PROTECTION OF PERSONAL INFORMATION: DRAFT REGULATIONS IN TERMS OF THE PROTECTION OF PERSONAL INFORMATION ACT (POPIA)

What will be required from businesses?

STATUS OF POPIA

The Protection of Personal Information Act, 2014, (Act 13 of 2014), (POPIA), was assented to on 19 November 2013.

Only certain sections of POPIA are currently in operation. On 11 April 2014, sections 1 (Definitions), 112 (Regulations), 113 (Procedure for making Regulations) and Part A of chapter 5 (Information Regulator) were brought into operation in order to appoint the Information Regulator and to allow the Minister to develop and draft regulations.

PURPOSE OF POPIA

Once POPIA is fully in operation it will safeguard the personal information received, collected or disseminated from your business clients during the course of your business operations.

The purpose of POPIA is to prevent the misuse and abuse of your clients’ personal information for instance through identity theft and unsolicited marketing.

POPIA will not prevent the processing or sharing of the personal information of your clients but will regulate how it should be done so that the information is safeguarded against misuse and abuse.

DRAFT REGULATIONS

It is expected that POPIA will be brought into full operation once the regulations under POPIA have been drafted and promulgated. In terms of section 113 of POPIA the draft regulations must be published for public comment and consulted with the Information Regulator before it is finally promulgated.

The draft regulations in terms of POPIA have recently been published for comment. Comments on the draft regulations had to be submitted to the Information Regulator by 7 November 2017. Comments submitted on the draft regulations must now be considered and be addressed through amendments to the draft regulations before the final regulations may be promulgated.

WHAT IS PROPOSED BY THE DRAFT REGUATLIONS

The draft regulations propose certain administrative processes, prescribed forms and impose obligations on information officers. These processes and obligations, if finally adopted, will have to be incorporated in the business practices and policies of businesses that receive, collect or disseminate (use) the personal information of their clients.

What internal and external processes must businesses provide for?

The draft regulations propose that businesses adopt the following processes:

  • Receiving and dealing with objections by clients regarding the use of their personal information
  • Receiving and dealing with request by clients to delete or correct their personal information
  • Requesting the consent of clients to use their personal information for direct unsolicited electronic marketing

What further obligations must businesses comply with?

The draft regulations propose that the following obligations be imposed on the information officer (the head) of a business:

  • A compliance framework must be developed, implemented and monitored
  • Assessments must be conducted
  • Measures and standards for lawful processing of information must be developed and implemented
  • A manual must be drafted setting out what personal information will be used, who it will be shared with, for what purpose it will be used and shared, and describing the security measures to protect the information
  • Processes must be developed to deal with requests for access to information
  • Awareness sessions must be held

Unfortunately, the draft regulations do not provide guidance regarding the content and requirements of the above framework and standards that must be developed and implemented.

What other matters are proposed?

The draft regulations also propose the following procedures:

  • How to submit complaints to the Information Regulator
  • Procedures for Assessments and Investigations by the Information Regulator
  • Applications by bodies representing industries to develop codes of conduct

HOW CAN BUSINESSES PREPARE FOR IMPLEMENTATION?

Should the draft regulations be adopted in their current form, it is clear that businesses will have to review their internal and external processes to make sure that they comply with the above.

Many businesses have started to implement the requirements of POPIA which is advisable, but it should be kept in mind that any measure implemented at this stage will have to be reviewed when the regulations and supporting instruments in terms of POPIA come into operation to ensure compliance therewith. Once POPIA comes into operation there will be a grace period of one year to implement the prescribed measures.

It will be important for businesses that receive, collect or disseminate their clients’ personal information to closely follow the developments pertaining to POPIA to ensure readiness, to receive advice on how to comply and possibly to influence how the Information Regulator will implement POPIA by submitting comments on the supporting instruments and guidelines when published for comment.

For more information or advice contact us at Goldberg & de Villiers Inc Tel: 041 501 9800. (Bardine Hall – BA LLB)