The Information Regulator in South Africa published the final POPI regulations on 14 December 2018 (or POPIA regulations or POPI Act Regulations as some people call them). The regulations say that “These Regulations shall be called the Regulations relating to the Protection of Personal Information, 2018” but we think most people will simply call them the POPI Regulations. In this article, we summarise them, enable you to download them and help you decide what action to take.

The Information Regulator’s final POPI regulations

For those who were hoping that these POPI regulations were going to provide practical guidance on how to comply with POPIA, I’m afraid you will be disappointed. They are only eight pages long (plus 35 pages of forms). These regulations are largely administrative in nature and do not help organisations to interpret POPIA or make it easier for them to comply. There are no clear controls and the accountability is still left with the responsible party to apply the conditions to their circumstances. This is very much in line with what we have been saying for years – the regulations are not going to substantially change what you must comply with.

For those who were fearful that the POPIA regulations were going to create extra compliance requirements, I’m pleased to say you will be relieved. There are very few extra requirements, except for the impact that the forms might have.

When will these final POPI Regulations commence?

The POPIA regulations are final and commence on 1 July 2021 with the except of:

  • Regulation 4 (Responsibilities of information officers) which will be effective on 1 May 2021
  • Regulation 5 (Application for issuing code of conduct) which will be effective on 1 March 2021.

Actions you could take:

What do the final POPIA regulations deal with?

You can read a list of the regulations, and a summary of and our commentary on the most important regulations on our main POPIA regulations page.

The process that led to these POPI Act Regulations

The Information Regulator published draft POPI regulations and invited people to comment on them by 7 November 2017. The regulator held public consultations on the regulations in all the major centres of South Africa. We attended the sessions. We sent our written submission to the Regulator on 7 November 2017 on behalf of the members of the Michalsons Data Protection programme. If you would like a copy of our written submission, please ask our support desk for it. The Information Regulator reviewed the comments submitted to it and published the final version of the regulations on 14 December 2018.

Rules on the processing of health information

One interesting thing for anyone who processes health information is that in the draft regulations (but not the final ones) the regulator invited them to comment on whether the regulator should prescribe rules and what those rules should be. This is especially relevant to:

  • insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations,
  • administrative bodies, pension funds, and employers (or institutions working for them).

Minster’s POPI Regulations

There are two people who have the power to make regulations. The regulator is one – the other is the Minister of Justice and Constitutional Development who has the limited power to make POPI Regulations (under section 112(1)) about:

  • establishing the Information Regulator, and
  • fees that data subjects must pay to:
    • a responsible party for accessing the personal information it processes, and
    • the Regulator when complaining to the Regulator.

That is it – the Minister has quite limited powers to make regulations. We expect that the Minister will only publish these regulations during 2019. The Information Regulator has already met with the Minister to discuss these regulations.