POPIA: Have you appointed an information officer yet?

Melanie Coetzee

It has been widely promulgated that the Protection of Personal Information Act (POPIA) will become fully operational by 1 July 2021, but many affected businesses may be unaware of the recent publication of preliminary requirements such as the appointment of an information officer by 1 May.

Most businesses are aware of their obligation to develop and implement a POPIA Privacy Policy by no later than 1 July 2021 since the Protection of Personal Information Act 4 of 2013 becomes fully operational then. However, many businesses are unaware of the preliminary requirements implemented by the Information Regulator on 22 February 2021 when it published a notice in terms of which:

  1. Regulation 4 related to the appointment of the business’s INFORMATION OFFICER would become effective on 1 May 2021. In practical terms, this means that:
    • All organisations that collect and process client data must have appointed their internal information officer by then;
    • The information officer must already have started the process of developing the organisation’s privacy rules and started drafting the policy document;
    • The information officer must also have started arranging internal training sessions within the organisation so that all employees are adequately educated.
  2. Regulation 5 related to INDUSTRY CODES OF CONDUCT became effective from 1 March 2021. Again, in practical terms, this means that:
    • Industry representatives can now apply to the Information Regulator for the issuing of industry-specific POPIA Codes of Conduct in the prescribed form and according to the prescribed rules, and these must be submitted by 30 April 2021.

Obligation to get prior authorisation to collect and process data

In addition, the Information Regulator further published a notice on 11 March 2021 in which it sets out the process for obtaining prior authorisation from the Regulator’s offices in the event that the organisation collects and processes personal information:
1. Which is collected specifically as unique identifiers of the organisation’s data subjects-
a) for a purpose other than the one for which the identifier was specifically intended at collection; and
b) with the aim of linking the information together with information processed by other responsible parties;
2. On criminal behaviour or on unlawful or objectionable conduct of data subjects, on behalf of third parties;
3. For credit reporting; or
4. For transfer of special personal information, or personal information of children, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

In practical terms, the information officer of the organisation must assess the purposes and usage of personal information collected from the organisation’s client base. Once it is decided that the clients’ personal information falls within any of the above categories, the information officer must submit the prescribed application for prior authorisation to continue collecting and using clients’ information for future transactions. These applications must have been submitted by 1 July 2021.

Update on the WhatsApp terms and conditions

With regard to the review of WhatsApp’s updated terms and conditions, which was launched by the Regulator in January 2021, a follow-up notice was published on 3 March 2021 in which the Regulator expressed its concern about the usage of telephone numbers by WhatsApp and commented that European Union WhatsApp users were set to enjoy better protection of their personal data than South African users.

When it comes to choosing your professional compliance partner to guide and assist your organisation professionally, be discerning in your pick. The POPIA rules and Regulations are being flung into operation faster than the July 2021 date and action is needed in order to keep up with all the legal requirements.

Protection of people’s data is a major issue in the world at present and will remain a focus here in South Africa. It is therefore advisable to get your house in order to avoid facing complaints and possible fines.

This is an edited version of the article published originally on Melanie Coetzee’s blog and is shared here with her permission.

About the author: Melanie Coetzee started her own legal consultancy in October 2021 after more than 20 years in corporate law firms. She specialises in property law and in particular foreign investors, exchange control and all elements compliance related, including FICAA, Privacy Laws and Covid-19.

Comments
  • Mongadi

    Who is the information officer? Is it a legal company that I need to contact and have them develop these codes for our company or can it be anyone with knowledge on how systems gather and process information?
