The Protection of Personal Information Act (POPI) was signed into law by President Zuma in November 2013. In terms of Section 39 of the Act, an Information Regulator must be established. On 7 September 2016, the National Assembly approved the nominations of Chairperson, Advocate Pansy Tlakula and four other persons as members of the Regulator. The four other appointments consist of full-time members Advocate Lebogang Stroom and Johannes Weapond and part-time members Professor Tana Pistorius and Sizwe Snail.
The POPI Act sets out the powers and duties of the Regulator as:
- providing education,
- monitoring and enforcing compliance,
- consulting with interested parties,
- handling complaints,
- conducting research and to report to Parliament,
- issuing codes of conduct,
- facilitating cross-border cooperation in the enforcement of privacy laws,
- and in general, to exercise duties conferred upon it by the Act and the Promotion of Access to Information Act (PAIA).
What to Expect
The nominations are still to be confirmed by the President.
There are certain regulations under the Act which are still to be brought into effect. In anticipation of the entire Act commencing, advisors should be assessing the type of personal information that they keep as well as the personal information that they request in their day-to-day business dealings. This information could relate to clients, staff or other service providers. Once a list of this personal information has been compiled, a business must ask what each type of personal information is used for and whether it is essential. So as a point of departure, it is understanding what personal information the business has or requests, what happens to that personal information and who has access to it.
Since the announcement of nominations of the Regulator being approved, it is anticipated that the commencement of the rest of the Act is not too far way. When the commencement date is published, businesses will have a one-year period to ensure that their processes are in line with the requirements of POPI. This means that businesses will not be fined or penalised for non-compliance within that time period. The period of one year may be extended by the Minister on request or of his/her own accord and after consultation with the Regulator. This will be by notice in the Gazette in respect of different class or classes of information and bodies by an additional period not exceeding three years.