Newsletter Name: September 2017 | Published By: Johanette Rheeder | Publish Date: 01 September 2017
POPI Regulations and the duties of the Information Officer
The time has arrived!!
By Johanette Rheeder
The Information Regulator, Adv Pansy Tlakula, was appointed on 1 December 2016 in terms of the Protection of Information Act (POPI) 4 of 2013 and is, amongst others, empowered by POPI to monitor and enforce compliance by public and private bodies with the Act.
The Information Regulator is an independent body established by section 39 of the Act and is subject only to the law and the Constitution. One of her first tasks, as set out by the National Assembly, is to make regulations, the arrival of which the whole of South Africa has been waiting for with “bated” POPI anticipation.
The Information Regulator has now, under section 112(2) of POPI, made the draft regulations relating to the Protection of Personal Information, as published under GG 41105, GoN 709, dated 08 Sep 2017. The deadline for submissions is 7 November 2017, and submissions can be sent to firstname.lastname@example.org.
The draft regulations deal with, inter alia, the duties and responsibilities of the Information Officer (IO) of the responsible party. In terms hereof, subject to the provisions of section 55 of the Act, an Information Officer must ensure that certain actions take place.
This appointed person must ensure that a preliminary assessment (gap analysis) is conducted and that a compliance framework is developed, implemented and monitored. The Information Officer is therefore the dedicated person in a business responsible for the gap analysis, for the implementation of remedial action to ensure compliance, and for monitoring that compliance on a continuous basis.
Once the compliance framework is in place, the IO must ensure that continuous and adequate measures and standards exist and stay in place in order to comply with the 8 conditions for the lawful processing of personal information.
The IO is also responsible for developing a manual for the purpose of the Promotion of Access to Information Act and POPI, providing certain detail such as the purpose of the processing, a description of the categories of data subjects and of the information or categories of information collected relating thereto, the recipients or categories of recipients to whom the personal information may be supplied, and the planned cross-border flows of personal information, if any.
The manual must also contain a general description of security measures, allowing a preliminary assessment of the suitability of the information security measures to be implemented and monitored by the responsible party.
The manual must be made available on the website of the responsible party and at the office or offices of the responsible party for public inspection during normal business hours of that responsible party.
The IO must ensure that internal measures are developed together with adequate systems to process requests for information or access thereto.
Awareness sessions must be conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
The IO, or a person designated by him or her, can, upon request of any person, provide copies of the manual to that person upon payment of not more than R 3.50 per page.
From the above draft regulations, it is clear that companies need to start preparing for implementation and that the first steps are to appoint the IO, do awareness training and conduct a detailed gap analysis to get compliance-ready!