South Africa’s Information Regulator released draft Protection of Personal Information Act regulations on Friday September 8 2017.
Popi (or Popia) provides for the protection of personal information in South Africa. It was passed into law in 2013, but is not yet fully effective.
The finalisation of the Popia regulations is one of two crucial steps needed to make Popia fully effective (the second is ensuring that the regulator is capacitated and able to carry out its operations). The draft regulations are, essentially, more detailed rules and procedures on the practical implementation of the Act. A review of the draft regulations shows that they are practical and relatively uncomplicated. This is of course a good thing, as there is nothing worse for a regulator (and nothing better for lawyers) than a set of regulations that twist themselves into knots.
The draft regulations expand on and regulate a number of administrative and procedural steps and obligations that Popia imposes. These steps include how to: object to the processing of personal information; request the correction, deletion or destruction of personal information; and request a person’s permission to send them unsolicited direct marketing (a contradiction of sorts though, because if you have permission it’s not unsolicited).
The most immediate and important focus for South African businesses should be regulation 4 of the draft regulations. It deals with the duties and responsibilities of information officers. An information officer is essentially a business’s point person for Popia purposes. He or she will have a crucial responsibility because, unlike Popia’s sister law – the Promotion of Access to Information Act (PAIA) – there are major financial consequences for organisations under Popia.
If businesses that take themselves seriously have not appointed an information officer already, now is probably the time. This is because such a person has a crucial role to fulfill under the draft regulations. The information officer will need to attend to a number of requirements. These include ensuring that:
- A compliance framework is developed, implemented and monitored. In other words, has your organisation assessed its ‘as is’ and ‘to be’ positions?
- Adequate measures and standards exist in order to comply with the lawful processing of personal information. In other words, if your organisation is a hospital or school, are your measures up to what would be expected, given the sensitive personal information you hold?
- Your current PAIA manual is updated to take Popia’s requirements into account. For example, once the draft regulations are finalised, you will be required to include some of the forms that have been published in the draft regulations. Of course, if you do not have a manual, you will need to get this done as a matter of urgency.
- You have internal measures and adequate systems to process requests for, or access to, information.
- You have conducted awareness sessions on Popia (i.e. staff and supplier training), its regulations, any industry codes of conduct or information you obtain from the Information Regulator.
Popia gives organisations one year from the time it becomes effective to become compliant. Despite this grace period, do not leave this to the last minute. It will cost your organisation much more in terms of stress, finances and the risk of poor implementation if it is not done timeously and properly.
Considering that the Information Regulator chairperson hopes to have Popia fully effective in early 2018, has your organisation appointed an Information Officer and has he or she started on what is listed above?
A copy of the draft regulations is available on the Information Regulator’s website. If you wish to comment on the draft regulations, the regulator will be accepting submissions until November 7 2017.
Lucien Pierce is a partner at PPM Attorneys.