By Jerome Veldsman
The Information Regulator published draft regulations relating to the Protection of Personal Information Act on 8 September 2017, and has allowed until 7 November 2017 for comments.
The target date for POPI to become fully effective is reportedly early in 2018. All processing of personal information must then be made POPI compliant within one year of that date.
Every “public body” (organs of state and the like) and “private body” (all juristic persons, and anyone carrying on any business, profession or trade) will automatically have an “information officer”, essentially the CEO, proprietor or equivalent. An information officer will have onerous duties, and prospective information officers are encouraged to familiarise themselves with those duties now, ahead of commencement.
Under section 112(2) of POPI, there are 13 categories in respect of which the Information Regulator may make regulations. The draft regulations deal with 11 of those categories, in 10 paragraphs:
- Manner of objection to the processing of personal information
- Request for correction or deletion of personal information or destroying or deletion of record of personal information
- Duties and responsibilities of information officers
- Application to issue a code of conduct
- Request for data subject’s consent for processing of personal information for the purpose of direct marketing by means of unsolicited electronic communications
- Submission of complaint or grievance
- Regulator acting as conciliator during an investigation
- Pre-investigation proceedings of Regulator
The two categories omitted from the draft regulations are:
- The prohibition on processing personal information concerning a data subject’s health or sex life not applying, in specified circumstances only, to processing by administrative bodies, employers, insurance companies, medical aid schemes, pension funds, medical scheme administrators and managed healthcare organisations.
- Matters that are incidental to the imposition of administrative fines.
The omissions are probably intentional:
- The exceptions to the prohibition on processing personal information concerning a data subject’s health or sex life may well be dealt with in industry codes of conduct.
- The imposition of administrative fines is dealt with comprehensively in POPI itself.