POPI regulations expected by April 2018

Members of the Information Regulator were appointed on 1 December 2016 but the organisation is still a work in progress, according to Advocate Johannes Collen Weapond, full-time member of the Information Regulator, at a workshop earlier this year.

At a media briefing on 20 September 2017, the Information Regulator chairperson, Advocate Pansy Tlakula, announced the publication of the draft regulations and invited public comment. The draft regulations are available in Government Gazette 41105 published on 8 September 2017 (www.justice.gov.za/inforeg/docs/InfoRegSA-gg41105gon709-DraftReg.pdf).

The closing date for comment is 7 November 2017. The draft regulations will be tabled in Parliament in February 2018 with the anticipated date of publication of the final regulations in April 2018.

The draft regulations include the following:

  • Manner of lodging an objection to processing of personal information.
  • Request for correction or deletion of personal information or destroying or deletion of record of personal information.
  • Duties and responsibilities of information officers.
  • Application to issue a code of conduct.
  • Request for data subject’s consent for processing of personal information for the purpose of direct marketing by means of unsolicited electronic communications.
  • Submission of complaint or grievance.
  • Regulator acting as conciliator during an investigation.

The Regulator has not made provision for Regulations relating to section 112(2)(c) of the Protection of Personal Information Act, No 4 of 2013 (POPIA) which provides for the processing of health information by certain responsible parties such as insurance companies, medical schemes and pension funds as provided for in section 32(6) of POPIA. The Regulator is of the view that interested parties should make submissions in this regard.

According to Advocate Tlakula, the organisational structure has been finalised and submitted to the department of Public Services and Administration for processing. The 2017 – 2020 strategic performance plan has been adopted.

According to law firm Michalsons, POPI gives the Information Regulator teeth – it has extensive powers to investigate and fine responsible parties.

Advocate Pansy Tlakula was last year appointed by President Jacob Zuma as full-time member and chairperson of the Information Regulator. The other appointments include Lebogang Cordelia Stroom and Johannes Collen Weapond as full-time members, and Prof. Tana Pistorius and Sizwe Snail Ka Mtuze as part-time members.

Collen Weapond said that, like any other regulator in SA, such as ICASA and the Public Protector, the Information Regulator also needs to be independent. This can be realised when the Information Regulator gets its own offices. He explained that the Information Regulator currently occupies offices at the department of justice and constitutional development.

The Department of Public Works has been engaged to source interim and permanent office space. A needs analysis has already been completed. Weapond said that the Information Regulator is looking to get about 80 to 100 individuals during this first phase so that it can be comfortable that all complaints and enquiries of the South African public are sufficiently addressed in an appropriate time frame.

He explained that these individuals will mainly be tasked with spreading awareness about all the functions of the Information Regulator. To this effect, a series of public meetings is being arranged during November 2017.

The other challenge is the budget: only R25-million has been allocated this year. The budget allocation covers support and core functions of the Information Regulator and is currently under the control of the department of justice and constitutional development.

Under POPIA, companies face a fine of up to R10-million – or a decade in jail – if they breach its provisions, and could also encounter civil class-action lawsuits. However, the most damaging penalty will be reputational damage, because organisations will have to inform people if their data has been breached. Nonetheless, Weapond said the Information Regulator will not be in a hurry to slap organisations with fines in the first two years. He said that they are still looking for organisations’ buy-in and are taking a friendly approach. This will change after the grace period.

The Regulator has not been sitting back

The Regulator was cited as the seventh Respondent in the Constitutional Court case of the Black Sash Trust vs Minister of Social Development and Others. In this case, the Black Sash Trust had sought relief with reference to the contract between the South African Social Security Agency (SASSA) and Cash Paymaster Services (CPS), including that the personal information of grant beneficiaries be declared the property of SASSA. The Regulator filed an explanatory affidavit to the effect that the personal information of grant beneficiaries belongs to them and could never vest in a third party. The Regulator sought a declaratory order to this effect. The court held, amongst other things, that SASSA is under a duty to ensure that the payment method it determines “contains adequate safeguards to ensure that personal data obtained in the payment process remains private and may not be used for any purpose other than payment of the grants” and “precludes a contracting party from inviting beneficiaries to opt in to the sharing of confidential information for the marketing of goods and services”.

Although the Regulator is not yet fully operational, it has to date received 107 complaints relating to the unlawful processing of personal information and access to information. The majority of the complaints relate to banking, insurance and telecommunications, mainly direct marketing through unsolicited electronic communications.

The Regulator is a member of the Common Thread Network, which is the network for data protection authorities in Commonwealth countries, and is in the process of applying for membership of the Network of African Data Protection Authorities. The Regulator is an accredited member of the International Conference of Data Protection and Privacy Commissioners.

-by Hans van de Groenendaal, features editor, EngineerIT
