In all instances, the Act refers to the POPI Act No. 4 of 2013.
You can download the Act here.
The Act provides for the establishment of an Information Regulator, who is responsible to supervise the implementation of the Act. It is important to note that every public and private body must appoint an Information Officer within their organisation to work with the Information Regulator, regarding compliance with the Act. As well as to assist during investigations by the Information Regulator.
First, let’s have a look at the Information Regulator.
PART A: THE INFORMATION REGULATOR
Establishment of an Information Regulator:
A legal person is appointed as an Information Regulator which has jurisdiction throughout the Republic and is independent and subject only to the Constitution and the law. The Information Regulator must be impartial, and perform its functions and exercise powers without fear, favour or prejudice. Powers and functions must be performed in accordance with the Act and the Promotion of Access to Information Act. The Information Regulator is accountable to the National Assembly.
1. Powers, Duties & Functions:
1.1 The Information Regulator must provide education by:
- promoting an understanding and acceptance of the conditions for the lawful processing of personal information and the objects of those conditions.
- undertaking educational programs to promote the protection of personal information, on behalf of the Regulator or in co-operation with other persons or authorities acting on behalf of the Regulator.
- . making public statements regarding matters affecting the protection of personal information of a data subject or any class of data subjects.
- giving advice to data subjects in the exercise of their rights.
- providing advice – upon request or by its own initiative – to a Minister or public or private body on their obligations under these provisions. As well as on any matter relevant to the operation of the Act.
1.2 The Information Regulator must monitor and enforce compliance by:
- public and private bodies with the provisions of the Act.
- undertaking research into and monitoring
developments ininformation processing and computer technology to ensure that adverse effectsof these developments on the protection of personal information canbe minimized. As well as reporting to the Minister regarding such researchand monitoring.
- examining any proposed legislation or proposed
policy ofthe Government that the Regulator considers may affect the protection ofpersonal information of data subjects and reporting the results to the Minister.
- reporting to Parliament on any policy matter
affecting theprotection of personal information. Including the need for or desirabilityof taking legislative, administrative or other action to ensurebetter protection of the personal information of data subjects.
- submitting to Parliament, within five months after
the endof the financial year, a report of all its activities during the financialyear.
- conducting an assessment – on its own initiative
or uponrequest – of a public or private body to ascertain if the processing ofpersonal information is according to the provisions of the law.
- monitoring the use of unique identifiers of data
subjects andreporting to Parliament from time to time the results, including recommendationsand desirability of taking legislative, administrative or otheraction to give better protection to the personal information of a data subject.
- maintaining, publishing and making available
and providingcopies of a register as prescribed by the Act.
- examining any proposed legislation that makes
provision forthe collection of personal information. Or for the disclosure of personalinformation by either a public or private body to another public orprivate body, where information might be used for an Information Matching Program. And to report the results to the Minister and Parliament.
1.3 The Information Regulator must consult with interested parties, by
- receiving and inviting representations from members of the public on any matter affecting the personal information of a data subject.
- co-operating nationally and internationally with other persons and bodies concerned with the protection of personal information.
- acting as an intermediator between opposing parties on any matter relating to any concerns about the action of a responsible party in the interest of protecting the personal information of a data subject.
1.4 The Information Regulator must handle complaints by:
- receiving and handling a complaint about alleged violations regarding the protection of information of data subjects. And reporting to complainants in respect of such complaints.
- gathering information that will assist in discharging and carrying out the functions of the Information Regulator as specified in the Act.
- attempting to resolve complaints through dispute resolution mechanisms such as mediation and reconciliation.
- servicing notices in terms of the Act and further promoting the resolutions of disputes in accordance with the Act.
1.5 The Information Regulator must Conduct research and report to Parliament
- on the desirability of the acceptance of any international instrument relating to the protection of personal information of a data subject.
- on any other matter, including necessary legislative amendments relating to the protection of personal information, that should be drawn to Parliament’s attention
1.6 The Information Regulator must in respect of Codes of Conduct
issue, amend and revoke codes of conduct
- make guidelines to assist bodies to develop or
apply codesof conduct.
- consider upon application, determinations
by adjudicatorsunder approved codes of conduct.
- to facilitate cross-border cooperation in
the enforcementof privacy laws by participating in any initiative aimed at suchcooperation.
