The Information Regulator in South Africa published the final POPI regulations on 14 December 2018 (or POPIA regulations or POPI Act Regulations as some people call them). The regulations say that “These Regulations shall be called the Regulations relating to the Protection of Personal Information, 2018” but we think most people will simply call them the POPI Regulations. In this article, we summarise them, enable you to download them and help you decide what action to take.
The Information Regulator’s final POPI regulations
For those who were hoping that these POPI regulations were going to provide practical guidance on how to comply with POPIA, I’m afraid you will be disappointed. They are only eight pages long (plus 35 pages of forms). These regulations are largely administrative in nature and do not help organisations to interpret POPIA or make it easier for them to comply. There are no clear controls and the accountability is still left with the responsible party to apply the conditions to their circumstances. This is very much in line with what we have been saying for years – the regulations are not going to substantially change what you must comply with.
For those who were fearful that the POPIA regulations were going to create extra compliance requirements, I’m pleased to say you will be relieved. There are very few extra requirements, except for the impact that the forms might have.
When will these Regulations commence?
The POPIA regulations are final but will only commence on a date to be determined by the Regulator by proclamation in the Government Gazette. The commencement date of the POPI Regulations will be aligned with the POPI commencement date.
Actions you could take:
- Download the final POPI Regulations 2018 published on 14 Dec 2018 in three languages and read them.
- Meet your responsibilities as an Information Officer to implement a compliance framework by joining the Michalsons Data Protection programme.
- Assess the impact on your specific organisation by asking Michalsons to do a high-level data protection impact assessment.
- Comply with the conditions for lawful processing in South Africa by asking Michalsons to do a personal information impact assessment for you or by joining the Michalsons Data Protection programme and doing a PIA yourself.
- Obtain consents for direct marketing lawfully by asking us to advise you on how to obtain consents in accordance with these POPI regulations.
- Be alerted to future developments regarding data protection compliance by subscribing to our newsletter.
- Comply with data protection laws by finding out how to get expert assistance.
What do the final POPIA regulations deal with?
- How a data subject can object to the processing of their personal information.
- How a data subject can request the correction or deletion of information.
- The responsibilities of an information officer. (Important!)
- How to apply for the regulator to issue a code of conduct.
- How to request marketing consent. (Important!)
- How to submit a complaint to the regulator.
- How the regulator will act as a conciliator in investigations.
- What the regulator must do before it investigates you.
- How the regulator will try to settle complaints.
- How the regulator will conduct assessments.
- How the regulator will notify people during investigations.
The responsibilities of Information Officers
Regulation 4 of the POPIA regulations is interesting because it sets out that an information officer must:
- develop, implement and monitor a compliance framework,
- ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist,
- develop, monitor, maintain and make available a PAIA manual,
- develop internal measures and adequate systems to process requests for access to information, and
- ensure that internal awareness sessions are conducted.
As part of the Michalsons Data Protection programme, we have developed a POPIA compliance framework that contains all the latest global developments and best practices.
Request for data subject’s consent to direct market
Regulation 6 and Form 4
The POPI regulations have an impact on direct marketing consents. Regulation 6 says “A responsible party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must in terms of section 69(2) of the Act submit a request for written consent to that data subject on Form 4.” Terms in bold are defined in the POPI Regulations or in the ECT Act. Form 4 sets out how to get consent to direct market to a data subject. Essentially, you must:
- identify the data subject,
- identify the responsible party and provide their contact details,
- identify the person designated to sign for the responsible party,
- enable the data subject to consent to receive direct marketing for specified goods or services by specified methods of electronic communication, and
- get both the person designated by the responsible party and the data subject to sign.
Many people (especially direct marketers) will read regulation 6 and Form 4 with concern, especially the requirements that the consent must be written and signed by both a person designated by the responsible party and the data subject. But when you unpack the regulation it is not as prescriptive as you might fear.
The regulation is hard to unpack because it contains many definitions which themselves contain definitions. “Submit” means submit by data message, electronic communication, registered post, electronic mail, facsimile, and personal delivery. “Written” is in any form of writing, including in the form of a data message that is accessible in a manner usable for subsequent reference. “Form” includes “any form which is substantially similar to” Form 4. A “data message” means “data generated, sent, received or stored by electronic means and includes:
- voice, where the voice is used in an automated transaction; and
- a stored record.”
“Sign” or “signature” includes an electronic signature which “means data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature”.
The practical impact
OK, so what does all this mean? At the outset, it is important to remember that this consent is only necessary for direct marketing by electronic communications – if you direct market by physical communication, you do not need consent. For example, you do not need someone’s consent to phone them. Also, you only need consent from prospects; you do not need consent from your customers. If you are going to send electronic direct marketing to someone you don’t know, you must get their consent in the form prescribed by these regulations. Don’t fall into the trap of thinking you have to get this written, signed consent from everyone.
The written requirement means that the consent must be made up of data that can be referred to after the consent is given. In other words, there must be some form of record of the consent. Data is very broad and includes voice. So, if a data subject consents on a call, that is written consent. I actually can’t think of a way that the regulation stops you from requesting consent. Can you?
You can submit a request for the consent in virtually any way you choose. You can send them an SMS, email them, talk to them, ask on a website, ask on an app, or ask over the phone. Again, I actually can’t think of a way that the regulation stops you from requesting consent. Can you?
Both parties must sign the consent but you can use any kind of signature. All that is required is that some data (which the person signing intends to serve as a signature) must be associated with the data which makes up the consent. For example, a signature could be data recording that a data subject clicked on a button, or ticked a box, or agreed to terms, or even says “I agree” over the phone.
The form of the request does not need to be in the form of Form 4! I hope you were paying attention because the word form has two meanings. Form means “a particular way in which a thing exists or appears” or it means a Form that you fill in. You’ll be fine as long as the request contains the essence of what is in Form 4 (See the five things we set out above). The request (or consent) must just be substantially similar to Form 4. One could argue that this means that the consent does not need to be on an actual Form. It can basically take any form, like a pop-up notice on a website, or an SMS or an email.
I actually can’t think of a way that the regulation stops you from requesting consent. Can you?
The bottom line
You can get consent however you like and the POPI Regulations do not prescribe any particular method. There might be some practical challenges but most will be overcome. This is good news for anyone who has to get consents from data subjects to direct electronic market to them.
The process that led to these POPI Act Regulations
The Information Regulator published draft POPI regulations and invited people to comment on them by 7 November 2017. The regulator held public consultations on the regulations in all the major centres of South Africa. We attended the sessions. We sent our written submission to the Regulator on 7 November 2017 on behalf of the members of the Michalsons Data Protection programme. If you would like a copy of our written submission, please ask our support desk for it. The Information Regulator reviewed the comments submitted to it and published the final version of the regulations on 14 December 2018.
Rules on the processing of health information
One interesting thing for anyone who processes health information is that in the draft regulations (but not the final ones) the regulator invited them to comment on whether the regulator should prescribe rules and what those rules should be. This is especially relevant to:
- insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations,
- administrative bodies, pension funds, and employers (or institutions working for them).
Minister’s POPI Regulations
There are two people who have the power to make regulations. The regulator is one – the other is the Minister of Justice and Constitutional Development who has the limited power to make POPI Regulations (under section 112(1)) about:
- establishing the Information Regulator, and
- fees that data subjects must pay to:
  - a responsible party for accessing the personal information it processes, and
  - the Regulator when complaining to the Regulator.
That is it – the Minister has quite limited powers to make regulations. We expect that the Minister will only publish these regulations during 2019. The Information Regulator has already met with the Minister to discuss these regulations.