The information regulator has published its annual performance plan for 1 April 2021 to 31 March 2022. It has also presented the plan in different formats to different audiences. For example, the regulator held a readiness stakeholder engagement on 15 June 2021. If you are planning what action your organisation needs to take for data protection and access to information in South Africa, it is really helpful to know what the regulator plans to do. In this article, we summarise the important plans and explain what they could mean for you. The regulator has said that it feels it is essential to be open about its challenges.

“The journey is going to be bumpy but we will be holding each other’s hands” Adv Pansy Tlakula on 15 June 2021

The regulator also said that the right to privacy is real, and the regulator is ready to step up and protect it.

Fixing the information officer registration portal

The regulator is aware of the problems or glitches (for example this one) and its IT team is addressing them as part of phase 2 of the development. The problems should be resolved within the next two weeks. The regulator has confirmed that no action will be taken against people who do not register because the portal was not working.

The regulator will not hold organisations accountable if the regulator’s systems are not working.

The regulator is also looking at a plan B for when the portal is down, which will be manual registrations.

Template for a PAIA Manual

You don’t need to submit your PAIA manual to anyone

The regulator will publish a PAIA manual template on its website as soon as possible. It is currently in the final approval process. It will be user-friendly and people will be able to populate it. The regulator reminds everyone that there is no such thing as a POPIA manual.

There is no such thing as a POPIA Manual

We welcome this news. Too many organisations (especially small ones) have spent money to get a PAIA manual that they are in any case exempt from having to have. Hopefully this template will help organisations that have to have a manual put one in place quickly and cost-effectively.

Exemption from having to have a PAIA Manual

Many organisations (especially SMEs) are currently exempt up until 1 July 2021 from having to have a PAIA Manual. The regulator has asked the Minister to extend the current exemption until 31 December 2021.

There is no PAIA manual deadline

Notice on prior authorisation

In its annual performance plan, the regulator said it is going to issue a new notice on prior authorisation (which they say will provide clear direction) within the next two weeks (so by 1 July 2021). Don’t confuse this with the Guidance Note on application for Prior Authorisation that they have already issued.

The regulator has confirmed that the deadline for those that need to get prior authorisation for high-risk processing activities (section 58(2)) will be extended until 1 February 2022. The regulator has said it will do this in terms of section 114(3). The regulator will publish the notice on its website by 18 June 2021 and in the gazette by 25 June 2021. If you need prior authorisation, you can carry on processing until then whilst the regulator processes your application. You should apply early enough to give the regulator sufficient time to process your application.

You should apply no later than 31 December 2021.

Template for notifying the regulator of a breach

The regulator will publish a template that responsible parties can use to notify the regulator of a breach. The regulator is going to need software, a portal or a system to receive all the notifications they will be getting.

Guidance note on exclusions and exemption from POPIA

The regulator says it is going to issue a guidance note on exclusions and exemption from the conditions for processing of personal information as provided for in section 36 and section 38 of POPIA before 1 July 2021. Hopefully, this will help organisations to work out whether they are excluded or exempt from the application of POPIA. We need this before 1 July 2021. Update: The regulator has published this guidance note.

Guidance note on the personal information of juristic persons

The regulator says it is going to issue a guidance note on juristic persons and their information officer. This will be very helpful.

Guidance note on legitimate interests

The regulator is going to issue a guidance note on what is a legitimate interest. This will be very useful for Michalsons and organisations when they do a legitimate interest assessment (LIA).

Guidance note on direct marketing

The regulator is going to issue a guidance note on direct marketing as provided for in section 69 of POPIA. This will be the equivalent of the ICO direct marketing code of practice.

Guidance note on security measures

The regulator is going to issue a guidance note on the meaning of “appropriate, reasonable technical and organisational measures” as provided for in section 19(1) of POPIA. The regulator indicated they might do this before 1 July 2021.

This is a mistake – the regulator simply isn’t in a position to do this. It is an impossible task. It is not how information security works. I doubt this will ever be published, but let’s wait and see.

Guide on how to use PAIA

The regulator will publish a guide for the public on how to use PAIA. We assume this will be an updated version of the SAHRC guide. Note that this is not a guide on how to comply with PAIA, but rather a guide for the public on how to gain access to the information your organisation holds.

Actions you can take regarding the regulator’s annual performance plan