As many of you will be aware, South Africa promulgated the Protection of Personal Information Act 4 of 2013 (“PoPI”) on 26 November 2013. Notwithstanding this however, PoPI will only come into effect on the publishing of the enactment date by the President in the South African Government Gazette. When the enactment date is published, companies in South Africa will have 12 months to bring their practices and processes in line with the requirements of PoPI and its 8 conditions for lawful processing of personal information.
There was little sign of movement on the enactment date and then, on 11 April 2014, via proclamation in the Government Gazette it was announced that certain sections of PoPI would come into effect on 11 April 2014 (“the April enactment”). The relevant sections of PoPI which are now in effect are:
- Section 1 – the definitions;
- Part A of Chapter 5 – all sections relating to the Information Regulator including (amongst others):
- Section 39 - Establishment of the Information Regulator,
- Section 41 – Appointment, term of office and removal of members of the Regulator;
- Section 112 – Regulations; and
- Section 113 – Procedure for making regulations.
In essence, the South African government enacted those sections of PoPI which are necessary for the establishment of the Information Regulator, as well as those sections which relate to the Information Regulator’s powers to make Regulations relevant or needed under PoPI. The enactment of these sections should have acted as a warning to all South African entities to increase in earnest their efforts to prepare for the enactment of PoPI.
If the April enactment did little to entice you to pick up the pace within your organisation regarding PoPI compliance, then the appointment of the members and Chairperson of the Information Regulator should certainly act as a “shot across the bow”. The appointment of the Chairperson and members of the Regulator takes place on recommendation from the National Assembly to the President, and as such there may yet be some political waters to be sailed. Once appointed though, it would not be a surprise if the South African government were to delay the enactment of the remaining provisions of PoPI so as to give the Information Regulator time to set their course and approach following enactment.
These delays should not be seen as further reasons to delay dealing with this issue. Far from it, they should act as spurs to increase your activities and actions so that you are able to identify what personal information you have and to perform the necessary due diligence in relation to the processing of that personal information. Do not forget that there will be at least 2 aspects to this due diligence exercise:
- consideration of personal information that belongs to your workforce (this may include not only permanent staff, but also temporary staff, contractors and other individuals who make up your workforce) where you as a company will be the responsible party (“HR personal information”); and
- consideration of personal information that belongs to other third parties including your customers, suppliers, service providers amongst others where you may or may not be the responsible party (“customer personal information”).
The considerations in relation to the above categories and how they relate to the 8 conditions for lawful processing of personal information will be different not only in relation to the broad categories of HR and customer personal information, but also on a more granular level, for example:
- HR personal information relating to performance appraisals will have a different set of considerations and limitations than that personal information which will be needed for payment of a salary; or
- customer personal information gathered for the delivery of a product will have different considerations from customer information collected and used for direct marketing purposes.
The rumours are already circulating that the appointment of the Chairperson and members may happen shortly. As such, now is the time for all South African entities to step up their efforts in preparing for the enactment of PoPI. Our experience tells us that 12 months (the grace period for South African companies to become compliant) is avery short period of time to try and get your house in order, especially if you live in a large house!