SOUTH AFRICA: POPIA REGULATIONS AND GUIDELINES TO DEVELOP CODES OF CONDUCT
The majority of the substantive provisions of the Protection of Personal Information Act (POPIA) came into effect on 1 July 2020. Organisations were, however, afforded a 12-month grace period to ensure compliance with POPIA by 30 June 2021.
With the grace period coming to an end in less than four months, the Information Regulator has published the Guidelines to Develop Codes of Conduct and given notice that the POPIA Regulations (which were published in December 2018) will come into effect as follows:
- Regulation 4 (Responsibilities of Information Officers) will take effect on 1 May 2021;
- Regulation 5 (Application for Code of Conduct) took effect from 1 March 2021; and
- the remaining Regulations will take effect on 1 July 2021.
Responsibilities of information officers
POPIA requires every responsible party (regardless of its size or form) to appoint an information officer (and potentially deputy information officers) and to register the individual with the Information Regulator.
Once registered, section 55 of POPIA prescribes certain duties that an information officer is required to comply with. These duties include, among other things, ensuring that the responsible party complies with the provisions of POPIA, dealing with requests made under POPIA, and assisting the Information Regulator with any investigations conducted in respect of the responsible party.
In addition to the duties set out in POPIA above, Regulation 4 of the POPIA Regulations prescribes additional duties to be performed by information officers, which include ensuring that:
- a compliance framework is developed, implemented, monitored and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- a manual is developed, maintained and made available as prescribed in terms of the Promotion of Access to Information Act (commonly referred to as PAIA);
- internal measures are developed together with adequate systems to process requests for information; and
- internal awareness sessions are conducted regarding the provisions of POPIA and the Regulations.
The draft Guidelines on the Registration of Information Regulators published in August last year indicate that all information officers will be required to be registered with the Information Regulator by 31 March 2021. These guidelines have not yet, however, been finalised.
In light of Regulation 4 coming into effect from 1 May 2021, we anticipate that the Information Regulator will finalise the guidelines soon in order to allow for the information officers to commence with their duties.
Codes of Conduct
Chapter 7 of POPIA allows for the Information Regulator to develop and issue codes of conduct which may apply to certain types of personal information, specific industries, professions, bodies or to specific types of activities.
In this regard, the Information Regulator has published Guidelines to Develop Codes of Conduct in terms of section 65 of POPIA. The Guidelines, amongst other things:
- provide guidance on the process for the development of a code of conduct by the Information Regulator or an application by relevant bodies;
- outlines the matters that need to be addressed in the issuing and registration of approved codes; and
- outlines the procedures that may be prescribed in a code for dealing with complaints.
With effect from 1 March 2021, Regulation 5 of the POPIA Regulations requires any industry, profession or body who wishes to apply for the issuing of a code of conduct to submit an application to the Information Regulator using Form 3 published in terms of the Regulations.
As the deadline for compliance with the provisions of POPIA is fast-approaching and the Regulations in their entirety will be in effect from 1 July 2021, it is important for organisations to take steps now to ensure that they are already complying with POPIA. Employers may find the Bowmans POPIA Toolkit for Employers of great assistance in getting POPIA-ready.