In anticipation of the coming into effect of the remaining provisions of the Protection of Personal Information Act 4 of 2013 (“POPIA”) on 1 July 2021, there have been several notable developments in the office of Information Regulator which provide much awaited practical guidance to organisations to ensure that they are POPIA compliant.
Commencement dates of the POPIA Regulations and Guidelines to Develop Codes of Conduct
On 26 February 2021, a notice was published in the Government Gazette Notice 75 of 2021 which proclaimed the effective dates of the following:
- The Guidelines to Develop Codes of Conduct in terms of section 65 of POPIA which will become effective on 1 March 2021;
- The Regulations issued in terms of section 112(2) of POPIA, namely:
- Regulation 5 pertaining to the ‘Applications for issuing code of conducts’ will become effective on 1 March 2021;
- Regulation 4 pertaining to the ‘Responsibilities of Information Officers’ will become effective on 1 May 2021; and
- The balance of the Regulations will become effective on 1 July 2021.
The main objective of the Guidelines to Develop Codes of Conduct is to standardise the Information Regulator’s approach to the development and issuing of codes of conduct for the regulation of specific industries, professions and/or sectors as provided in terms of Chapter 7 ‘Codes of Conduct’ of POPIA. The codes of conduct will (amongst others) prescribe how the conditions for lawful processing of personal information are to be complied with, given the features of a particular industry or sector.
Notably, Regulation 4 expands on the duties and responsibilities of Information Officers (e.g. to develop, implement and monitor a compliance framework and to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information) and Information Officers should take note that these duties and responsibilities commence with effect from 1 May 2021 (2 months prior to the commencement date of the balance of the Act and the Regulations).
Standard for making and dealing with Complaints under approved codes of conduct
On 1 March 2021, the Information Regulator published a standard for making and dealing with complaints under codes of conduct approved in terms of section 63(2)(a)(ii) of POPIA (“Standard for dealing with Complaints“). The purpose of the Standard for dealing with Complaints is to ensure that any proposed code of conduct, which sets out the procedure for making and dealing with complaints, complies with the prescribed standard set by the Information Regulator. The Information Regulator did not proclaim the effective date of the Standard for dealing with Complaints, however as it is supplementary to the Guidelines to Develop Codes of Conduct, we believe that the Standard for dealing with Complaints jointly become effective on 1 March 2021.
Once a code of conduct has been developed and issued by the Information Regulator in terms of section 63 of POPIA any failure to comply with such a code of conduct will be deemed to be a breach of the conditions for the lawful processing of personal information and trigger the applicable enforcement mechanisms in terms of POPIA. It is a requirement that all proposed codes must include procedures for making and dealing with complaints, which meet the Standard for dealing with Complaints and the Guidelines to Develop Codes of Conduct, to the satisfaction of the Information Regulator.
The Standard for dealing with Complaints provides that any procedure for making and dealing with complaints in a code of conduct should be fair, transparent, impartial and responsive, be publicly available and easily accessible, be written in plain English as well as any other official language, provide for timeous resolution of complaints, prescribe the requirements and grounds for lodging a complaint, and prescribe the complaints procedure.
Checklist to the Guideline to Develop Codes of Conduct
On 3 March 2021, the Information Regulator also issued a checklist to accompany the Guideline to Develop Codes of Conduct (“Guideline Checklist“) and is a continuation of the Information Regulator’s approach to the development and issuing of codes of conduct. Businesses are advised to ensure that all information and/or documents requested in the Guideline Checklist form part of their submission to the Information Regulator prior to submitting a proposed code of conduct.
In view of the above, it is important to note that:
- From 1 March 2021, public and/or private organisations may submit code of conducts drafted in terms of the Guidelines to Develop Codes of Conduct for consideration by the Information Regulator, whilst ensuring that have submitted all information and/or documents requested in the Guideline Checklist;
- Organisations submitting code of conducts to the Information Regulator should ensure that any procedure for making and dealing with complaints comply with the Standards for Complaints prescribed by the Information Regulator;
- Although the duties and responsibilities outlined in sections 55 and 56 of POPIA for Information Officers will only commence on 1 July 2021 and the draft guidelines relating to registration of Information Officer have yet to be finalised and published by the Information Regulator, organisations should be proactively implementing arrangements for the appointment of their Information Officers, and where applicable the delegation of duties to the Deputy Information Officers, to ensure that the responsibilities in Regulation 4 are taken up by such Information Officer, and appointed Deputy Information Officers by 1 May 2021; and
- Organisations should ensure that their Information Officer and Deputy Information Officers (as applicable) receive training in respect of the duties, responsibilities and consequences as set out in POPIA.