In all instances, the Act refers to the POPI Act No. 4 of 2013.
You can download the Act here.
The last part in this series deals with another three functions of the Information Regulator. He determines when an exemption from the conditions for the processing of personal information applies and when prior authorisation is required. He also provides guidelines on, and regulates, the Codes of Conduct applicable to various industries and professions.
1. Exemption from conditions for the processing of personal information
Processing of personal information that would otherwise breach the conditions is allowed if the Regulator grants an exemption, and processing is also exempt where it is carried out in respect of certain functions (see below).
An exemption can be granted in the following instances:
- The public interest outweighs to a substantial degree any interference with the privacy of the data subject that could result from such processing.
- The processing involves a clear benefit to the data subject or a third party that outweighs to a substantial degree any interference with the privacy of the data subject or third party that could result from such processing.
Public interest includes the interests of national security; the prevention, detection and prosecution of offences; important economic and financial interests of a public body; fostering compliance with legal provisions; historical, statistical or research activity; and the special importance of the interest in freedom of expression.
The Regulator may impose reasonable conditions in respect of any exemption granted.
Personal information processed for the purpose of discharging a relevant function is exempt from the conditions to the extent that applying those conditions would be likely to prejudice the proper discharge of that function.
Relevant function means any function of a public body or conferred on any person in terms of the law, which is performed to protect members of the public against:
- financial loss due to dishonesty, malpractice or other improper conduct by, or the incompetence of, persons concerned in providing services such as banking, insurance, investment or other financial services.
- dishonesty, malpractice or improper conduct by, or the incompetence of, persons authorised to carry on any profession or other activity.
2. Prior Authorisation
2.1 Processing subject to prior authorisation:
The responsible party must obtain prior authorisation from the Regulator before it processes personal information in any of the following ways:
- processing any unique identifiers of the data subject for a purpose other than the one for which the identifier was specifically collected, or with the aim of linking the information together with information processed by other responsible parties.
- processing information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties.
- processing information for the purposes of credit reporting.
- transferring special personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
These provisions can be applied to other types of information processing if such processing carries a particular risk for the legitimate interests of the data subject.
This section does not apply if a code of conduct has been issued and has come into force in the specific sector(s) of society concerned.
This authorisation only needs to be obtained once and not each time that personal information is received or processed, except when it will depart from the purpose for which authorisation has been granted.
2.2 Responsible party to notify the Regulator if the processing is subject to prior authorisation:
Information processing contemplated in the previous section must be notified as such by the responsible party to the Regulator. Processing may not start or continue until the Regulator has completed its investigation, or until the responsible party receives notice that a more detailed investigation will not be conducted. The Regulator must inform the responsible party in writing within four weeks of the notification whether it will conduct a more detailed investigation.
If a detailed investigation is planned, the Regulator must indicate the period within which it plans to conduct the investigation, which may not exceed 13 weeks. On conclusion of the investigation, the Regulator must issue a statement concerning the lawfulness of the information processing.
A statement from the Regulator determining that the processing is unlawful constitutes an enforcement notice.
If a responsible party has suspended the processing of information pending investigation by the Regulator and has not received the Regulator's decision within the specified time limits, it may presume a decision in its favour and continue with the processing.
2.3 Failure to notify of the processing prior to authorisation:
If a responsible party fails to notify the Regulator of processing for which prior authorisation is required, it is guilty of an offence and is liable to a penalty.
3. Codes of Conduct
The Regulator must issue the codes of conduct. A code of conduct must incorporate all the conditions for the lawful processing of personal information, or set out obligations that provide a functional equivalent of the obligations set out in those conditions. It must also prescribe how the conditions are to be applied or complied with, given the particular features of the sector(s) of society in which the responsible parties are operating.
A code of conduct may apply to any one or more of the following:
- any specified information or class of information.
- any specified body or class of bodies.
- any specified activity or class of activities.
- any specified industry, profession, vocation or class of industries, professions or vocations.
A code of conduct must also specify appropriate measures for information matching programmes, if these are used in the specific sector, and for the protection of the legitimate interests of data subjects regarding automated decision making.
The code of conduct must also provide for review by the Regulator, as well as for the expiry of the code.
3.1 Process for issuing a code of conduct:
The Regulator issues a code of conduct either on its own initiative, after consultation with affected stakeholders or a body representing such stakeholders, or on an application in the prescribed form by a body which is, in the Regulator's view, sufficiently representative of any class of bodies, or of any industry, profession or vocation, as defined in the code in respect of that class of bodies, industry, profession or vocation.
