On 8 September 2017, the Information Regulator published draft Regulations under the Protection of Personal Information Act 2013 (POPI) and invited comments from the public to be submitted by 7 November 2017.
The draft Regulations cover several different procedures to be followed in relation to processing of personal information (including consent for direct marketing by means of unsolicited electronic communications), application by industries or professions for codes of conduct, submission of complaints or grievances and the proceedings during investigations and assessments.
Extended duties and responsibilities of Information Officers have also been set out in the draft Regulations.
An ‘information officer’ is described in POPI as:
“… in relation to, a –
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act;”
Section 55 of the POPI Act states that the duties and responsibilities of the Information Officer include the requirements to:
- encourage compliance with the lawful processing of personal information by the entity and general compliance with the provisions of the Act;
- deal with any requests made in terms of POPI;
- work with the Regulator in respect of any investigations that relate to the entity.
The draft Regulations expand these responsibilities and require that the Information Officer also ensures that:
- a compliance framework is developed, implemented and monitored;
- adequate measures and standards exist to ensure compliance;
- preliminary assessments are conducted;
- a manual for POPI and the Promotion of Access to Information Act (PAIA) is developed and made available on the entity’s website and at the office(s) of the responsible party;
- internal measures are developed to process requests for or access to information; and
- awareness sessions are conducted.
POPI applies to all entities operating in South Africa, including authorised financial services providers (FSPs). FSPs should ensure that they have identified the Information Officer and that he/she understands the role and responsibilities imposed by the Act.
All comments must be marked for the attention of Ms M Mphelo and can be sent either:
- By email to firstname.lastname@example.org or
- By post to The Information Regulator, Private Bag X81, Pretoria, 0001