The Information Regulator recently published a notice in respect of the proposed coming into effect of the provisions of the Protection of Personal Information Act or POPIA.
While the notice details, in the main, the development of certain codes of conduct, the notice goes further and stipulates the dates for the coming into effect of certain of the regulations published by the Information Regulator on 14 December 2018. The notice, dealing with the coming into effect of the regulations, has now been finally published by the Information Regulator on 26 February 2021.
The notice stipulates that regulation 4 will be effective on 1 May 2021, regulation 5 becomes effective on 1 March 2021 and the balance of the regulations will come into effect on 1 July 2021.
Regulation 4 requires that information officers, the guidelines for whom are yet to be finalised, is required to perform certain functions including compiling a compliance framework and conducting a "personal information impact assessment". The notice states that a "notice will appear in the Government Gazette proclaiming the commencement of the Regulations issued in terms of Section 112(2) of [POPIA]" and formalising the proposed effective dates of the various regulations.
POPIA has had a protracted introduction into law –
- POPIA was assented to by the President of the Republic on 19 November 2013. However, POPIA did not come into force by virtue of section 115(1), which required a presidential proclamation in order to bring POPIA into effect;
- a presidential proclamation followed on 11 April 2014 but confined its application to particular provisions of POPIA, being section 1, the establishment of the Information Regulator and sections 112 and 113, the last-mentioned of which allowed for regulations to be made. The effective date of the sections concerned was 11 April 2014;
- a further presidential proclamation then followed on 22 June 2020, which had the effect of bringing the balance of the provisions of POPIA into force in two tranches –
- the first of which dealt with bulk of the provisions of POPIA, which came into effect on 1 July 2020; and
- the second introduces section 110 and 114(4) with effect from 30 June 2021. Section 110 deals with the amendments to various pieces of existing legislation as a result of the coming into effect of POPIA and section 114(4) deals with the proposed interaction between the Information Regulator and the South African Human Rights Commission.
What is of particular note is that notwithstanding the second of the abovementioned proclamations, POPIA provides a transitional period of one year in the following terms: "[a]ll processing of personal information must within one year after the commencement of this section be made to conform to [POPIA]." Therefore, POPIA is relatively clear in its terms concerning the transitional period within which all persons are required to achieve compliance. In addition, POPIA confines regulatory powers, in respect of the legislated transitional period, only to an extension of the one year period by the Minister of Justice & Constitutional Development in consultation with the Information Regulator. There is no power indicated in POPIA that allows the Information Regulator to shorten the one year transitional period.
The notice, issued by the Information Regulator, is also silent as to the precise provision of POPIA on which reliance is placed for the imposition of what are, effectively, amendments to the one year transitional period. Whilst reference is made to section 112(2) in the notice, section 112(2) does not refer to any power of the Information Regulator to make regulations that ultimately amend the provisions of POPIA. In effect, the proposed regulations, detailing the effective dates of the regulations, where those dates are at odds with the one year transitional period, are ultra vires the provisions of POPIA and subject to potential constitutional challenge.
Bringing into force regulation 5 of the regulations on 1 March 2021 means that private and public bodies may submit an application for the Information Regulator to approve a conduct of conduct in terms of section 61(1)(b) of POPIA. Whilst regulation 5 is not, within and of itself, onerous, regulation 4 is markedly different in effect, both practically and legally.
Regulation 5 presupposes, first and foremost, that private and public entities have appointed an information officer to carry out the functions assigned to such an officer in terms of section 55 of POPIA read with regulation 4. Whilst information officers arguably exist in terms of the Promotion of Access to Information Act, the Information Regulator has other ideas in respect of precisely whom should be fulfilling the role of an information officer for purposes of POPIA compliance. In this regard, the Information Regulator published draft guidelines on the appointment of information officers and invited publish comment on those guidelines for the period between 17 July 2020 to 16 August 2020. The guidelines are yet to be finalised. Therefore, the potential for severe confusion arises as to how one is to achieve compliance with POPIA in the face of looming and now truncated enforcement dates and draft guidelines. Such circumstances give rise to questions around the rationality and reasonableness of altering the one year transitional period.
Regulation 5(1) is not shy about the requirements it imposes on information officers –
"An information officer must, in addition to the responsibilities referred to in section 55(1) of [POPIA], ensure that –
a. a compliance framework is developed, implemented, monitored and maintained;
b. a personal information impact assessment is done to ensure that adequate measures an standards exist in order to comply with the conditions for the lawful
c. processing of personal information;
d. a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act…;
e. internal measures are developed together with adequate systems to process request for information or access thereto; and
f. internal awareness sessions are conducted regarding the provisions of [POPIA], regulations made in terms of [POPIA], codes of conduct, or information obtained from the Regulator."
Bearing in mind that information officers are also legally bound to ensure that a private body complies with the provisions of POPIA, which carries with it the consequences of non-compliance set out in Chapter 10 of POPIA, the appointment of an information officer and his/her conduct as such are not be taken lightly. This further intensifies the examination of the legality of truncating the one year transitional provisions of POPIA by bringing regulation 4 into effect before that one year period has ended.
The one year transitional period is cast in legislation and was clearly intended to allow persons a reasonable opportunity to achieve compliance with POPIA in circumstances where the processing of personal information is intimately integrated into the operations of every private and public entity in the country. Last minute shifts in that timing could simply have the result that overall compliance is compromised, an outcome that is neither desirable for the constitutional future of the information compliance nor for the successful implementation of Act otherwise characterised by delays in enforcement.
Written by Neil Kirby, Director at Werksmans Attorneys