The purpose of the Protection of Personal Information Act 4 of 2013 (“POPIA”) is to ensure that all South African businesses and institutions conduct themselves in a responsible manner when collecting, storing, otherwise processing and sharing another entity’s personal information, by holding them accountable should they abuse, neglect or compromise the integrity and confidentiality of personal information in any way.
Here are the latest developments in respect of POPIA of which you should take note:
(1) Grace period for compliance has officially expired
The grace period for businesses to ensure that they become compliant has now officially come to an end (as of 01 July 2021). No matter what you may have heard, the grace period for compliance has not been extended and this means that businesses that are not POPIA compliant, regardless of whether this is intentional or accidental, are open to potentially severe penalties.
The Act makes provision for fines of up to R10 million and jail sentences of up to 10 years, depending on the seriousness of the breach, as well as the possibility of civil claims being instituted for breaches of the Act.
(2) The commencement of Section 58(2) of POPIA has been postponed to February 2022
Although the grace period has expired, there appears to be confusion and some misunderstanding regarding the recent announcement from the Information Regulator that the commencement date of section 58(2) of POPIA will be extended to 1 February 2022.
This does not mean that the grace period has been extended or that POPIA is not in full force. It means only that the commencement of the provisions which specifically relate to section 58(2) has been postponed until next year.
Section 58(2) of POPIA states that responsible parties may not carry out information processing activities that the Information Regulator has not been notified of in terms of section 58(1), until the Information Regulator has either completed its investigation or notified the responsible party that a more detailed investigation will not be conducted.
So, that brings us to our next question: What must the Information Regulator be notified of? Responsible parties are required to notify the Information Regulator in the event that certain types of information (as contemplated in section 57(1) of POPIA) are processed.
Essentially, a responsible party must obtain prior authorisation from the Information Regulator in the event that such party intends to –
- process any of a data subject’s unique identifiers for purposes other than originally intended or for linkage to information processed by another responsible party;
- process information on criminal behaviour or unlawful/objectionable conduct on behalf of third parties;
- process information for credit reporting purposes; and
- transfer certain special personal information or the personal information of children to a third party in a foreign country unable to provide an adequate level of protection.
This clearly refers to the specific categories of personal information which require prior notification to the Information Regulator. It does not relate to personal information as a whole (as defined in the Act), which encompasses a great deal more than the categories identified in section 57(1). It is only this notification duty that is postponed until next year.
In essence this means that all businesses are still expected to comply with all of the provisions of POPIA and that they may be held accountable for non-compliance with effect from 01 July 2021. It is merely the duties imposed in relation to the processing of certain types of information that require prior authorisation from the Information Regulator that have been temporarily postponed.
(3) Registration of Information Officer
As already confirmed, the date of implementation of POPIA remains 1 July 2021. However, the registration of Information Officers will be accepted after the due date of 30 June.
However, please take note that failure to register an Information Officer with the Information Regulator will not absolve any Responsible Party from its duties under POPIA. POPIA designates the Information Officer of each responsible party, and he/she will be held accountable for non-compliance irrespective of his/her registration status. Furthermore, failure to register will not prevent the business from incurring liability for non-compliance either.
Also keep in mind that registration of the Information Officer and his/her deputies with the Information Regulator is merely one aspect in the appointment of such person(s) and the carrying out of their functions under POPIA.
It is therefore clear that failure to have registered your Information Officer will not be a valid excuse to buy time to comply with POPIA until such registration. The grace period expired on 1 July 2021 and the business entity itself and the head of the institution can be held responsible for non-compliance if there is a breach of POPIA.
That being said, it's not too late to start your compliance journey today.
However, it is best to remember that information and data protection law is a complex and intricate field. It is therefore advisable that your business obtain the services of specialist POPIA attorneys to assist your Information Officer and their deputies in ensuring that they comply with POPIA, including establishing an appropriate, risk-tailored compliance framework.