The Regulator must give notice in the Gazette that the issuing of the code of conduct is being considered. This notice must contain a statement of the details of the code being considered, including a draft of the proposed code, state that a copy can be obtained from the Regulator, and state that submissions on the proposed code may be made in writing to the Regulator as specified in the notice.
The Regulator may not issue a code of conduct unless all submissions made to it have been considered and it is satisfied that all persons affected by the proposed code have had a reasonable opportunity to be heard.
The decision as to whether an application for the issuing of a code of conduct has been successful must be made within a reasonable period not exceeding 13 weeks.
3.2 Notification, availability, and commencement of code of conduct:
If a code of conduct is issued, the Regulator must ensure that a notice is issued in the Gazette as soon as reasonably practicable, indicating that the code has been issued and where copies are available for inspection free of charge and for purchase. As long as the code is in force, copies must be available on the Regulator's website, for inspection by members of the public at the Regulator's office (free of charge), and for purchase or copying by members of the public at a reasonable price at the Regulator's offices.
A code of conduct comes into force on the 28th day after the date of notification in the Gazette, or on such later date as is specified in the code, and is binding on every class of body, industry, profession or vocation it refers to.
3.3 Procedure for dealing with complaints:
A code of conduct may prescribe procedures for making and dealing with complaints alleging a breach of the code, but may not limit or restrict any provision relating to enforcement by the Regulator.
The Regulator must be satisfied that the procedures meet the prescribed standards and guidelines issued by the Regulator relating to the making of and dealing with complaints.
The code must provide for the appointment of an independent adjudicator to whom complaints can be made. When exercising his powers or performing his duties, the adjudicator must have due regard to the conditions for the lawful processing of personal information, the protection of human rights and social interests that compete with privacy, the international obligations accepted by SA, and the development of international guidelines to ensure better protection of individual privacy.
The adjudicator must prepare and submit a report, in a form satisfactory to the Regulator, within 5 months after the end of the financial year of the Regulator, on the operation of the code during the financial year. This report must specify the number and nature of complaints made to the adjudicator under the code during the relevant financial year.
A responsible party or data subject aggrieved by a determination (including any declaration, order or direction made after investigating a complaint) may submit a complaint to the Regulator against the determination upon payment of a prescribed fee. The adjudicator's determination continues to have effect unless and until the Regulator makes a determination regarding enforcement relating to the complaint, or unless the Regulator determines otherwise.
3.4 Amendment and revocation of codes of conduct:
The Regulator may revoke or amend a code of conduct according to the provisions of POPIA.
3.5 Guidelines about codes of conduct:
The Regulator may provide written guidelines to assist bodies in developing and applying codes of conduct, guidelines relating to the making of and dealing with complaints, and guidelines about the matters the Regulator may consider in deciding whether to approve a code of conduct or whether a variation or revocation of a code of conduct is required.
When considering the approval of a code of conduct where the responsible parties are not subject to a code of ethics, the Regulator must have due regard to the guidelines for the processing of personal information for journalistic purposes.
Before providing guidelines, the Regulator must give everyone that has a real and substantial legitimate interest in the matters covered in the code of conduct an opportunity to comment on them.
The Regulator must publish the guidelines in the Gazette.
3.6 Register of approved codes of conduct:
The Regulator must keep a register of all approved codes of conduct and decides the format of the register and how it must be kept. The register must be made available to the public in the manner the Regulator determines. Reasonable fees may be charged for making the register available to the public or for providing copies of or extracts from the register.
3.7 Review of operation of approved code of conduct:
The Regulator may on its own initiative review the operation of an approved code of conduct. This can happen in any of the following ways:
- Consider the process under the code for making and dealing with complaints.
- Inspect the records of the adjudicator of the code.
- Consider the outcome of complaints dealt with under the code.
- Interview the adjudicator for the code.
- Appoint experts to review provisions of the code that the Regulator believes require expert evaluation.
The review can lead to the Regulator revoking the approved code of conduct with immediate effect or at a future date to be determined by the Regulator.
3.8 Effect of failure to comply with a code of conduct:
Failure to comply with a code of conduct is deemed to be a breach of the conditions for the lawful processing of personal information and is dealt with under the enforcement provisions of POPIA.
This now completes the series about the POPI Act. Non-compliance carries a fine of R10 million or even up to 10 years imprisonment. I hope that you have gained a better understanding of how the POPI Act will affect your business and that you will start implementing measures to comply. Not many small businesses will be able to survive such a financial blow or even the blow to their hard-earned reputation!