1.7 The Information Regulator must in general,
- do anything incidental or conducive to the performance of any of the preceding functions.
- exercise and perform functions, power and duties, as imposed by or under the Act or any other legislation.
- require responsible parties to disclose to any person affected by a compromise to the integrity of confidentiality of personal information.
- exercise powers imposed by the Act in matters relating to the access of personal information as provided by the Act and the Promotion of Access to Information Act.
The Regulator may in the public interest or in the legitimate interest of any person or body of persons, publish reports relating to the exercise of the Regulators functions under the Act. Or to any case(s)investigated by the Regulator whether or not the matters have been the subject of a report to the Minister.
2. Appointment, term of office and removal of members:
The Regulator consists of the following members:
- A Chairperson
- Four other persons, as ordinary members.
Members must be appropriately qualified, fit and proper persons. At least one must be experienced as a practicing advocate or attorney or a professor of law at a university. And the remainder must be appointed on account of any other qualifications, experience or expertise relating to the objects of the Regulator.
The Chairman is appointed in a full-time capacity and may not perform or undertake to perform any other remunerative work while holding office as the Chairperson. Two ordinary members are appointed full-time and two in full or part-time capacity. Any members appointed in full-time capacity are not allowed to perform any other remunerative work while holding office.
The Chairman directs the work and the staff of the Regulator. In order to be appointed as a member of the Regulator, the following criteria applies:
- must be a citizen of the Republic.
- must not be a public servant.
- must not be a member of Parliament or any provincial or municipal council.
- must not be an office-bearer or employee of any political party.
- must not be an unrehabilitated insolvent.
- must not have been declared by the court as mentally ill or unfit.
- must not at any time have been convicted in the Republic or elsewhere of any offence involving dishonesty.
The Chairman and other members must be appointed by the President on recommendation of the National Assembly. This recommendation must also indicate whether appointments should be in a full-time or part-time capacity.
The National Assembly must recommend persons nominated by a committee of the Assembly. This committee must be composed of members of parties represented by the Assembly. And approved by the Assembly by a resolution adopted with a majority supporting vote.
The members will be appointed for a period of no longer than five years, and will after the expiration of this period, be eligible for reappointment.
The Chairman or full-time members can only perform other remunerative work with the prior written consent of the Minister.
A member can, upon written notice to the President, resign from office. A member can only be removed from office on grounds of misconduct, incapacity or incompetence. Or based on a finding of such
The President may suspend a member form office at any time after their start of proceedings of the National Assembly for the removal of the member. Or must remove a member form office after a resolution of the Assembly calling for the member’s removal.
A vacancy becomes available if a member becomes subject to a disqualification, because of no longer being compliant with the required categories. Or if a member resigns and the resignation takes effect. As well as if a member is removed from office, dies or becomes permanently incapable of doing the work required.
Any member appointed to fill a vacancy holds office for the rest of the period of his successor. Unless the President, upon recommendation by the National Assembly, appoints the member for a longer period. This extended period can’t exceed five years.
4. Power, duties and functions of Chairperson and other members:
The Chairperson must exercise powers and perform duties and functions as assigned to him by the Regulator in terms of the Act and the Promotion of Access to Information Act. He is accountable to the Regulator.
Members must exercise their power and perform their duties and functions according to the Act or the Promotion of Access to Information Act or both. But one of the members must function only in terms of the Act, while one other member must function only in term of the Promotion of Access to Information Act. All members are accountable to the chairperson.
The Regulator must have regard to certain matters:
- Have due regards to the conditions of lawful processing of personal information.
- Have due regard for the protection of all human rights and social interests that compete with privacy, including the need to the free flow of information and the legitimate interests of the public and private bodies in achieving their objects in an efficient way.
- Take account of international obligations accepted by South Africa
- Consider any developing general
international guidelinesrelevant to improve the protection of individual privacy.
In performing its function regarding Information Matching programs, the Regulator must have particular regard to whether or not the
- the objective of the program relates to a matter of significant public importance.
- use of the program to achieve an objective result in monetary savings that are significant and quantifiable or other comparable benefits to society.
- use of alternative means to achieve the objective that will give the same results.
- public interests in allowing the program to proceed
outweighsthe public interest in adhering to conditions for the lawful processing of personal information, that the program would otherwise contravene.
