The Information Regulator (IR) has finally published the proposed amendments to the regulations issued in terms of the Protection of Personal Information Act (POPIA). It has also published the Rules of Procedure governing how a complaint must be submitted to and handled by the regulator.
On 9 September, the regulator invited members of the public to comment on the draft regulations, but the regulations could not be located online, no doubt because the regulator’s online system was affected by the ransomware attack on the Department of Justice and Constitutional Development.
The proposed regulations have now been published and can be found at https://justice.gov.za/inforeg/legal/20211012-InfoRegSA-InvtieToComment-RegulationsAmendment.pdf.
The deadline for the submission of comments has been extended to 15 November.
The draft regulations set out the procedure to follow in certain circumstances contemplated in POPIA, including how:
- Data subjects may object to the processing of their personal information;
- Data subjects may request the correction, destruction, or deletion of their personal information;
- Responsible parties may request a person’s consent to process their personal information for unsolicited electronic direct marketing; and
- Data subjects may submit a complaint to the IR.
Peter Grealy, Karl Blom and Nozipho Mngomezulu of law firm Webber Wentzel have highlighted the following aspects of the draft regulations:
Objecting to the processing of personal information
The draft regulations have introduced flexibility on how people can object to their personal information being processed, allowing them to do so “in any manner that may be expedient”.
Organisations are required to tell people explicitly about their right to object to the processing their personal information, in a manner that is distinct from other information communicated to those persons. This may require some businesses to revisit their privacy policies.
Requesting that personal information be corrected, destroyed, or deleted
The draft regulations provide that if a person requests an organisation to correct, destroy or delete their personal information, the organisation must notify that person of the action taken in 14 days. The draft regulations include a definition that “days” are calendar days. Businesses would be required to ensure that they are able to properly consider and respond to these requests within 14 calendar days.
Requesting a person’s consent for direct marketing by unsolicited electronic communication
The draft regulations provide some latitude to organisations requesting a person’s consent to process their personal information for direct marketing through unsolicited electronic communication. The current POPIA regulations require that written consent be given in a prescribed form attached to the existing regulations. However, the draft regulations would permit an organisation to obtain consent using a form substantially similar to Form 4 or “in any manner that may be expedient”. This development would alleviate some of the administrative burden for businesses in ensuring compliance with this consent requirement.
Complaints to the Information Regulator
The draft regulations provide a clear procedure on how affected parties may submit complaints to the IR, with clarification on which parties may submit a complaint; the information that must be included in the complaint; where and how to submit a complaint (including how to submit a complaint on behalf of another person) and how to submit a complaint without revealing one’s identity.
Transitional provisions and codes of conduct
The Draft Regulations contain transitional provisions, in terms of which anything done under the current POPIA regulations is deemed to have been done under the draft regulations. This means organisations that have already applied to the IR for the issuing of a code of conduct, using the prescribed form attached to the current POPIA regulations, would not need to submit a fresh application to the IR on the amended prescribed form attached to the draft regulations.
Rules of Procedure
The Rules of Procedure governing how a complaint must be submitted to and handled by the regulator. The rules are designed to:
- Promote access to the regulator by data subjects who allege interference with the protection of their personal information, or responsible parties who are aggrieved by a decision of an adjudicator.
- Facilitate co-operation by responsible parties and data subjects.
- Clarify the procedures for lodging complaints with the IR in terms of section 74(1) and (2) of the Act.
- Clarify how complaints must be submitted to the IR in terms section 75 of the Act.
- Clarify what the regulator must do when receiving a complaint in terms of section 76 of the Act.
- Clarify the time frames for taking actions provided for in the rules.
- Clarify the time frames for data subjects and responsible parties to respond to the findings of the regulator.
- Clarify the steps the regulator may take if a person or responsible party fails to comply or adhere to the stipulated time frames in an Information Notice or Enforcement Notice.
- Clarify the imposition of administrative fines as referred to in section 109(1) of the Act.
New email addresses
The IR has announced that it has set up new email addresses.
General enquiries should be sent to email@example.com.
If your PAIA request is denied, or there is no response from a public or private body for access to records, a complaint can be lodged with PAIAComplaints@inforegulator.org.za.
If you feel that your personal information has been violated, a complaint can be lodged at POPIAComplaints@inforegulator.org.za.
Manual registration of information officers
The registration portal for the registration of information officers is under construction. Manual applications can be submitted to Registration.IO@inforegulator.org.za.
There are two email addresses:
POPIACompliance@inforegulator.org.za should be used for POPIA compliance matters such as:
- Applications for prior authorisations;
- Applications for exemption;
- Applications for the processing of information of children;
- Applications for the processing of special information;
- Applications for codes of conduct; and
- Security compromise notices (data breaches).
The PAIACompliance@inforegulator.org.za address should be used for:
- Requests for assessment of non-compliance with PAIA;
- Submission of PAIA annual report by public and private and bodies; and
- Requests for access to the records of the IR.