The Protection of Personal Information Act (POPI) was signed into law in November 2013, but a commencement date for the Act has not yet been published. This is expected to happen in the first quarter of 2018. Once a commencement date for POPI has been published, businesses will only have 1 year to become fully compliant with the Act.
On Friday 8 September 2017, the Information Regulator issued draft POPI Regulations, which are open for public comment until 7 November 2017. The draft Regulations are mostly administrative and procedural in nature, and do not provide much practical guidance on how businesses should be complying with POPI. They will therefore not substantially change a business’s present POPI compliance journey.
The draft Regulations are relatively short, but do contain several prescribed forms attached as Annexures which will give your Privacy Information Officer an idea of how certain matters relating to POPI compliance and enforcement will occur.
A few key topics of the Regulations are addressed below.
CONSENT TO DIRECT MARKETING
POPI prohibits the processing of personal information for the purposes of direct marketing by unsolicited electronic communications, save to an existing customer (in certain circumstances) or with the consent of the data subject. Until now, it has been envisaged that consent to direct marketing would take the form of an opt-in mechanism or a tick-box. However, the draft Regulations propose that valid consent for direct marketing will need to be provided in a form which “corresponds substantially” with the prescribed form (Form 4 of the draft Regulations). This form presently requires written consent, signature and submission of the form by the data subject to the responsible party by post, fax, or email. Accordingly, unless the Regulations relating to direct marketing communications are revised, the standard click-to-accept or tick-to-accept consent may not be adequate.
THE DUTIES OF INFORMATION OFFICERS
Regulation 4 sets out the duties and responsibilities of an organisation’s information officer in further detail. These duties have a clear focus on compliance and require a new privacy information manual to be developed. The duties and responsibilities of an Information Officer will include developing, implementing and monitoring a compliance framework, ensuring that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information, conducting preliminary assessments, developing a privacy manual, developing internal measures and adequate systems to process requests for access to information, and conducting awareness sessions regarding the provisions of the Act, its Regulations and any codes of conduct or additional information in relation to POPI which is obtained from the Information Regulator.
INDUSTRY CODES OF CONDUCT
The draft Regulations provide that a private or public body which is, in the opinion of the Information Regulator, sufficiently representative of any class of bodies, or of any industry, profession, or vocation may apply to the Information Regulator for the issue of a code of conduct. It is likely that many industries will apply to the Information Regulator for a code of conduct once the Regulations are finalised and published. Industry associations should be approached to submit a joint request to the Information Regulator on behalf of your industry.
REQUEST FOR COMMENT AND INPUT ON THE PROCESSING OF HEALTH INFORMATION
Regarding the processing of health information, the Information Regulator has invited interested parties to provide comments and inputs in relation to more detailed rules for the processing of health information by certain parties. Section 32(6), read with section 32(1)(b) and (f) of POPI, provides that more detailed rules may be prescribed concerning the processing of personal information concerning a data subject’s health by (a) insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, and (b) administrative bodies, pension funds, employers or institutions working for them. Businesses that process any form of health information should refer to sections 32(1)(b) and (f) of POPI and determine if they are interested parties that have been invited to provide input to these rules.
Natasha Jansen
Natasha has a BCom LLB and was admitted as an attorney in 2008. She rose to the level of senior associate at Routledge Modise Attorneys (now Hogan Lovells) before leaving to join Deloitte Legal as a senior manager and subsequently the Life Healthcare Group as Senior Legal Counsel and then Deputy-Head Legal. Natasha left to focus on her commercial practice and joined Caveat Legal in 2017.