The Information Regulator is a new regulator that has been created by the Protection of Personal Information Act (POPI Act). POPI gives the Information Regulator teeth – it has extensive powers to investigate and fine responsible parties. Data subjects will be able to complain to the Information Regulator and it will be able to take action on behalf of data subjects. It will regulate both POPI and PAIA. It reports to Parliament and is the South African equivalent of the Information Commissioner in the UK.

Has the Information Regulator been established?

Yes. The sections of POPI that relate to the Information Regulator have already commenced and Treasury has also budgeted for it.

Have the office bearers been appointed?

The President of South Africa officially appointed the office bearers on 26 October 2016 with effect from 1 December 2016. As part of the process, the National Assembly recommended the appointment the office bearers on 7 September 2016. And before that Parliament invited everyone to nominate people and shortlisted candidates for Parliament to appoint as members of the Information Regulator.

The office of the Information Regulator will be made up of Adv Pansy Tlakula as the chair, Adv Cordelia Stroom and Mr Johannes Weapond as full-time members, and Prof Tana Pistorius and Mr Sizwe Snail as part-time members. The recommendation has been referred to the Minister of Justice and Correctional Services. Adv Pansy Thakula should be given the opportunity to see what she can achieve as the chair of the Information Regulator.

Action you can take

Where will the Information Regulator be?

It will have one central office in Gauteng and will have about five permanent office bearers. The Information Regulator needs to publish regulations at some point for POPI to finally become effective, and it will probably establish a website at www.informationregulator.co.za.

What are the responsibilities of the Information Regulator?

The Information Regulator essentially has to protect data subject against harm and ensure that their personal information is protected by responsible parties. Similar to the Public Protector, the Information Regulator can hold responsible parties accountable for not complying with POPI.

The responsibilities include:

  • educating responsible parties on the conditions for lawful processing;
  • ensuring that responsible parties process personal information lawfully;
  • ensuring compliance with the conditions for processing information;
  • monitoring and enforcing POPI compliance by public and private bodies
  • handling with POPI complaints by data subjects;
  • the responsibilities in Part 4 and 5 of the Promotion of Access to Information Act.

What you must do with the Information Regulator

Some responsible parties must get prior authorisation from the Information Regulator before they can process personal information, but those that need to are quite limited. See section 57 for those that need to. There is a good chance that you do not need to get authorisation. If you are not sure, we can help you to work out whether you need to get authorisation or not. Remember, it is a criminal offence if you do not get authorisation when you should have and there is the possibility of a fine or up to 12 months imprisonment. But by far the greater risk is that you might not be able to process personal information. It is not currently possible to get this authorisation, because the regulator does not have the process in place.

The Information Officer of each public and private body (and everyone has one) must be registered with the Information Regulator. Again this is not currently possible.

Image courtesy of the South African Government (May 2014) pursuant to a Creative Commons licence. We have not changed the image.