[10 April 2021] The Information Regulator has published a Guidance Note on Information Officers and Deputy Information Officers, noting that it is developing an online portal to facilitate registration.
[3 March 2021] The Information Regulator published the Guideline to Develop Codes of Conduct on 22 February 2021, as well as giving notice that:
- Regulation 5 of the Regulations issued in terms of the Protection of Personal Information Act (“the POPI Regulations”) which governs applications for issuing of Codes of Conduct will be effective as from 1 March 2021.
- Regulation 4 of the POPI Regulations – which sets out responsibilities of information officers – will be effective as from 1 May 2021. Guidelines on the registration of information officers are yet to be finalised. From this date information officers will be required to:
- develop, implement, monitor and maintain a compliance framework;
- undertake a personal information impact assessment to ensure that adequate measures and standards exist;
- develop, monitor and maintain an access to information manual required in terms of the Promotion of Access to Information Act 2 of 2000 (PAIA);
- develop internal measures and systems to process requests for information or access; and
- conduct internal awareness sessions.
The balance of the POPI Regulations will be effective as from 1 July 2021.
The Guideline provides guidance to industry bodies on the making of an application for a code of conduct to be approved by the Information Regulator and set out the prescribed form.
[22 October 2020] Information Regulator Presentation Quarterly Performance 8 October 2020
[22 July 2020] The Information Regulator has published draft guidelines on the registration of information officers for public comment.
The deadline for submissions is 16 August 2020 (16h00) and can be directed to NNemasisi@justice.gov.za
[18 July 2020] With POPI in force, the Information Regulator has presented to Parliament on its readiness to implement the Act.
[1 July 2020] The Protection of Personal Information Act 4 of 2013 came into force on this day. Two sections relating to amendments to other laws and the Information Regulator taking on functions relating to access to information under the Promotion of Access to Information Act will be effective from 1 July 2021.
Under section 114(1) “all processing of personal information must within one year after the commencement of this section be made to conform to this Act”.
It is important to note that this period may be extended for all or certain classes of entities by the Minister by request or of her or his own accord for up to three further one-year periods. Given the complexity of compliance and the predicted state of the economy over the next three years it is hard not to see all of these extensions (and possibly more) being issued.
[16 May 2020] The Information Regulator presented its Annual Performance Plan for period 1 April 2020 to 31 March 2021 to Parliament on 12 May 2020.
[2 November 2019]The Information Regulator has published Guidelines to Develop Codes of Conduct in terms of Chapter 7 of POPI and will hold a consultation with industry on 6 November 2019 at the Midrand Conference Centre.
The Guidelines are required by section 65 of POPI and are intended to assist public and private bodies to develop their own codes of conduct relating to how personal information will be processed and to apply to the Information Regulator for formal recognition of such code under POPI.
Final Guidelines will be published in the Government Gazette.
15 October 2019] It seems unlikely that the process to establish the Information Regulator will be finalised this year.
[9 July 2019] The Information Regulator presented its Annual Performance Plan to the Portfolio Committee for Justice and Correctional Services on 5 July 2019:
The presentation indicates that the following progress has been made in establishing the Information Regulator (a process which must be completed before the Protection of Personal Information Act comes into force in full):
- premises have been secured for a three-year period;
- a CEO and a CFO have been appointed;
- an Executive Office: Legal, Research and Technology Analyst will commence work in August 2019 (outstanding appointments are for Executive Officer: POPIA, Executive Officer (PAIA) and Executive Officer (Corporate Services)); and
- a Draft Organisational Structure has been developed for submission to the Minister of Finance for consultation.
The IR has also submitted a request for additional budget (over and above the R28.9m allocated for the current financial year) to the Minister of Finance.
[14 December 2018] Final regulations under the Protection of Personal Information Act have been published in the Government Gazette of 14 December 2018.
[4 May 2018] The Information Regulator formed under POPI presented in Parliament on its activities since the last report in October 2017.
The regulations required to give some substance to POPI have been submitted to the Office of the State Law Advisors for the constitutional compliance vetting process. These were redrafted after more than 200 submissions were received in response to the draft published in 2017. After completion of the vetting process the draft regulations will be submitted to Parliament as is required under section 113(5) of POPI which requires the IR or the Minister to table draft regulations in Parliament within 30 days of them being published in final form in the Government Gazette.
The Budget for the IR for the medium-term is:
- 2017/18: R23 402 000
- 2018/19: R24 712 000
- 2019/20: R25 095 000
- 2020/21: R27 531 000
The finalisation of the organisational structure of the IR and its classification under the PFMA is ongoing although there are indications of lengthy delays as legal technicalities are ironed out. Only once consultations with the Minister of Finance and the organisational structure are completed can the IR proceed to advertise for applications for key executive permissions.
The IR has been engaging widely on stakeholder training as required by section 40 of POPI, and notwithstanding a lack of powers to enforce and settle complaints – the relevant sections are not yet in force – the more than 108 complaints received to date are being proactively dealt with.
The opinion of senior counsel is being sought to determine whether unsolicited direct marketing by political parties falls within the definition of direct marketing in sections 1 and 69 of the Act.
[21 October 2017] The Information Regulator provided a status report to the Portfolio Committee for Justice and Correctional Services on 10 October 2017.
Progress is slow….
[9 September 2017] The Information Regulator has published draft regulations under the Protection of Personal Information Act for public comment.
The deadline for submissions is 7 November 2017 and these can be sent to email@example.com.
[23 June 2017] The website of the Information Regulator….
[15 April 2016] There has been some progress with the finalisation of a shortlist of ten nominations for the five positions on the information regulator to be formed under the Protection of Personal Information Act.
