The Information Regulator has published the draft POPI regulations (or POPIA regulations as some people call them) and invited people to comment on them by 7 November 2017. The regulator has held public consultations on the regulations and is now in the process of reviewing the comments submitted to it and we are now waiting for the next version of the regulations to be published. In this article, we’ll summarise them, enable you to download them and help you decide what action to take.
The Information Regulator’s draft POPI regulations
Well done to the regulator – they are making steady progress towards the effective implementation of the POPI Act. For those who were hoping that these POPI regulations were going to provide practical guidance on how to comply with POPIA, I’m afraid you will be disappointed. They are only five pages long (plus 26 pages of example forms). These regulations are largely administrative in nature and do not help organisations to interpret POPIA or make it easier for them to comply. There are no clear controls and the accountability is still left with the responsible party to apply the conditions to their circumstances. This is very much in line with what we have been saying for years – the regulations are not going to substantially change what you must comply with.
The POPI regulations have an impact on marketing consents
However, the forms might be useful to some because they set out how to do certain things. For example, form 4 sets out how to get consent to direct market to a data subject. For those who have already been getting marketing consent, it might pose a problem because you must get consent in a way that corresponds substantially with form 4. You’re either going to have to change how you get marketing consent or convince the regulator to change form 4.
What does ‘corresponds substantially’ mean?
For those who were fearful that the POPIA regulations were going to create extra compliance requirements, I’m pleased to say you will be relieved. There are very few extra requirements, except for the impact that the forms might have.
Rules on the processing of health information
One interesting thing for anyone who processes health information is that the regulator has invited them to comment on whether the regulator should prescribe rules and what those rules should be. This is especially relevant to:
- insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations,
- administrative bodies, pension funds, and employers (or institutions working for them).
We think this is a great example of where all these organisations should collaborate collectively to submit comment to the Regulator. We’ll be doing this as part of the Michalsons compliance programme.
What do the POPIA regulations deal with?
- How a data subject can object to processing
- How a data subject can request the correction or deletion of information
- The duties of an information officer (Important!)
- How to apply for the regulator to issue a code of conduct
- How to request marketing consent (Important!)
- How to submit a complaint to the regulator
- How the regulator will act as a conciliator in investigations
- What the regulator must do before it investigates you
- How the regulator will notify people during investigations
- How the regulator will conduct assessments
The duties of Information Officers
Regulation 4 of the POPIA regulations is interesting because it sets out that an information officer must:
- develop, implement and monitor a compliance framework,
- ensure that adequate measures and standards exist,
- conduct preliminary assessments,
- develop a manual and make it available for a cost of no more than R3.50 per page,
- develop internal measures and adequate systems to process requests for access to information, and
- conduct awareness sessions.
Submission of comments
The Regulator has held public consultations on the regulations in all the major centres of South Africa. We attend the full day session in Cape Town. We have sent our written submission on them to the Regulator on 7 November 2017 on behalf of the members of the Michalsons compliance programme. If you would like a copy of our written submission, please ask our support desk for it. The deadline for submitting comments has now passed and we are now waiting for the next version of the regulations to be published.
Action you could take:
- Download the regulations by filling in the form below, read them, assess how they impact your organisation. We can advise you on how they impact your organisation.
- Be alerted to future developments regards data protection compliance by subscribing to our newsletter.
- Get expert assistance by finding out how we can help you to comply with data protection laws.
Minster’s POPI Regulations
There are two people who have the power to make regulations. The regulator is one – the other is the Minister of Justice and Constitutional Development who has the limited power to make POPI Regulations (under section 112(1)) about:
- establishing the Information Regulator, and
- fees that data subjects must pay to:
- a responsible party for accessing the personal information it processes, and
- the Regulator when complaining to the Regulator.
That is it – the Minister has quite limited powers to make regulations. We expect that the Minister will only publish these regulations towards the end of 2017. The Information Regulator has already met with the Minister to discuss these regulations.