South Africa POPIA: Latest developments regarding the Codes of Conduct and POPIA Regulations
In anticipation of the entry into force of the remaining provisions of the Personal Data Protection Act 4 of 2013 (“POPIA”) on July 1, 2021, there have been some notable developments in the Office of the Information Inspectorate that are providing much-anticipated practical advice to organizations to ensure that they Are POPIA Compliant.
Beginning of the POPIA regulations and guidelines for the development of codes of conduct
On February 26, 2021, a notice was published in Government Gazette Notice 75 of 2021 stating the following deadlines:
- The guidelines for the development of codes of conduct within the meaning of Section 65 of the POPIA, which will come into force on March 1, 2021;
- The provisions within the meaning of Section 112 (2) POPIA read as follows:
- Ordinance 5 on “Applications for a Code of Conduct” comes into force on March 1, 2021.
- Rule 4 on the “Responsibilities of the information officer” comes into force on May 1, 2021. and
- The balance of the ordinances will take effect on July 1, 2021.
The main aim of the Code of Conduct Development Guidelines is to standardize the information regulator’s approach to developing and issuing codes of conduct for the regulation of specific industries, occupations and / or sectors, as set out in Chapter 7 “Codes of Conduct” of POPIA. The codes of conduct determine (among other things) how to comply with the conditions for lawful processing of personal data given the characteristics of a particular branch or branch.
In particular, Rule 4 extends the duties and responsibilities of information officers (e.g. developing, implementing and monitoring a compliance framework and ensuring that adequate measures and standards are in place to meet the conditions for lawful processing of personal data) and information The Senior executives should note that these duties and responsibilities begin with effect from May 1, 2021 (2 months prior to the start of the law-regulation balance sheet date).
Standard for filing and handling complaints according to approved codes of conduct
On March 1, 2021, the Information Regulator published a standard for filing and handling complaints under codes of conduct approved under Section 63 (2) (a) (ii) of POPIA (“Standard for dealing with complaints“). The standard for handling complaints is intended to ensure that a proposed code of conduct that sets out the procedure for filing and handling complaints is in line with the standard set by the information regulator. The information regulator did not announce the date the entry into force of the Complaints Handling Standard, but as it complements the Code of Conduct Development Guidelines, we believe that the Complaints Handling Standard will jointly come into effect on March 1, 2021.
Once a code of conduct has been developed and issued by the Information Authority under Section 63 of POPIA, any failure to comply with such a code of conduct will be deemed to be a violation of the terms of lawful processing of personal data and triggers the applicable enforcement mechanisms in relation to POPIA. It is required that all proposed codes include procedures for filing and handling complaints that meet the standard for handling complaints and guidelines for developing codes of conduct to the satisfaction of the information regulator.
The standard for handling complaints stipulates that every procedure for submitting and handling complaints in a code of conduct must be fair, transparent, impartial and responsive, be publicly accessible and easily accessible, be written in plain English and in any other official language, ensure a timely resolution of complaints, prescribe the requirements and reasons for filing a complaint and prescribe the complaint procedure.
Checklist for guidelines for developing codes of conduct
On March 3, 2021, the Information Authority also issued a checklist that was attached to the guidelines for developing codes of conduct (“Policy checklist“) and is a continuation of the information regulator’s approach to developing and issuing codes of conduct. Companies are advised to ensure that any information and / or documents requested in the policy checklist are part of their submission to the information regulator before submitting them to a proposed code of conduct.
In view of the above, it should be noted that:
Starting March 1, 2021, public and / or private organizations can submit codes of conduct for review by the Code of Conduct Development Guidelines for review by the Information Inspectorate, while ensuring that all information and / or documents requested in the Policy Checklist have been submitted ;;
Organizations submitting codes of conduct to the information regulator should ensure that all complaint filing and handling procedures comply with complaint standards prescribed by the information regulator.
Although the duties and responsibilities described in Sections 55 and 56 of the POPIA for information officers will not begin until July 1, 2021, and the draft policy for the registration of the information officer has not yet been finalized and published by the information regulator, organizations should proactively implement arrangements for appointment their information officer and, if necessary, the delegation of tasks to the deputy information officer in order to ensure that the responsibilities in rule 4 are taken over by this information officer and appointed as deputy information officer by May 1, 2021; and
Organizations should ensure that their information officer and, if applicable, their deputy information officer are trained in relation to the tasks, responsibilities and consequences set out in POPIA.