regulator’s own initiative.

The Regulator may consult with relevant bodies bound to the code and affected persons before deciding whether to approve a variation. Once approved, the relevant body must publish the varied code on its website within 14 days from the date of publication of the varied code in the Gazette. An application to vary an approved code must be in the form and manner prescribed in the Guidelines.

The Regulator may also revoke an approved code on application by one or more relevant bodies or any relevant body bound by a code, or on the Regulator’s own initiative, after consideration of various factors as detailed in the Guidelines, such as:

  • a change in industry practices, technology or expectations of affected persons that may impact the effective operation of a code; or
  • the lack of compliance with an approved code.

In revoking an approved code, the Regulator will undertake a consultation in a similar process as for the variation of an approved code. In the event an approved code is revoked, the Regulator must:

1)    notify the relevant body of the decision to revoke the code including the date of revocation;

2)    publish a notice of the revocation on the Regulator’s website and in the Gazette; and

3)   remove the approved code from the register.

The Guidelines are a great tool and guide to assist all relevant bodies and affected persons, both public and private, with preparing of a code of conduct and its subsequent submission. This is just one of many steps that businesses can take towards being fully POPI complaint and protecting your business from any consequences that may stem from non-compliance.

Please contact us should you need any assistance with developing a code, submitting any application for a code, or having to make any submissions in regard to any developing code, or variance or revocation of any existing code.

download PDF

The information and material published on this website is provided for general purposes only and does not constitute legal advice.

We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter.

We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages.

Please refer to the full terms and conditions on the website.

Copyright © 2021 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com

You may also be interested in