Newsletter Details

Regulations relating to the Protection of Personal Information

The Information Regulator published the final Regulations in terms of section 112 (2) of the Protection of Personal Information Act 2013 (“POPIA”) on 14 December 2018.

These Regulations are more comprehensive than the previous draft Regulations and now constitute the final Regulations to POPIA.

Definitions

The definitions of the final Regulations have now been amended to also include “data message”, “signature” and “writing” as is referred to in the Electronic Communications and TransActions Act 25 of 2002 (“ECTA”).

In terms of ECTA, “data” is defined as electronic representations of information and the “data controller” is the person who electronically requests, collects, collate, processes or stores personal information of a data subject. The “data message” is defined as data generated, sent, received or stored by electronic means.

“Writing” for the purpose of the Regulations also include writing in terms of section 12 of the ECTA, stipulating that the requirement in law that a document or information must be in writing is met when the document or information is in the form of a data message and is accessible in a manner usable for subsequent reference.

Objections and requests

Objections, requests for correction or deletion / destruction of records or data must be done either on form 1 or form 2 of the Regulations. The responsible party or designated person of the responsible party must render reasonable assistance as necessary, free of charge, to enable the data subject to make an objection.

Responsibility of information officers

The duties and responsibilities of the Information Officer is set out in section 55 of POPIA as well as clause 4 of the Regulations. Clause 4 of the Regulations are in addition to the responsibilities of section 55.

In terms of section 55, an Information Officer’s responsibilities include the enforcement of compliance with the conditions of lawful processing, to deal with requests made in terms of the Act and working with the Regulator with relation to investigations conducted pursuant to chapter 6 of the Act. Officers in terms of the Act must take up their duties only after the responsible party has registered them with the Regulator.  In addition, an information officer must ensure compliance with five items in terms of the Regulations:

1. A compliance framework is developed, implemented, monitored and maintained by the responsible party (PIA);
2. A personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for lawful processing;
3. A manual is developed, monitored and maintained which complies with POPIA;
4. Internal measures are developed together with adequate systems to process requests for information and access thereto and lastly internal awareness sessions are conducted regarding the provisions of the Act.
5. The Information Officer shall also, upon request by a person, provide copies of the manual to that person on payment of a fee as determined by the Regulator from time to time.

Application for issuing of a code of conduct

Section 61 of the Act deals with the process of issuing codes of conduct. The Regulator may issue a code of conduct under section 60 on the Regulator’s own initiative, but only after consultation with the affected stakeholders or a body representing such stakeholders. Alternatively, on the application by a body which is in the opinion of the Regulator, sufficiently representative of any class of bodies or any industry, profession or vocation. The Regulator must give notice in the Gazette that the issuing of a code of conduct is being considered. This notice must contain a statement that contains the detail of the code of conduct considered, including the draft of the proposed code, and that submissions on the proposed code may be made in writing to the Regulator within a specific period.

The Regulator may not issue a code of conduct unless it has considered the submissions of affected persons and has satisfied itself that all persons affected have had a reasonable opportunity to be heard. The decision must be made within a reasonable period which may not exceed thirteen weeks.

In the event of any person applying for a code of conduct in terms of section 61 (1)(b), such application must be di on form 3 of the Regulations.

Request for a data subject’s consent to process personal information

Responsible parties who wish to process personal information for the purpose of direct marketing by way of electronic communication must in terms of section 69(2) of the Act, submit a request for written consent to that data subject on form 4 of the Regulations (“opt in”).

Section 69 of POPIA regulates direct marketing by means of unsolicited electronic communication. The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, which includes automatic calling machines, facsimiles, SMS’s, or electronic mail, is prohibited unless the data subject has given his or her consent to the processing or is subject to subsection 3, a customer of the responsible party. If the person is not a customer, the consent form, form 4, must be used prior to electronic marketing.

A responsible party must approach a data subject who has not previously withheld consent only once in order to obtain consent from the data subject.

It should be noted that form 4 has been substantially shortened from the draft Regulations which now requires the information of the data subject, who the responsible party is, the signature and the consent tick box to receive marketing for goods or services by means of electronic communication.

In terms of section 11 (3), a data subject may object at any time, to the processing of personal information for the purposes of direct marketing other than direct marketing by means of unsolicited electronic communication, as referred to in terms of section 69. If the data subject has objected, the responsible party may no longer process this information for the purposes of electronic marketing.

Therefore, direct marketing by means of unsolicited electronic communications may only take place after written consent has been obtained from the data subject. This relates to persons who are not customers of the responsible party. This therefore brings an end to telemarketing either through automated or voice means where a person is not a customer of the responsible party without consent. In such circumstances a person must have completed form 4 and may only be asked once to complete form 4 before such marketing can take place.

In circumstances where unsolicited electronic marketing is taking place, but the person is a customer of the relevant responsible party, subsection 3 of section 69 applies.

