2022 – a year in review
- In September 2022, the Information Regulator launched online portals for both the public and private sectors, facilitating the submission of Section 32 reports in accordance with PAIA. Additionally, these portals enabled the registration of information officers to comply with Section 55(2) of POPIA. The primary objective of these portals was to provide a cost-effective, user-friendly, and efficient platform to support submissions in this regard.
- In October 2022, the Information Regulator approved Codes of Conduct for both the Banking Association of South Africa (BASA) and the Credit Bureau Association (CBA). These Codes of Conduct serve as guidelines for the proper processing of personal information of data subjects within the banking and credit reporting sectors, in accordance with the provisions outlined in POPIA.
- During 2022, the Information Regulator conducted various webinars, conferences, and meetings aimed at promoting and raising awareness around POPIA and PAIA. These events included the African Network of Information Commissions Conference, the Data Protection Africa Summit, the International Day for Universal Access to Information (IDUAI), and a Roadshow held in partnership with the uMshwathi Local Municipality in KwaZulu-Natal. The objective of these initiatives was to promote awareness of both POPIA and PAIA through community engagement.
- The Information Regulator released its Strategic Plan for the period of 2022/23 to 2026/27. This plan outlines the measures that the Information Regulator will undertake to achieve its vision for 2027. With its enforcement powers, the Information Regulator aims to effectively enforce POPIA and to provide efficient remedies to complainants. The ultimate goal of the strategic plan is to empower individuals by implementing the Information Regulator’s mandate and by raising awareness of the significance of asserting the right to privacy and of the interaction between the right to privacy and the right of access to information. The plan consists of three parts, namely:
  - Part A addresses the Information Regulator’s dual mandate as outlined in Section 14 (the Right to Privacy) and Section 32 (the Right of Access to Information) of the Constitution of the Republic of South Africa, 1996 (Constitution). This dual mandate seeks to guarantee respect for, protection of, enforcement of, and fulfilment of the rights to privacy and of access to information. Part A also includes references to relevant case law related to POPIA and PAIA, which serve as useful guidelines for the application and interpretation of these Acts.
  - Part B encompasses the Information Regulator’s strategic focus and aims to identify and evaluate both internal and external elements and factors that may affect the implementation plan. These factors include political, economic, social, technological, environmental, and legal aspects, collectively referred to as the ‘PESTEL Analysis.’ This analysis enables the Information Regulator to identify its strengths and weaknesses and understand its environment while ensuring a balance between privacy and access to information.
  - Part C monitors the Information Regulator’s performance in terms of achieving its goals and fulfilling its mandate against identified indicators. Part C is essential as it allows the Information Regulator to closely monitor its performance and to ensure the successful implementation of the strategic plan.
- As reported in an August 2022 Media Statement released by the Information Regulator, another significant milestone was the establishment of the Enforcement Committee as required in Section 50 of POPIA. The committee is chaired by Adv Helen Fourie SC, with Ms. Simonè Margadie as the alternative Chairperson. The primary responsibility of the Committee is to consider complaints arising under both POPIA and PAIA that are referred to it and to make recommendations on them. In accordance with Section 92 of POPIA, the Regulator may refer a complaint or other matters to the Enforcement Committee for examination. Furthermore, as outlined in Section 93 of POPIA, the Enforcement Committee must consider all matters referred to it by the Information Regulator and provide findings or recommendations to the Information Regulator. This establishment marks a significant stride in ensuring that complaints referred to the Information Regulator are duly addressed and thoroughly investigated.
What to expect from the Information Regulator in 2023
Finalization of the Rules of Procedure of the Enforcement Committee
In February 2023, the Regulator issued an invitation for Public Comments on its Draft Rules of Procedure for the Enforcement Committee in terms of Section 92(2) of POPIA. Interested parties were requested to provide their feedback on or before March 24, 2023. The most relevant chapters of the Draft Rules are outlined below.
In terms of Chapter 2 of the Draft Rules, the purpose of the Rules is:
- to promote access to the Information Regulator through the establishment of the Enforcement Committee and to address any complaints concerning the protection of data subjects’ personal information;
- to provide a procedure regarding the manner and form in which a complaint can be referred to the Enforcement Committee;
- to provide clarity on the role players involved when a complaint has been referred to the Enforcement Committee;
- to set out the procedure on how evidence may be led before the Enforcement Committee; and
- in general, to prescribe the procedure to be followed by the Enforcement Committee.
Chapter 4 makes provision for the powers of the Enforcement Committee as well as the powers of the Chairperson presiding over hearings and proceedings of the Committee.
Chapter 5 sets out the proceedings of the Enforcement Committee. Specifically, subrules 5.1-5.13 outline the procedures that the Enforcement Committee should follow when adjudicating a complaint or any referred matter. This includes the types of matters that may be referred to the Enforcement Committee, notification requirements for involved parties, presentation of evidence to the Enforcement Committee, the period within which the Enforcement Committee may make a finding in order to submit its recommendation to the Information Regulator, procedures for expediting urgent matters, the rights of the parties before the Enforcement Committee, and application to the Enforcement Committee.
Chapter 7 provides that the Enforcement Committee is required to submit any findings and recommendations on any matter referred to it or the Information Regulator within a reasonable period, as prescribed in subrule 5.9.4.
