The Information Regulator is a new regulator that has been created by the Protection of Personal Information Act (POPI Act). POPI gives the Information Regulator teeth – it has extensive powers to investigate and fine responsible parties. Data subjects will be able to complain to the Information Regulator and it will be able to take action on behalf of data subjects. It will regulate both POPIA and PAIA. It reports to Parliament and is the South African equivalent of the Information Commissioner in the UK. You can find other authorities in this list of data protection authorities, commissioners or regulators (DPAs).
Has the Information Regulator been established?
Yes, it began its work on 1 December 2016. The sections of POPI that relate to the Information Regulator have already commenced and Treasury has also budgeted for it. The Information Regulator is “independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favour or prejudice.” (section 39). The Information Regulator is accountable to the National Assembly.
without fear, favour or prejudice
Have the office bearers been appointed?
The President of South Africa officially appointed the office bearers on 26 October 2016 with effect from 1 December 2016. As part of the process, the National Assembly recommended the appointment the office bearers on 7 September 2016. And before that Parliament invited everyone to nominate people and shortlisted candidates for Parliament to appoint as members of the Information Regulator.
The office of the Information Regulator is made up of Adv Pansy Tlakula as the chair, Adv Cordelia Stroom and Mr Johannes Weapond as full-time members, and Prof Tana Pistorius and Mr Sizwe Snail as part-time members. Adv Pansy Thakula should be given the opportunity to see what she can achieve as the chair of the Information Regulator.
Action you can take
- Be alerted to any new developments by subscribing to our newsletter.
- Find out more about the regulator and how to comply with POPIA by attending one of our public workshops (or having a private in-house one) or legal webinars.
- Find out how we can help you comply with data protection laws.
- Get specialist subject matter expert support to empower you to implement POPIA by joining one of our online Data Protection Programmes.
- Comply with POPIA by getting Michalsons to do some action items for you.
Where will the Information Regulator be?
What are the responsibilities of the Information Regulator?
- provide education,
- monitor and enforce compliance,
- consult with interested parties,
- handle complaints,
- conduct research and to report to Parliament,
- do various things regards codes of conduct,
- facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation, and
- a few other things specified in section 40(1) of POPIA.
One of the functions of the Information Regulator is to protect data subjects from harm and ensure that their personal information is protected by responsible parties. Similar to the Public Protector, the Information Regulator can hold responsible parties accountable for not complying with POPI.
The Information Regulator must “take account of international obligations accepted by South Africa and consider any developing general international guidelines relevant to the better protection of individual privacy.”
What you must do with the Information Regulator
Some responsible parties must get prior authorisation from the Information Regulator before they can process personal information, but those that need to are quite limited. See section 57 for those that need to. There is a good chance that you do not need to get authorisation. If you are not sure, we can help you to work out whether you need to get authorisation or not. Remember, it is a criminal offence if you do not get authorisation when you should have and there is the possibility of a fine or up to 12 months imprisonment. But by far the greater risk is that you might not be able to process personal information. It is not currently possible to get this authorisation, because the regulator does not have the process in place.
The Information Officer of each public and private body (and everyone has one) must be registered with the Information Regulator. Again this is not currently possible.
Image courtesy of the South African Government (May 2014) pursuant to a Creative Commons licence. We have not changed the image.