In these circumstances, “opt out” applies whereas unsolicited electronic marketing for non-customers opt in applies. For current customers, marketing may only take place in the context of the sale of a product or service which is part of or similar to the products of service of the responsible party and if the data subject has been given a reasonable opportunity to object free of charge and without formality, to the use of his electronic details. This opportunity should be provided to the data subject at each instance of direct marketing.

Regarding unsolicited electronic marketing, whether for a customer or non-customer, such responsible party may immediately object to such marketing and / or withdraw consent under which circumstances no further marketing may take place.

Submissions of complaints

Any person may submit a complaint to the Regulator in terms of section 74(1) alleging an interference with the protection of personal information of a data subject. Any person who wants to lay a complaint must submit a complaint to the Regulator on part 1 of form 5.

Part 2 of form 5 is dedicated to a complaint in terms of section 74(2) of the Act which deals with a complaint to the Regulator in the event of the responsible party being aggrieved by determination of an adjudicator.

Regulator Acting as a conciliator during investigations

In the event of the Regulator deciding to Act as a conciliator in a conciliation meeting between a complainant and a responsible party, the Regulator must inform the parties on form 6 of the Regulations. This takes place in terms of the rights of the Regulator in terms of section 76(1) of POPIA determining that the Regulator may at any time during an investigation of a matter convert and act as a conciliator in relation to the interference with the protection of personal information. The Regulator may consolidate separate complaints should such complaints relate to the same interference by the same responsible party in order to deal with the complaints in i conciliation proceeding.

The Regulator may request for relevant documentation relating to the complaint and may confer with the parties in person or through electronic communications.

The Regulator may issue a conciliation certificate in terms of form 7 within a reasonable period after the conclusion of the conciliation and if the complaint is not resolved, the Regulator may proceed with the complain in terms of section 76 of the Act.

Pre-investigation proceedings

In terms of section 79, before proceeding to investigate any matter, the Regulator must inform the complainant of the Regulator’s intention to conduct an investigation as well as a responsible party to whom the investigation relates. It must also inform them of the details of the complaint, the subject matter of the investigation and the rights of the responsible party to submit a written response in relation to a complaint or the subject matter of the investigation.

In terms of regulation 9, should the Regulator intend to investigate a matter in terms of chapter 10 of the Act (dealing with enforcement) the Regulator must in terms of section 79 first inform the parties in terms of part i of form 8 of such pre-investigation.

The subject matter of the investigation as well as the right to submit a written response must be informed of to the responsible party in part ii of form 8.

Settlement of complaints

The Regulator has the right to settle complaints in terms of section 79 before it fully investigates, alternatively refers the matter to the compliance committee. If it appears that a complaint can be settled during the process of a conciliation or pre-investigation, the Regulator may confer with the parties in person or by electronic communications or through any other means deemed appropriate in order to obtain settlement and if appropriate to obtain satisfactory insurances in terms of the Act. It is for the Regulator to decide whether it wants to convene a settlement meeting, if so, it must inform the parties on form 9 of such a meeting. The Regulator has the same powers as a conciliator. The Regulator must issue a settlement certificate on form 10. In the event of no settlement or assurance being secured by either of the parties or in the event of either of the parties not attending such settlement meeting, the Regulator must proceed with such matter as provided for in section 76 of the Act. Therefore, the Regulator may on its own initiative commence an investigation into the interference with the protection of personal information as referred to in section 70(3) of the Act.

Assessments

“Assessments” are regulated in terms of section 89 of the Act. A request for an assessment must be submitted to the Regulator, within a reasonable period, in part i of form 11. The Regulator must inform the requester on part ii of form 11 whether it has decided to conduct an assessment on its own initiative or as is requested.

The period of the assessment will be determined by the Regulator on a case by case basis and the Regulator, within a reasonable period, must notify the requester or the responsible party of any decision made in form 12.

The Regulator may on its own initiative or at the request make an assessment as to whether an instance of processing of personal information complies with the provision of the Act.

The matters to which the Regulator may have regard with regard to an assessment include (1) the extent to which the request appear to it to raise a matter of substance; (2) any undue delay in making the request; and (3) whether or not the person making such request is entitled to make an application in terms of section 23 or 24 in respect of personal information.

Informing the parties of the developments regarding an investigation

During an investigation the Regulator must within a reasonable period keep the complainant, the data subject and the responsible party informed of the developments of the investigation and inform the parties of the results of the investigation. The notifications contemplated must be served on the designated addresses of the parties advising them on forms 13 to 19 of an enforcement notice or the referral to the enforcement committee or that an enforcement notice has been served or that an enforcement notice has been cancelled or that an appeal has been lodged against an enforcement notice or that an appeal has been allowed and that an enforcement notice has been substituted or that an appeal has been dismissed.(forms 13 - 19)

Conclusion and implementation

It should be noted that in terms of regulation 13, the Regulations which are finally promulgated, shall commence on a date to be determined by the Regulator by proclamation in the Government Gazette. Therefore, although the Regulations are final, the commencement date has not yet been determined.

LabourSmart: www.laboursmart.co.za

Article prepared by Johanette Rheeder BLC LLB LLM

Director: Johanette Rheeder Inc