The Portfolio Committee on Justice and Correctional Services shortlisted: Pansy Tlakula, Johannes Weapond, David Taylor, Advocate Lebogang Stroom, Lindelo Snail, Siyakhula Simelane, Thav Reddy, Francois Cronje, Shamila Singh and Tana Pistorius.
[19 September 2015] Our information from the Department of Justice is that the Protection of Personal Information Act will come into force in mid-2017 at the earliest.
It seems that every agreement we see has now got pages and pages of text requiring compliance with this Act, notwithstanding that
- the Information Regulator has not been appointed
- only once the Information Regulator has been appointed and established an office with a budget and staff can the process of drafting the regulations required to implement the Act commence (and it is almost guaranteed that this independent office will be underfunded)
- only once these regulations are in place will those affected by the Act know what their compliance obligations will be
- only once you know what your compliance obligations are can you design and implement the required response
- the Act will not come into force for another two years and when it does there will be an implementation window of 18 months (at least)
[22 May 2015] Some progress. During the course of the Speech by the Deputy Minister of Justice and Constitutional Development, the Hon JH Jeffery, MP, during the Debate on Vote 21: Justice and Constitutional Development, delivered on 19 May 2015, there were indications that the slow process of enacting the Protection of Personal Information Act is shortly to gain some momentum.
I am pleased to announce that with regards to the appointment of an Information Regulator in terms of the Protection of Personal Information Act, that agreement has been reached with treasury on the grading of the Regulator and a letter will soon be sent to the Speaker, requesting her to initiate the nomination process envisaged in section 41 of the Act. This section requires a multi-party committee of the National Assembly to assist with the nomination of persons who are eligible for appointment as members of the Regulator. The appointment of the members of the Regulator will, in turn, facilitate the commencement of the remainder of the Act.
So – since the last post below – we have managed to determine the salary band in which the Information Regulator will fall, i.e. what members of this body will be paid. The Department will now look to initiate the process for the nomination and selection of such members.
Notwithstanding the dire warnings being issued out by lawyers and consultants, we retain our view that this legislation remains a number of years away from being meaningfully implemented.
[14 April 2014] The President has published a notice in the Government Gazette proclaiming 11 April 2014 as the date on which the following sections of the Protection of Personal Information Act will come into force:
- section 1 (definitions)
- Part A of Chapter 5 (relating to the establishment and operation of an Information Regulator)
- section 112 (regulations by the Minister and the Regulator), and
- section 113 (procedure to be followed in making regulations).
[Updated 28 November 2013] The Protection of Personal Information Act 4 of 2013 as assented to by the President on 26 November 2013.
There is now something definite to study but there remains a long way to go. No commencement date has been set and there is likely to be a lengthy transition period.
[updated 1 March 2013] The Protection of Personal Information was discussed by the Select Committee on Security and Constitutional Development, (National Council of Provinces) on 13 February 2013, receiving submissions from the Parliamentary Research Unit (Content Advisor) and the National Treasury.
The Committee heard that a number of amendments were proposed, many of them technical. The Parliamentary Research Unit, however, indicated that the matters which needed the committee’s consideration related to
– consent, justification and objection, as set out in clause 11(3)(a) of the Bill
– time limits applicable to the retention of records & correction of personal information
– additional wording regarding categories of persons to which exemptions are extended and whether there needs to be in principle recognition of the need to exempt companies who may be able to profit from information at a later stage under clause 32(1)
– the need to review the Bill against updated EU regulations.
Outstanding issues with the Financial Services Board (FSB) regarding sections 38 and 72 were not resolved. The Select Committee called for a full briefing on the Bill.
[updated 15 September 2012] The Portfolio Committee for Justice and Constitutional Development has finalised its deliberations on the POPI Bill, which will now pass through the balance of the Parliamentary process. The Bill is anticipated to be signed into law early in 2013.
There is tentatively excellent news for those with an interest in combating spam is that the Committee voted to retain a more restricted definition of consent in the face of a proposal to introduce an opt-out system. The relevant provisions are set out below:
“consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
RIGHTS OF DATA SUBJECTS REGARDING DIRECT MARKETING BY MEANS OF UNSOLICITED ELECTRONIC COMMUNICATIONS, DIRECTORIES AND AUTOMATED DECISION MAKING
Direct marketing by means of unsolicited electronic communications
69. (1) The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the data subject—
(a) has given his, her or its consent to the processing; or
(b) is, subject to subsection (3), a customer of the responsible party.
(2) (a) A responsible party may approach a data subject—
(i) whose consent is required in terms of subsection (1)(a); and
(ii) who has not previously withheld such consent,
only once in order to request the consent of that data subject .
(b) The data subject’s consent must be requested in the prescribed manner and form.
(3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1)(b)—
(a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
(b) for the purpose of direct marketing of the responsible party’s own similar products or services; and
(c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details—
(i) at the time when the information was collected; and
(ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
(4) Any communication for the purpose of direct marketing must contain—
(a) details of the identity of the sender or the person on whose behalf the communication has been sent; and
(b) an address or other contact details to which the recipient may send a request that such communications cease.
(5) “Automatic calling machine”, for purposes of subsection (1), means a machine that is able to do automated calls without human intervention.
Good news for those with an interest in a comprehensive legislative framework for the protection of personal information is that the Protection of Personal Information Bill (“the POPI Bill”) is nearing finalisation. The current status is that a Technical Committee appointed a year ago to do in-depth consideration of certain provisions has reported back and the POPI Bill is expected to be finalised in the Portfolio Committee for Justice and Constitutional Development this year. Thereafter it has to go to the National Assembly, the National Council of Provinces and back to the National Assembly before going to the President for signature.
At this stage there is unlikely to be further opportunity for public comment.