- the program involves information matching on a scale that is excessive, having regard to:
- the number of responsible parties or operators that will be matched
- the amount of detail about a data subject that will be matched.
When determining if the processing of personal information for
5. Conflict of interest:
If any member or person appointed by the Regulator has a material interest in any matter which could conflict with the proper performance of his duties in terms of the Act or PAIA, he or she must disclose this interest as prescribed – as soon as possible after being informed of such interest.
If such member is present in a committee meeting or enforcement meeting – where a matter of conflicting interest is to be considered – the member much disclose the nature of his or her interest before the matter is considered.
If the member fails to make a disclosure as required and is present at such a meeting of the Regulator or committee, or participate in the proceedings in any other way, the proceedings must be reviewed, varied or set aside by the Regulator or committee – as soon as the conflict of interest is discovered, without the participation of such member.
Such a member or person can’t be present during any liberation;or take part in any decision related to the matter in question. Any disclosure must
The member or person may perform all duties relating to the matter if a decision has been made that the interest is trivial or irrelevant. Or must be relieved of his duties relating to the matter, and such duties must be performed by another member who has no such conflict of interest.
6. Remuneration, allowances, benefits and privileges of members:
A member of the Regulator – not subject to the provisions of the Public Services Act or who is not a judge of the High Court of SA or a magistrate -will be entitled to remuneration, allowances (including travel and subsistence expenses), benefits and privileges as the Minister in consultation with the Minister of Finance may determine. This might differ for different members based on different positions held and function performed by them.
The Regulator must establish an administration to assist in the performance of its functions. Therefore, he must appoint or secure the secondment in terms of:
- A suitably qualified and experienced person as a chief executive officer (CEO) of the Regulator. The CEO will assist, subject to the Regulator’s direction and supervision, with the performance of all financial and administrative functions arising in terms of POPIA and PAIA. As well as exercising all powers delegated by the Regulator. The Regulator will also appoint other members or staff as necessary to assist the Regulator and CEO with such work as may arise through the
- performance of such functions.
The CEO may appoint a senior member of his staff as acting CEO, to perform his functions when absent. A member of the Regulator can’t be appointed as acting CEO. If a vacancy occurs in the office of the CEO, the Regulator must appoint an acting CEO.
The Regulator must provide for the advancement of persons disadvantaged by unfair discrimination when appointing staff. And employ equal opportunity employment practices. This is aimed to ensure that his staff, when viewed collectively, represents a broad cross-section of the population of the Republic.
The Regulator must pay his staff such remuneration, allowances and provide them with such pension and other employment benefits as is consistent with that paid in the public sector. To determine such remuneration, allowances and benefits, the Regulator must consult with the Minister of Finance.
The Regulator may upon request, be assisted by officials in the Public Service, seconded to his office. Provided that such secondment may not exceed twelve months and the initial period may only be extended once for a subsequent period not exceeding twelve months.
The Regulator may – upon consultation with the Minister – on a temporary basis or for a particular matter which is investigated, employ any person with special knowledge relating to the work of the Regulator. Or obtain the co-operation of any body, to advise and assist the Regulator in the performance of his duties. As well as fixing the remuneration (including reimbursement for travelling), subsistence and other expenses, of such person or body.
8. Power, duties and functions of the CEO:
The CEO is the head of administration and the accounting officer. As such he must apply powers and perform duties and functions as assigned by the Regulator, in order to achieve the objectives of the Regulator. As well as appointing a senior member of his staff as acting CEO in his absence.
The CEO is responsible and accountable to the Regulator for the:
- management of the affairs of the Regulator.
- formation and development of an efficient administration.
- organization and management of, and administrative control over all the members of staff. As well as all seconded persons.
- maintenance and discipline in respect of members of staff.
- execution of decisions of the Regulator
9. Committees of the Regulator
If necessary, for the proper performance of its functions, the Regulator may establish one or more committees, for a period determined by the Regulator, which must consist of:
- members as designated by the Regulator.
- other persons appointed by the Regulator.
The Regulator might at any time extend or revoke the period of an appointment to any such committee.
The Regulator designates a chairperson, and if necessary, a vice-chairperson of a committee. A committee performs functions as assigned by the Regulators. All such functions will be deemed to have been performed by the Regulator. The Regulator may dissolve any committee at any time.
