Latest developments regarding Information Officers, dates to commence compliance, Guidelines to develop Codes of Conduct and prior authorisation notification
A substantial number of the provisions of the Protection of Personal Information Act, 2013 (“POPIA”) came into effect on 1 July 2020, with organisations being given a 12-month grace period within which to ensure that they comply with the requirements of POPIA.
Two important factors relating to POPIA compliance are the appointment and registration of an Information Officer, and compliance with the codes of conduct as issued by the Information Regulator in South Africa (“Regulator”).
The Regulator has recently published a guidance note for Information Officers and guidelines for codes of conduct and ‘prior authorisation’ for processing unique identifiers.
- Dates on which compliance commences
The Regulator, in her notice of 22 February 2021, indicated that:
- Regulation 4 (Responsibilities of Information Officers) will take effect on 1 May 2021;
- Regulation 5 (Application for Code of Conduct) took effect from 1 March 2021; and
- the remaining Regulations will take effect on 1 July 2021.
- Registration of Information Officers
Every organisation is required to appoint an Information Officer and to register them with the Regulator. This is an important job, and an Information Officer is responsible under POPIA for, amongst others, ensuring that the organisation complies with the provisions of POPIA and for the development, implementation and maintenance of a compliance framework.
To assist Information Officers, the Regulator has developed and published a guidance note, the purpose of which is to provide guidance and procedures for the (i) obligations and liabilities of Information Officers and Deputy Information Officers, (ii) registration of Information Officers with the Regulator, (iii) updating the details of Information Officers, (iv) designation of Deputy Information Officers, and (v) delegation of duties and responsibilities of the Information Officers to the Deputy Information Officers.
The guidance note, which was published on 1 April 2021, as well as the application form for the registration of Information Officers, can be found on the Regulator’s website. Further, in terms of a notice published by the Regulator on 1 April 2021, the Regulator is developing an online portal for the registration of Information Officers, which is expected to go live by the end of April 2021. Accordingly, the registration of Information Officers is expected to commence on 1 May 2021.
- Guidelines to develop Codes of Conduct
In terms of section 61 of POPIA, the Regulator may issue a code of conduct on her own initiative after consultation with affected stakeholders, or on application by a body which sufficiently represents any class of bodies or of any industry, profession or vocation.
Following a consultation process which ended on 17 January 2020, the Regulator published a set of guidelines to develop codes of conduct in a notice of 22 February 2021, which guidelines became effective as from 1 March 2021. The Guidelines are intended to, amongst others, assist organisations in developing codes of conduct or applying the approved codes of conduct.
The published Guidelines broadly cover the following:
- the legislative framework (the objectives of the Guidelines, who should use them and the purpose thereof);
- issuing a code of conduct by the Regulator (the general principles applicable to a code of conduct);
- code governance (governance arrangements and the monitoring of compliance with a code of conduct);
- complaints handling; and
- reviewing, varying and revocation of an approved code of conduct.
The Regulator, on 3 March 2021, also published a checklist for the submission of applications for the approval of a proposed code of conduct.
- Prior authorisation notification
According to a notice gazetted by the Regulator on 1 April 2021, companies shall, as from 1 July 2021, be required to notify the Regulator if the processing of a data subject’s personal information is subject to prior authorisation, as contemplated by sections 57 and 58 of POPIA.
Prior authorisation is required, amongst others, when processing ‘any unique identifiers’ of a data subject (like a telephone number) ‘for a purpose other than the one for which the identifier was specifically intended at collection’ and ‘with the aim of linking the information with information processed by other responsible parties’. A guidance note on applications for prior authorisation, as well as the relevant application form, was published on 11 March 2021.
Prior authorisation is also required when (i) processing ‘information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties’, (ii) processing ‘information for the purposes of credit reporting’, and (iii) transferring special personal information or the personal information of a child to ‘a third party in a foreign country that does not provide an adequate level of protection’.
All these documents can be found on https://www.justice.gov.za/inforeg/docs.