THE DRAFT REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2017
On 8 September 2017, the Department of Justice and Constitutional Development published the draft regulations relating to the protection of personal information (draft regulations) under section 112(2) of the Protection of Personal Information Act 4 of 2013 (POPIA). The public has been invited to comment by 7 November 2017.
The draft regulations provide clarity regarding prescribed forms and processes to be followed under POPIA:
- by data subjects when:
  - objecting to the processing of personal information under section 11(3) of POPIA; or
  - requesting the correction or deletion of personal information under section 24(1) of POPIA;
- by a responsible party when requesting a data subject’s consent for the processing of personal information for direct marketing by means of unsolicited commercial communications;
- by data subjects or other persons when:
  - lodging a complaint alleging interference with the protection of personal information (section 74(1) of POPIA); or
  - lodging a complaint when aggrieved by the determination of an adjudicator (section 74(2) of POPIA).
The draft regulations further set out the prescribed form and process to be followed under POPIA by a public or private body which, in the opinion of the Information Regulator (Regulator), is sufficiently representative of any class of bodies or of any industry, profession or vocation, and which wishes to apply to the Regulator to issue a code of conduct. This relates to the Regulator’s mandate to issue codes of conduct applicable to specific sectors when it deems it necessary and also on application by a body in terms of section 61 of POPIA.
The draft regulations provide more detail on the duties and responsibilities of information officers. Section 55 sets out a broad outline of the duties and responsibilities of an information officer and, in section 55(e), covers any further duties and obligations to be prescribed. Pursuant to this, the draft regulations provide more specific obligations of an information officer, including:
- developing, implementing and monitoring a compliance framework;
- ensuring that adequate measures are taken to ensure the lawful processing of personal information and that preliminary assessments are conducted;
- developing, and making available to the public, a manual in terms of the Promotion of Access to Information Act (PAIA);
- developing internal measures and adequate systems to process requests for information or access to information; and
- conducting awareness sessions regarding POPIA and any regulations, codes of conduct or other information obtained by the Regulator.
The draft regulations further elaborate on:
- the role of the Regulator when acting as conciliator during an investigation into any interference with the protection of personal information as well as the process to be followed by the Regulator in this regard;
- the process for conducting an investigation including the procedure to inform and notify parties during the course of an investigation; and
- the prescribed procedure for assessments under POPIA.
The draft regulations are available on the Regulator’s website.