POPI Regulations – An Overview

The Protection of Personal Information Act No 4 of 2013 (POPI) has a number of lofty and noble objectives. For example, it is intended to promote the protection of personal information processed by public and private bodies (and to introduce certain conditions so as to establish minimum requirements for the processing of personal information). It also provides for the establishment of an “Information Regulator”, mandated to exercise certain powers and to perform certain duties and functions in terms of POPI and the Promotion of Access to Information Act, 2000 (PAIA).

22 Jan 2020 4 min read Corporate & Commercial Alert Article

At the time of writing, only certain provisions of POPI have come into force (such as those mandating the establishment of the Information Regulator contained in Chapter 5). However, the primary provisions dealing with personal information and direct marketing are not yet operative.

In December 2018, the Information Regulator published regulations as contemplated in section 112(2) of POPI (the Regulations). These concern:

(1)   certain prescribed forms;

(2)   the responsibilities of what are referred to as “Information Officers”, in addition to those responsibilities contained in the Act;

(3)   investigation, conciliation, and settlement of complaints; and

(4)   the process to be followed should a public or private body wish to apply to the Information Regulator for the issuing of a “code of conduct”.

The Regulations are not yet operative. Presumably they will be proclaimed to be effective when the remainder of POPI is brought into force and effect.

Below is a brief overview of the Regulations.

Prescribed forms relating to the Information Regulator

The regulations prescribe certain forms to be completed, among other things, in relation to the following matters:

  1. Where a “data subject” (defined in POPI as the person to whom the personal information relates) wishes to object to the processing of personal information.
  2. Where a data subject wishes to request a correction be made to their personal information, or the deletion or destruction of their personal information.
  3. The submission of a complaint by a data subject to the Information Regulator.
  4. The request by a holder of personal information for the data subject’s consent to process their personal information for direct marketing.

The prescribed forms accompany the regulations and provide a first step towards the practical enforcement of provisions of POPI when ultimately enacted.

Information Officers

The regulations also set out the responsibilities of so-called “Information Officers”. In terms of Section 56 of POPI, read with Section 17 of PAIA, public and private bodies are required to appoint Information Officers. An Information Officer is responsible for ensuring compliance with POPI and PAIA. In addition to encouraging compliance with POPI and PAIA, Information Officers are required to:

  1. develop, implement, monitor and maintain a compliance framework;
  2. undertake a personal information impact assessment to ensure that adequate measures and standards exist;
  3. develop, monitor and maintain an access to information manual (i.e. a PAIA manual);
  4. develop internal measures and systems to process requests for information or access; and
  5. conduct internal awareness sessions.

Investigation, conciliation, and settlement of complaints

The Regulations also provide further information in respect of the Regulator’s powers and duties as regards pre-investigation, conciliation, and settlement of complaints. This is, however, primarily in respect of the prescribed forms required to be completed by the Regulator in respect of the necessary notifications to be made to the relevant parties.

The notifications include the following:

  • As regards pre-investigation proceedings, if the Regulator intends to investigate any matter, the Regulator must notify the parties prior to conducting the investigation.
  • During the course of an investigation, the Regulator must keep the complainant, the data subject (if not the complainant) and the responsible party informed of the developments of the investigation.
  • If, during the investigation of a complaint, the Regulator decides to act as a conciliator and convene a conciliation meeting, the Regulator must inform the data subject and responsible party implicated on the complaint form.
  • If it appears from a complaint, any written reply to the complaint, or during a conciliation meeting that it may be possible to secure a settlement between the parties, the Regulator may confer with the parties as required, and may hold a settlement meeting.

Industry codes of conduct

Section 5 of the Regulations provides that a “private or public body which is sufficiently representative of any class of bodies, or of any industry, profession or vocation” may apply to the Information Regulator for the issuing of a “code of conduct” as contemplated in Section 61(1)(b) of POPI. In terms of Section 60 read with Section 61 of POPI, the legislature has seemingly contemplated that the Information Regulator may issue codes of conduct that are binding on a specified class of persons (or class of information), and must:

(1)   incorporate all the conditions for the lawful processing of information; and

(2)   prescribe how the conditions for the lawful processing of information are to be applied or complied with, given the sector in which the class of persons operate.

The publication of the Regulations is a first step toward empowering the Information Regulator (and Information Officers) to discharge their functions under POPI and PAIA. As noted, they are yet to come into force and effect. In the interim, public and private bodies would be well advised to consider how they could best comply, among other things, by providing for the appointment of Information Officers, and possibly even considering how best to formulate codes of conduct which may be proposed to the Information Regulator, as opposed to waiting for the Information Regulator to impose them.

Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved.