South Africa: The development of codes of conduct under POPIA

The effective date for South Africa's data privacy law, the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'), is fast approaching, and in anticipation of D-Day (1 July 2021), organisations need to address their compliance requirements to avoid possible penalties. PR de Wet and Hayley Levey, from VDT Attorneys Inc, provide an overview of what codes of conduct are and the benefits of subscribing to a code of conduct, following the Information Regulator's recent publication of Guidelines to Develop Codes of Conduct, Checklist for Submission of Application for Approval of a Proposed Code of Conduct, and Standard for Making and Dealing with Complaints in a Code of Conduct.

Published guidelines to develop codes of conduct

To enable compliance, POPIA makes provision for codes of conduct to be issued. Chapter 7 of POPIA sets out the framework for the issuing of codes of conduct, and the Information Regulator (POPIA’s supervisory authority) has, in terms of Section 65 of POPIA, recently published the Guidelines to Develop Codes of Conduct (‘the Guidelines’), which aim, amongst other things, to:

  • assist bodies to develop and issue codes of conduct or to apply for an approved code of conduct;
  • set out a complaints procedure in relation to codes of conduct; and
  • provide a process for the review, varying and revocation of an approved code of conduct.

What are codes of conduct?

Codes of conduct are essentially voluntary sector or industry guidelines that seek to apply a unified standard across a particular sector, professional body, or industry to assist members thereof, in implementing appropriate measures to ensure compliance with the provisions of POPIA.

Who can issue codes of conduct?

Codes of conduct can be issued through the Information Regulator’s own initiative subject to affected stakeholder consultation, or through the prescribed application process by a body which the Information Officer believes holds sufficient representation of a class of bodies, or of any industry, profession or vocation.

Notification of intention to develop codes of conduct required

Any relevant body, industry, or sector that intends to develop a code of conduct is required to first notify the Information Regulator of its intention to do so, and the Information Regulator must be kept informed throughout the development of the proposed code of conduct.

Minimum requirements for a code of conduct

The requirements of a code of conduct include:

  • the incorporation of all of POPIA’s conditions for lawful processing of personal information (to this extent a code of conduct does not replace the relevant provisions of POPIA);
  • any failure to comply with an issued code is deemed to be a breach of the conditions for the lawful processing thereof;
  • a code of conduct should be limited to provisions which outline the specific obligations of relevant bodies bound by a code and any mandatory requirements under POPIA; and
  • any matters unrelated to the conditions for the lawful processing of personal information should not form part of a code to be approved by the Information Regulator.

Regulator’s notification that codes of conduct have been issued

Upon a code of conduct being issued, the Information Regulator is required to publish a notification to this effect in the Government Gazette, which indicates, amongst other things, that such code has been issued and its effective date.

What are the possible benefits of subscribing to a code of conduct?

Possible benefits of adhering to issued codes of conduct include:

  • nurturing and promoting accountability and openness within the particular sector, body, or industry to which the codes are issued;
  • assisting members of bodies, sectors, or industries with guidance on how to implement compliance measures pursuant to POPIA’s conditions for lawful processing within their particular industry (i.e. a sector-specific POPIA compliance framework);
  • abiding by codes of conduct which have been approved by the Information Regulator is effectively an endorsement of good industry practice when it comes to data protection standards within such body, sector, or industry;
  • the potential to build your organisation’s brand and foster trust and confidence with data subjects including your customers, vendors, suppliers, and personnel, by showing commitment to safeguarding their personal data and upholding their Constitutional right to privacy; and
  • assisting in how to approach key data protection implementation areas bearing in mind the general landscape of processing within such sector, industry, or body (e.g., how to approach breach notifications).

The published Guidelines are effective from 1 March 2021 and sectors, industries, and bodies wanting to develop a set of codes can proceed to draft and apply for issue thereof in terms of the applicable required process set out in the Guidelines, together with consideration of the provisions of Chapter 7 of POPIA.

PR de Wet Director
prdw@vdt.co.za
Hayley Levey Associate
hayleyl@vdt.co.za
VDT Attorneys Inc, Pretoria

 


1. See: https://www.dataguidance.com/legal-research/guidelines-develop-codes-conduct-issued-under
2. See: https://www.dataguidance.com/legal-research/checklist-submission-application-approval
3. See: https://www.dataguidance.com/legal-research/standard-making-and-dealing-complaints-code
