Read time: 3 minutes

SA Information Regulator checks POPI against international best practices

SA Information Regulator checks POPI against international best practices

South Africa's newly established Information Regulator (IR) will soon conduct a global benchmarking tour in an effort to ensure that it meets global standards ahead of the commencement of all parts of its enabling law, the Protection of Personal Information Act (POPI), in March next year.

The IR was established in December 2016 to manage compliance with POPI.

While it is already taking complaints from the general public from temporary office space provided by the department of justice, the regulator aims to hire up to a hundred people when its full organisational structure is implemented.

Advocate Johannes Weapond, full-time member of IR said, "We will go to the UK and then to the rest of the Europe as part of the first phase where we will compare what we have to how they have been operating. The second phase will see us go to Ghana and see how they set up their regulator and what their regulator deals with. In Ghana, we are already aware, for example, that we call it personal information they call it data protection and that they don't provide for access to information."

Advocate Weapond added that the regulator's Chairperson, Advocate Pansy Tlakula has attended a data protection conference in Ghana ahead of the global benchmarking tour as part of the exchange of information that is already happening between Ghana and South Africa.

He said that the IR's posture and application of data privacy rules will be influenced by South Africa's membership in the Commonwealth Trade Network.

This network is a global alliance of mostly Commonwealth nations who share knowledge on the best ways to roll out privacy safeguards. It is anticipated that the POPI law will have an impact on companies that transfer personal information across borders in their business.

"Ghana is part of that network. Uganda and Gambia are two countries that the network is currently approaching. We have Canada, the Cayman Islands, Mauritius and the Bahamas in the network as well. South Africa and Canada are the co-chairs."

The IR is currently wholly funded by South Africa's ministry of justice until it becomes fully functional.

Slow start

Advocate Weapond said the regulator is already receiving complaints from the public regarding the use of personal information, which have been successfully addressed within a 30-day cycle.

He added that current complaints range from less serious matters like the inclusion of one's birth date on a staff calendar to more complex questions such as whether a degree certificate issued by a University belongs to the academic institution or the graduate.

Advocate Weapond said in the first two years, IR will be lenient when it discovers breaches of POPI in order to allow time for public and private organisations to adjust to requirements of the law.

"We have decided as a regulator that we are not going to issue penalties or take a hard position (that will lead to penalties of up to ten million Rands). We have adopted a friendly approach and more of an assistance role for the first two years after which we will become very tough. For now, we invite everyone to walk with us and learn how to implement what is required in your organisation."

Court ruling

The IR was admitted as the seventh respondent in a recent court case heard by South Africa's Constitutional Court involving the use of information belonging to beneficiaries of the country's social services by a company appointed by the government agency responsible for the distribution of grants.

Weapond said the Court's finding, which was guided by submissions made on behalf of the IR, is by far their greatest highlight.

"The information of the grant recipients must be- and is deemed to be the personal information of the recipients. Their identity number and all other personal information cannot be used for any purpose other than what it was obtained for which is to pay the grants. The people who have that personal information have to work within that guideline and cannot use the information to promote insurance policies and airtime and so forth."

Dr Peter Tobin, CEO of management consulting practice Peter Tobin Consultancy, attended Advocate Weapond's brief and expressed concern over the slow pace that the IR has adopted before it begins its work in earnest.

"It is very encouraging that the regulator is making progress. It is a concern however that the kind of urgency that we should be having as a country about establishing credibility as an international trading partner is dependent on the wheels turning slowly in government. We need to have a much greater sense of urgency without compromising the quality of the work that the regulator does. We need to understand the pressure the country is under to create jobs and to establish ourselves as a growth partner for our European and global trading partners. That is the real drive behind the Protection of Personal Information Act. It has very little to do with the local scenario. We've taken ten years to get the legislation through Parliament and according to the timeline we heard this morning, it will be five more years from when the act was passed before it goes into force."

Daily newsletter