The Protection of Personal Information Act 4 of 2013 (“the Act” and “POPI”) aims to regulate the processing of personal information in order to protect the constitutional right to privacy. It does this by, among other things, setting out conditions for the “lawful processing” of personal information. Compliance with its provisions is compulsory for most companies in South Africa; penalties, fines and even criminal liability are imposed by the Act in order to ensure such compliance.
Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) became applicable as of 1 July 2020. This means that companies need to be compliant with the main portion of the Act by 1 July 2021. With this date being just over two months away and with the consequences for non-compliance being so serious, businesses may be scrambling for any last-minute guidance to ensure that the procedures they have in place will fit the standards of the Act. Logically, some businesses may turn to the Act’s Regulations (“the Regulations”) to provide such guidance.
Being only 8 pages long with an extra 35 pages of standardised forms, the Regulations unfortunately do not provide any sought-after practical guidance and insight into how to comply with the Act as a whole. With their content prescribed by section 112 of the Act, the scope of the Regulations is quite limited.
It is expected that most professional bodies will release their own industry-specific POPI regulations and guidelines with greater detail on how their members may comply. Until these guidelines are released, companies and professionals will need to comply as best they can with the gazetted Regulations, limited though they may be.
Principally, the Regulations provide for the procedures to be followed and the relevant forms to be submitted in relation to specific provisions of the Act, including the procedures to be followed when:
- Objecting to the processing of personal information in terms of section 11(3)(a);
- Requesting the correction or deletion of personal information or destruction or deletion of a record of personal information in terms of section 24(1);
- Applying for the issuing of a code of conduct in terms of section 61(1)(b);
- Requesting a data subject’s consent to process personal information in terms of section 69(2);
- Submitting a complaint in terms of section 74(1);
- A Regulator decides to act as a conciliator during an investigation;
- A Regulator intends to investigate a matter provided for in Chapter 10 of the Act;
- Settling complaints; and
- Requesting an assessment in terms of section 89(1).
The Regulations also set out the responsibilities of information officers, in addition to those provided by section 55(1) of the Act.
Accordingly, a company’s main point of reference in ensuring compliance with the provisions of the Act is still the Act itself, and the Regulations only come into play when a party needs to take procedural steps in the specific instances set out in section 112 of the Act. If a company wants further practical insight into how to comply with the Act, it may need to consult online resources and undergo training from the relevant competent bodies.
There are eight principles to POPI compliance, the most important of which is probably the second: processing limitation. This principle deals with the lawfulness of processing information – that such information should be collected lawfully, as minimally as possible, with the subject’s direct consent and with adequate justification. A good rule of thumb until more specific guidelines are published (but which by no means replaces these guidelines) is to always obtain a person’s informed consent before collecting their information, to collect only what you need, and to use it only for the purpose explained to the person.
Save for Regulation 4 (providing for the responsibilities of information officers), which will commence on 1 May 2021, and Regulation 5 (providing for the application for the issuing of a code of conduct), which commenced on 1 March 2021, the Regulations will commence on 1 July 2021. If in doubt regarding compliance for your business, it is advisable to contact a reputable lawyer for assistance.
About the author
Mikayla joined Dunsters as a candidate attorney in 2020 and is currently in her second year of articles. She is an alumna of Stellenbosch University where she obtained her BA(Law), LLB and LLM degrees. While completing her LLM she obtained practical experience in the legal field and gained valuable insight into the plight of disadvantaged communities by working as a paralegal at the Stellenbosch University Law Clinic.
Mikayla enjoys general civil litigation and has a keen interest in Company and Tax Law. She particularly enjoys drafting civil pleadings as well as tailoring commercial contracts to suit each client’s unique goals.
In her time off, Mikayla enjoys taking long drives and frequenting outdoor markets.