Chapter 8 states that the Information Regulator must consider all the findings and recommendations of the Enforcement Committee within no less than 15 working days. After this consideration, the Information Regulator may issue the responsible party with an Enforcement Notice in accordance with Section 95 of POPIA.
Institution of action against responsible parties
The Information Regulator has taken stern action against government bodies in terms of POPIA. It is expected that the Information Regulator will continue to enforce its mandate against both public and private bodies in 2023. Some notable actions taken thus far include:
The South African Police Service
In August 2022, the Regulator initiated an investigation into the alleged violation of POPIA by members of the South African Police Service (SAPS) regarding the unauthorized release of personal information of victims attacked in Krugersdorp. This information, which included names, ages, home addresses, ID numbers, and violations suffered, had been shared among SAPS officials via a direct messaging platform and circulated to the public on social media. In accordance with Section 90 of POPIA, the Information Regulator issued an Information Notice to SAPS, requesting specific information necessary for the investigation, with a deadline of August 15, 2022.
After SAPS requested an extension to respond to the Information Notice, the Information Regulator granted an extension until August 24, 2022. However, on that date, SAPS only provided partial information requested in the Information Notice and indicated that they would only be able to deliver further information once their own investigation was concluded. The Information Regulator found the SAPS’ response to be insufficient, and subsequently issued a summons, as provided in Section 81 of POPIA, to compel SAPS to provide the outstanding information required by the Information Regulator.
Advocate Pansy Tlakula, Chairperson of the Regulator, stated: “We do not take kindly to the non-responsiveness or inadequate responses to issued Information Notices by responsible parties, because this interferes with the Regulator’s ability to conduct investigations into reported matters or those initiated by us. This has a serious indictment for the Regulator to provide necessary recourse to the victims of whom the right to privacy was possibly violated.”
On April 5, 2023, the Information Regulator held a media briefing to disclose the outcomes of various investigations and assessments conducted in accordance with the relevant Acts. The Information Regulator reported that an Enforcement Notice was issued to SAPS, following its consideration of the Enforcement Committee’s report in this regard.
The Regulator decided that SAPS, as the responsible party, had unlawfully and unreasonably processed the personal information of data subjects without their consent. Additionally, SAPS failed to comply with the duty to notify the Information Regulator and the data subjects of the security compromise, as mandated by POPIA. The Information Regulator noted that the personal information contained in the original message shared by SAPS officials was excessive and irrelevant for the purpose for which it was distributed, being to alert other stations of the serious crimes committed. Furthermore, the responsible party had failed to take appropriate, reasonable, and technical measures to prevent the unlawful processing of the personal information of data subjects, as required by POPIA.
The Information Regulator has, among others, ordered the responsible party to notify the data subjects of the security compromise relating to their personal information and to publish a public apology to data subjects in the most prominent newspapers and on social media platforms. Furthermore, SAPS is required to investigate the conduct of its members responsible for the unlawful processing of personal information and to include training on POPIA in all SAPS training programs. For further details, the complete media statement is available on the Information Regulator’s website.
The National Department of Health and the National Institute for Communicable Diseases
During 2022, the Information Regulator also closely monitored POPIA compliance within the National Department of Health (NDoH) and the National Institute for Communicable Diseases (NICD). The Information Regulator requested reports from the NICD and the NDoH to assess their compliance with POPIA and a Guidance Note that was issued by the Information Regulator on the processing of personal information in the management and containment of the COVID-19 pandemic, with specific reference to personal information collected, retained, and destroyed during this time.
In a media statement released by the Information Regulator in February 2023, it was disclosed that the NDoH and NICD did not comply with the Information Regulator’s request. Despite the formal Information Notice issued in terms of Section 90 of POPIA in November 2022, they failed to respond. As a result, the Information Regulator was forced to refer the matter to the Enforcement Committee in terms of Section 92(1) of POPIA.
Tlakula indicated that “This Guidance Note was issued in terms of POPIA and requires that the NDoH submits its report to Parliament as indicated. Compliance is not optional. Personal information that was collected during the pandemic included special personal information of people such as COVID test results and there must be accountability for how that personal information has been handled. We have been lenient with the NDoH on this point, but we would be failing the data subjects if we, as the Regulator, do not take action to ensure that there is compliance and accountability.”
At the time of publication, no further statement has been released on the finding and recommendation of the Enforcement Committee. However, following such finding, the Information Regulator may issue an enforcement notice in terms of Section 95 of POPIA. The abovementioned actions taken by the Information Regulator show its dedication to acting in accordance with its mandate, in ensuring the protection of personal information and holding institutions such as the SAPS, NDoH, and NICD accountable for their actions.
From the above, it is clear that the Information Regulator has made great strides in 2022 and we expect that it will continue to do so in 2023. This includes the expected finalization of the Rules of Procedure of the Enforcement Committee, ongoing enforcement of compliance with POPIA and PAIA, efforts to create awareness, hosting webinars and conferences, and increasing community engagement as part of the implementation of its Strategic Plan for 2022/23 to 2026/27.
PR de Wet (Director)
Mishka Cassim (Candidate Attorney)
This article is published in collaboration with OneTrust Global, DataGuidance.