In terms of the Protection of Personal Information Act, 2013 (“POPIA”), the Information Regulator in South Africa (“Regulator”) requires the appointment and registration of an Information Officer and compliance with the Regulator’s codes of conduct.
The Regulator, in her notice of 22 February 2021, indicated these effective dates:
- Regulation 5 (Application for Code of Conduct) – 1 March 2021;
- Regulation 4 (Responsibilities of Information Officers) – 1 May 2021; and
- the remaining Regulations – 1 July 2021.
Registration of Information Officers
Every organisation is required to appoint an Information Officer to ensure compliance with the provisions of POPIA and for the development, implementation and maintenance of a compliance framework.
To assist Information Officers, the Regulator has developed and published a guidance note, the purpose of which is to provide guidance and procedures for the (i) obligations and liabilities of Information Officers and Deputy Information Officers, (ii) registration of Information Officers with the Regulator, (iii) updating the details of Information Officers, (iv) designation of Deputy Information Officers, and (v) delegation of duties and responsibilities of the Information Officers to the Deputy Information Officers.
Guidelines to develop Codes of Conduct
The Regulator published a set of guidelines that became effective from 1 March 2021. The Guidelines assist organisations in developing codes of conduct or applying the approved codes of conduct.
The published Guidelines broadly cover the following:
- the legislative framework (the objectives of the Guidelines, who should use them and the purpose thereof);
- issuing a code of conduct by the Regulator (the general principles applicable to a code of conduct);
- code governance (governance arrangements and the monitoring of compliance with a code of conduct);
- complaints handling; and
- reviewing, varying and revocation of an approved code of conduct.
Prior authorisation notification
From 1 July 2021, companies must notify the Regulator if the processing of a data subject’s personal information is subject to prior authorisation, as contemplated by sections 57 and 58 of POPIA.
Prior authorisation is required, amongst others, when processing ‘any unique identifiers’ of a data subject (like a telephone number) ‘for a purpose other than the one for which the identifier was specifically intended at collection’ and ‘with the aim of linking the information with information processed by other responsible parties’. Prior authorisation is also required when processing (i) ‘information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties’, (ii) ‘information for the purposes of credit reporting’, and (iii) when transferring special personal information or the personal information of a child to ‘a third party in a foreign country that does not provide an adequate level of protection’.