Update on POPIA and the Information Regulator (South Africa)

It is almost 5 years since the Protection of Personal Information Act (POPIA/POPI Act) was signed into law, and it has still not fully commenced. Does this mean that we should ignore it and hope that it will die? On the contrary, laws of this nature are growing in number internationally, and privacy cultures are maturing, with the expectation that personal information will be protected as the norm. Read on to find out more.

The status of POPIA is as follows. After the invitation for public comment on the Draft POPI Act Regulations closed on 7 November 2017, the Information Regulator South Africa (IRSA) advised that they would consolidate all public comment and submit it to Parliament in April 2018 for approval. Currently, the public comments received have been consolidated and the revised draft regulations have been endorsed by the State Legal Advisor. The next step is to submit them to Parliament for approval.

The IRSA team is still being established. At present there are 5 members in the team, some of whom are part-time members. This is not an adequate complement for the IRSA to fulfil the required function. They are planning to recruit additional members and to have an adequate number of resources by the end of 2018. They expect to be operational by early 2019. The POPI Act/POPIA transition period of 12 months is expected to fully commence at this time.

In spite of the above, the IRSA is a legal regulatory body in terms of Section 39 of the Act, as this section commenced in April 2014. The IRSA has been involved in investigating a number of key personal information compromises (breaches) during the past few months. The most recent of these compromises are:

Liberty Life – millions of customers’ personal information was accessed by an unauthorised external party who accessed the company’s email system. While the financial loss does not appear to have been significant, the damage to their reputation was major. Furthermore, the IRSA stepped in and questioned what organisational and technical measures Liberty have implemented to address the requirements of the Protection of Personal Information Act (POPIA).

MiWay – a conversation between a sales representative from the insurance company MiWay and King Goodwill Zwelithini was leaked, which contravened POPIA. Once again the IRSA stepped in and questioned the measures MiWay has implemented to protect personal information from a legal perspective.

To reiterate, the IRSA is in place from a legal perspective in terms of section 39 of POPIA which commenced in April 2014. They are, therefore, empowered to investigate complaints and to investigate the measures organisations have put into place to protect personal information. Organisations are, therefore, encouraged to implement appropriate and reasonable measures for protecting personal information as they could be challenged by the IRSA should a compromise occur.