The Protection of Personal Information Act, 2013 (Act 4 of 2013)
The Protection of Personal Information Act, 2013 (POPIA Act) aims to promote the protection of personal information processed by public and private bodies by, among others, introducing certain conditions for the lawful processing of personal information so as to establish minimum requirements for the processing of such information.
The Information Regulator (South Africa) is, among others, empowered to monitor and enforce compliance by public and private bodies with the provisions of the POPIA Act.
The Information Regulator (South Africa)
Section 41(1) of the POPIA Act provides that the Information Regulator consists of a Chairperson and four other persons, as ordinary members of the Information Regulator. Section 41(1) further provides that the members of the Information Regulator must be appropriately qualified, fit and proper persons -
(i) at least one of whom must be appointed on account of experience as a practising advocate or attorney or a professor of law at a university; and
(ii) the remainder of whom must be appointed on account of any other qualifications, expertise and experience relating to the objects of the Information Regulator.
The following may, in addition to the above, be mentioned in connection with the establishment of the Information Regulator:
(i) The Chairperson and two ordinary members have been appointed in a full-time capacity while the other two ordinary members have been appointed in a part-time capacity for a period of five years ((section 41(1)(c) and (d) and (3) of the POPIA Act)).
(ii) The Information Regulator must establish its own administration to assist it in the performance of its functions and, to this end, the Information Regulator must appoint a suitably qualified and experienced person as the chief executive officer and such other members of staff as the Information Regulator may deem appropriate (section 47 of the POPIA Act)).
(iii) The funds of the Information Regulator will consist of such sums of money that Parliament appropriates annually for the use of the Information Regulator and the fees collected by the Information Regulator (section 52(1) of the POPIA Act). Insofar as the financial reporting of the Information Regulator is concerned it should be noted that the-
(a) chief executive officer of the Information Regulator is, for purposes of the Public Finance Management Act, 1999 (Act 1 of 1999), the accounting officer of the Information Regulator ((section 52(3) of the POPIA Act)); and
(b) Auditor-General must audit the Information Regulator’s financial records annually ((section 52(5) of the POPIA Act)).
The President, on the recommendation of the National Assembly, appointed the following persons as Chairperson and members of the Information Regulator with effect from 1 December 2016, for a period of five years:
(i) Adv Pansy Tlakula (Chairperson);
(ii) Adv Lebogang Cordelia Stroom-Nzama (full-time);
(iii) Adv Johannes Collen Weapond (full-time);
(iv) Prof Tana Pistorius (part-time); and
(v) Mr Sizwe Lindelo Snail ka Mtuze (part-time).
The full time members shall fulfil their responsibilities in terms of section 43(2)(a) of the POPIA Act as follows:
(i) Adv Lebogang Stroom-Nzama is responsible for the Promotion of Access to Information Act of 2000; and
(ii) Adv Collen Weapond is responsible for the Protection of Personal Information Act.
Powers, functions and duties of the Information Regulator
The Information Regulator is, among others, empowered to monitor and enforce compliance by public and private bodies with the provisions of the POPIA Act. The Information Regulator is also responsible for issuing codes of conduct for different sectors and to make guidelines to assist bodies with the development and application of codes of conduct.
Chapter 7 of the POPIA Act introduces Codes of Conduct. The development of codes of conduct will contribute to the proper implementation of the conditions for the lawful processing of personal information, as reflected in Chapter 3 of the POPIA Act, in each sector. Section 60 of the POPIA Act, among others, provides that a code must prescribe how the conditions are to be complied with within specific sectors as far as the processing of personal information is concerned.
Chapter 10 provides for complaints to be lodged with the Information Regulator by persons regarding any interference with the protection of their personal information. Interference with the protection of the personal information of a data subject consist, in terms of section 73, of—
(i) any breach of the conditions for the lawful processing of personal information set out in Chapter 3 of the POPIA Act;
(ii) non-compliance with any obligations created in terms of the POPIA Act; or
(iii) a breach of the provisions of a code that has been issued in terms of section 60.
The remaining provisions of the Chapter deal with the powers of the Information Regulator as far as investigation of complaints is concerned.
The Schedule to the POPIA Act is intended to effect certain amendments to existing legislation, among others, to ensure that all the responsibilities of the South African Human Rights Commission in terms of the Promotion of Access to Information Act, 2000, are assigned to the Information Regulator. The amendments reflected in the Schedule further aim to establish the Information Regulator as the sole functionary, apart from the courts, that may consider complaints against decisions that have been taken by public or private bodies in respect of requests for access to records of the bodies concerned.