Establishment of an Enforcement Committee:
The Regulator must establish an Enforcement Committee which must consist of at least one member of the Regulator. As well as any persons appointed by the Regulator, for the period determined by the Regulator.
The Regulator must in consultation with the Chief Justice and Minister, appoint a judge of the High Court of SA (whether in active service or not), a magistrate with at least ten years appropriate experience or an advocate with at least 10 years appropriate experience as Chairperson of the Enforcement Committee.
The Chairperson of the Enforcement Committee must manage the work of and attend hearings of the Enforcement Committee. A member may not participate in any proceeding of the Regulator if a decision was taken with regards to a recommendation by the Enforcement Committee. Any person appointed to the Enforcement Committee must be a fit and proper person and must comply with all criteria as specified.
10. Meetings of the Regulator:
Meetings are held at times and places determined by the Chairperson. Three members of the Regulator constitute a quorum for a meeting. The Chairperson regulates the proceeding at the meetings and keeps minutes of the proceedings. If the Chairperson is absent from a meeting, the members present selects one of the persons present to chair the meeting. A decision of the Regulator is taken by resolution agreed to by the majority of members ofany meeting of the Regulator. In case of equality of votes, the Chairperson has a casting vote in addition to his or her deliberative vote.
Funds of the Regulator consists of sums of money appropriated annually by Parliament for the use of the Regulator to properly exercise, perform and discharge its powers, duties and functions according to POPIA and PAIA. As well as any fees required to be paid by data subjects.
The financial year of the Regulator runs from 1 April of any given year to 31 March of the following year. Although the first financial year starts on the date that this Chapter comes into operation, to 31 March of the following year.
The CEO is the accounting officer and must perform his duties in accordance with the Public Finance Management Act. Within six months from the end of each financial year – according to establish accounting practice, principles and procedures – the Regulator must prepare financial statements, comprising:
- a statement reflection, with suitable and sufficient particulars, the income and expenditure of the Regulator for the previous financial year.
- a balance sheet showing the state of its assets, liabilities and the financial position at the end of the financial year.
These financial records must be audited by the Auditor-General yearly.
12. Protection of the Regulator
Any person acting on behalf or under direction of the Regulator is not civilly or criminally liable for anything done in good faith in the performance of duties of the Regulator in terms of POPIA and PAIA.
13. Duty of confidentiality:Any person acting on behalf or under the direction of the Regulator must – during and after his term of office or employment – treat as confidential the personal information which they have any knowledge of, due to the performance of… Click To Tweet
Any person acting on behalf or under the direction of the Regulator must – during and after his term of office or employment – treat as confidential the personal information which they have any knowledge of, due to the performance of official duties. Except if such information is required by law or in the proper performance of required duties.
PART B: INFORMATION OFFICER
1. Duties and responsibilities:
- encourage compliance, by the body, with the conditions for the lawful processing of information.
- deal with
requestmade to the body pursuant to POPIA.
- working with the Regulator in relation to investigations conducted due to prior authorisation relating to the body.
- ensure compliance by the body with POPIA.
- other functions as may be prescribed.
Information officers can only take up their duties in terms of POPIA after the responsible party has registered them with the Regulator.
2. Designation and delegation of deputy information officers:
Each public and private body must make provision as prescribed by POPIA, for the designation of such a number of persons as is necessary to perform the duties and responsibilities prescribed by POPIA. Or any power or duty imposed on an information officer to a deputy information officer of that public or private body.
We can see that the role of the Information Regulator is to provide education and ensure compliance with the POPI Act. This is done through consulting and the handling of complaints. The Information Regulator conducts research to improve the protection of personal information and assist with the provision of codes of conduct.
He is assisted in his duties through the appointment of members and staff. The CEO is in charge of this administration and is responsible for financial duties and management of staff.
Every public or private body must appoint an information officer to liase with the Information Regulator relating to all relevant matters to ensure compliance with the Act, as well as to assist with all investigations.
In the last part of this series we will look at Exemptions, Prior Authorisation and Codes of Conduct.
Source: Government Gazette Vol. 581; No. 37067 November 26, 2013 POPI Act No. 4 of 2013.
Next: POPI Act Part 5: – Exemptions, Prior Authorisation and Codes of Conduct.