The Information Regulator has provided some welcome clarity on practical aspects of POPIA, as organisations work towards achieving compliance by 30 June 2021.
by Peter Grealy, Nozipho Mngomezulu, Wendy Tembedza and Karl Blom from Webber Wentzel
With fewer than 4 months left for organisations to comply with the Protection of Personal Information Act, 2013 (POPIA), many are grappling with the practicalities of compliance. The Information Regulator has now issued final guidelines to develop codes of conduct; a checklist to use when submitting a code to the Information Regulator for approval; and standards for making and dealing with complaints relating to a code.
The Information Regulator has also determined that the majority of the Regulations Relating to the Protection of Personal Information, 2018 (POPIA Regulations) will come into force on 1 July 2021, other than those mentioned specifically below, which relate to applications for issuing codes of conduct and the responsibilities of information officers.
These measures will provide some clarity and are welcome assistance for organisations on their journey to POPIA compliance. We have answered some questions below regarding codes of conduct and the appointment and registration of information officers. In addition, we highlight the process of obtaining an exemption from certain provisions of POPIA, which some businesses are exploring ahead of the impending POPIA compliance deadline of 30 June 2021.
Code of conduct – who should consider developing a code and when can it be submitted to the Information Regulator for approval?
A code of conduct developed and approved under POPIA is a set of rules which may apply to specific information, activities, bodies, professions or industries. For example, representatives of the legal industry may determine that the legal industry requires a POPIA code to guide legal practitioners in entrenching data protection in their practices.
The purpose of the guidelines and checklist published by the Information Regulator is to outline how all the conditions for the lawful processing of personal information should be applied or complied with by the body or industry applying for the code, by providing minimum criteria to develop a code. The guidelines also contain a framework for ensuring that codes are evaluated in a standard manner, to foster transparency.
The POPIA Regulation regarding the application for issuing a code of conduct (in the prescribed format) became effective on 1 March 2021. This means that bodies and industries may now submit applications to the Information Regulator to approve a code of conduct.
Information officers – what is an information officer and when do his or her responsibilities become effective?
POPIA requires organisations to appoint an information officer, who will be an individual responsible for ensuring that the organisation complies with POPIA (amongst other duties and responsibilities set out in POPIA and the POPIA Regulations). The role of the information officer is not new. The role was originally contemplated in the Promotion of Access to Information Act, 2000 (PAIA). However, POPIA requires information officers to be registered with the Information Regulator before they can take up their duties under POPIA.
The POPIA Regulation which sets out the responsibilities of the information officer will come into effect on 1 May 2021. Information officers (and deputy information officers) will have to commence their duties and responsibilities under POPIA and the POPIA Regulations from that date. However, we note that the Draft Guidelines on the Registration of Information Officers (published by the Information Regulator in July 2020) provide that information officers must be registered with the Information Regulator on or before 31 March 2021. This is presumably to provide a window period to enable the Information Regulator to complete the information officer’s registration at the Information Regulator’s offices.
POPIA exemption – when should an organisation consider obtaining an exemption and how can this be achieved?
POPIA allows the Information Regulator to grant an exemption from certain conditions for processing personal information in certain circumstances.
The Information Regulator may grant an exemption to a responsible party to process personal information (even if the processing breaches one of the 8 conditions for lawful processing contained in POPIA) if the Regulator is satisfied that the public interest outweighs any interference with the privacy of the data subject, or the processing involves a clear benefit to the data subject or a third party, and that benefit outweighs any interference with the privacy of the data subject.
Personal information processed to discharge a relevant function is exempt from certain provisions of POPIA to the extent that applying those provisions would be likely to prejudice the proper discharge of that function. An example of a relevant function is where an organisation processes personal information to protect members of the public against financial loss caused by the dishonesty, malpractice, or improper conduct of certain corporate or professional bodies.