By Lize de la Harpe, legal adviser
In the last edition we discussed the role of the Information Officer.
In this edition we will take a closer look at the powers and duties of the Information Regulator.
Establishment of Information Regulator - section 39
The Information Regulator is an independent body established in terms of section 39 of POPIA. As an independent juristic person, it is subject only to the Constitution and the law. It must exercise its powers and perform its functions in accordance with both POPIA and PAIA (Promotion of Access to Information Act, 2000) and it is accountable to the National Assembly.
The appointment of the Information Regulator
The Information Regulator consists of a Chairperson and four other ordinary members. The act also provides for the appointment of a chief executive officer, management and staff appropriate for the work to be performed by the Information Regulator.
Section 50 of the act makes provision for the establishment of an Enforcement Committee comprising at least one member of the Information Regulator and such other persons as appointed by the Information Regulator. The Enforcement Committee will be chaired by an active or retired judge of the High Court of South Africa, or a magistrate, advocate or attorney with at least 10 years’ appropriate experience.
(*PS: The President appointed Adv Pansy Tlakula as the Information Regulator with effect from 1 Dec 2016, for a period of five years. See full details of the Chairperson and other members at https://justice.gov.za/inforeg/members.html).
Powers, duties and functions of the Information Regulator – section 40
The Information Regulator is responsible for the promotion and protection of the right to privacy as it relates to the protection of personal information and the right of access to information.
The Information Regulator’s duties include:
- monitoring and enforcing compliance by public and private bodies with the provisions of the act;
- providing education by promoting an understanding and acceptance of the Conditions for the lawful processing of personal information;
- consulting interested parties on a national and international basis;
- handling and investigating complaints and, where necessary, imposing administrative fines (*we will discuss offences, penalties and administrative fines in the next edition!);
- conducting research and reporting to Parliament;
- in exceptional circumstances, granting an exemption to a responsible party to process personal information, even if that processing is in breach of a condition for the processing of such information, or any measure that gives effect to such condition;
- assisting in the establishment and development of codes of conduct for different sectors and publishing guidelines to assist bodies with the development and application of codes of conduct (*see discussion of chapter 7 below);
- facilitating cross-border cooperation in the enforcement of privacy laws in other jurisdictions; and
- generally doing everything necessary to fulfil these duties, and to foster a culture which protects personal information in South Africa.
The Information Regulator’s powers in terms of PAIA are dealt with in the Schedule to the act. The Schedule to the act sets out the amendments to PAIA, the most significant of which is the introduction of Chapter 1A, which deals with how the Information Regulator will deal with complaints in terms of PAIA (*these amendments, inter alia, establish the Information Regulator as the sole office - apart from the courts - that may consider complaints against decisions that have been taken by public or private bodies in respect of requests for access to their records).
Codes of conduct – chapter 7
The processing of personal information is diverse and extends across many different sectors. For this reason (and as mentioned above) the act makes provision for the establishment of codes of conduct that will govern the processing of personal information within defined sectors.
A code of conduct can apply to a specific body, a specific class of information, a specific activity or a specific industry or profession. The Information Regulator may issue a code of conduct of its own accord (but after consultation with affected stakeholders) or (the far more likely scenario!) on the application of a body representative of an industry, profession, or vocation as defined in the code.
All codes of conduct must:
- incorporate all the Conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions; and
- prescribe how the Conditions for the lawful processing of personal information are to be applied, or are to be complied with, given the particular features of the sector or sectors of society in which the relevant responsible parties are operating.
It’s clear from the above that the issuing of codes of conduct will not mean that a particular sector will have more flexibility in respect of how it processes personal information. The intention is merely to give responsible parties operating within specific sectors governed by such codes of conduct clearer guidance on how to process personal information lawfully.
The protection of personal information is a new concept in South African law and will thus have to be continuously interpreted to provide clarity. As such, the regulation of the protection of personal information will require a flexible approach - the Information Regulator will hopefully assist responsible parties in providing the legal certainty that is needed. In the next edition we will discuss offences, penalties and administrative fines as set out in Chapter 10 in more detail.