The Protection of Personal Information Act, No 4 of 2013 (POPIA) was promulgated into law in November 2013. The primary purpose of POPIA is to promote the protection of personal information processed by public and private entities and regulate the manner in which such entities may collect, collate, store, disclose and destroy personal information. POPIA also seeks to align South African legislation with international legislation regarding the requirements for the lawful processing of personal information.
On 11 April 2014, only s1, s112, s113 and Part A of Chapter 5 of POPIA came into effect and these sections essentially deal with the definitions, establishment of the Information Regulator, regulations and the procedure for making such regulations.
Pursuant to the establishment of the Information Regulator and in accordance with s112 and s113 of POPIA, the Information Regulator released draft Protection of Personal Information Act Regulations (Regulations) on Friday, 8 September 2017 under Government Notice 709 of 2017. The publication of the draft Regulations for public comment brings South Africa a step closer towards POPIA becoming fully effective.
The draft Regulations set out detailed procedures on the practical implementation of POPIA and seek to regulate the following administrative issues:
- the manner in which an objection to the processing of personal information can be made;
- requests for the correction or deletion of personal information or the destruction or deletion of a record of personal information;
- duties and responsibilities of information officers;
- applications for the Information Regulator to issue industry codes of conduct;
- the manner in which consent is requested for processing of personal information for direct marketing by means of unsolicited electronic communications;
- submission of complaints or grievances;
- the Information Regulator acting as a conciliator during an investigation;
- the notification requirements of the Information Regulator to provide notification and information to all affected parties to a complaint/investigation; and
- the notification requirements of the Information Regulator to provide notification to affected parties of its intention to carry out assessments or relating to a request by a third party to do so.
The draft Regulations also provide for various prescribed forms which are required to be utilised when requests or complaints are submitted.
Duties and responsibilities of Information Officers
The draft Regulations specifically deal with the duties and responsibilities of Information Officers (who are required to be appointed in terms of POPIA by every responsible party). In a private body, an Information Officer is defined in the same way as the “head” of a private body contemplated in s1 of the Promotion of Access to Information Act, No 2 of 2000 (PAIA), which reads as follows:
(a) in the case of a natural person, that natural person or any person duly authorised by that natural person;
(b) in the case of a partnership, any partner of the partnership or any person duly authorised by the partnership;
(c) in the case of a juristic person:
(i) the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or
(ii) the person who is acting as such or any person duly authorised by such acting person.
In terms of s55(2) of POPIA, Information Officers must only take up their duties as prescribed in POPIA after the relevant responsible party has registered them with the Information Regulator. The draft Regulations do not, however, provide details on the registration process for appointed Information Officers. A responsible party is any public or private employer or any other person which, alone or in conjunction with others, determines the means and purpose of processing personal information. Essentially, all employers must ensure compliance with the appointment of an Information Officer.
It is important to ensure that companies duly appoint an Information Officer, if one has not already been appointed, to be registered with the Information Regulator once POPIA is in full force and effect. In terms of the draft Regulations, the Information Officer will have to take charge of the compliance requirements set out in POPIA on behalf of the responsible party. These requirements include ensuring that:
- a compliance framework is implemented;
- adequate measures and standards are put in place to comply with POPIA;
- preliminary assessments are conducted;
- a manual for the purpose of PAIA and POPIA is developed and is made available for inspection;
- internal measures and adequate systems are put in place to process requests for, or access to, personal information; and
- POPIA awareness training is provided.
The draft Regulations introduce very specific obligations and requirements of Information Officers and while drafted using broad language, the requirements to develop a compliance framework, ensure adequate measures and standards are in place, and to develop a combined PAIA and POPIA manual place specific additional obligations on the Information Officer and would require formal documentation to be prepared.
Objections to processing of personal information and requests for correction or deletion of records
Section 11(3)(a) of POPIA provides that a data subject may object to the processing of personal information in the prescribed manner and on reasonable grounds. In terms of s24(1) of POPIA, a data subject may, in the prescribed manner, request a responsible party to:
- correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
- destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain.
The draft Regulations give effect to the above sections and provide prescribed forms to be used to object to the processing of personal information, or to request the correction or deletion of personal information. An oversight in the draft Regulations appears to be that these forms only provide for requests from a natural person. As POPIA applies to both natural and juristic data subjects, the forms should cater for both.
Businesses need to familiarise themselves with these requirements and adopt appropriate internal mechanisms to properly deal with any such requests. This would include ensuring that internal procedures are in place to comply with the specific obligations contained in the draft Regulations requiring that a responsible party assist a data subject with completing the prescribed forms.
From an employment perspective, employers must ensure that their employees are fully informed of which of their personal information is processed, and mechanisms should be put in place to allow employees to either object to the processing of such information, or to correct or delete such information. The employee’s request must, however, be reasonable and must not impede the employer’s ability to obtain the employee’s personal information required for compliance with any other employment legislation.
Consent for purposes of direct marketing
Section 69 of POPIA provides for instances in which personal information may be used for the purposes of direct marketing through unsolicited electronic communications. One such instance is where the data subject has consented to the use of his/her/its personal information for direct marketing purposes. In this regard, s69(2)(b) requires that a data subject’s consent be obtained in the prescribed manner and form. The draft Regulations give effect to this section by providing for a very detailed consent form, which requires, among other things, that:
- specific reference is made to s69 of POPIA;
- the data subject is made aware of what the terms “processing” and “personal information” mean in terms of POPIA, before being requested to provide consent;
- the consent is obtained in relation to the goods and/or services specified on the form; and
- specific consent is obtained in respect of each means of electronic communication (that is fax, email, SMS or other).
Should the draft Regulations and the relevant form (Form 4) remain in the current form, responsible parties who typically rely on consents for direct marketing obtained through tick boxes in online terms (such as e-commerce businesses) will need to find a way to substantially incorporate the content of Form 4 at the time of obtaining consent. Furthermore, in light of the fact that the draft Regulations require specific reference to be made to POPIA in the consent form, multi-national organisations relying on generic consents will need to reconsider the manner in which they obtain consents from South African data subjects.
Invitation for input on rules for processing personal information concerning a data subject’s health or sex life
The processing of special personal information (which includes information concerning the health and sex life of a data subject) is prohibited unless an authorisation in terms of s27 of POPIA applies. In this regard, s32(1)(b) and s32(1)(f) of POPIA mention circumstances in which insurance companies; medical schemes and their administrators; managed healthcare organisations; administrative bodies; pension funds; employers; or institutions working with them may process personal information concerning a data subject’s health or sex life. The Government Notice published with the draft Regulations invites interested parties to provide input and comments in respect of more detailed rules that may be prescribed concerning the application of s32(1)(b) and s32(1)(f).
Call for public comment
Members of the public are invited to comment on the draft Regulations and the deadline for submissions is 7 November 2017. Given this deadline, it is likely that the Regulations will be tabled before Parliament before the end of the year and it is anticipated that POPIA will be fully effective in 2018. Once the date of commencement of the operative provisions of POPIA is announced, all affected parties have a grace period of at least one year to ensure that their operations, policies and procedures are POPIA compliant.
It is therefore important for all businesses and employers in both the public and private sectors to take steps to assess the level of compliance within their organisations and appoint Information Officers in order to ensure compliance and avoid potential penalties under POPIA.