Skip to main content

PLEASE NOTE: For everyone’s safety, Fasken recommends anyone on-site at our Canadian offices be familiar with the COVID-19 recommendations in place which may include one or more of the following: social distancing, hand sanitizing, wearing a mask in common areas and proof of full vaccination. These measures apply to lawyers, staff, clients, service providers and other visitors.

Bulletin

Buttressing the ambit of data protection: Proposed amendments to the Regulations of the Protection of Personal Information Act, 13 of 2014

Fasken
Reading Time 5 minute read Reading Level Level 1
Subscribe

Overview

The Information Regulator (the “Regulator”) has invited the public to comment on the proposed draft amendments to the Regulations of the Protection of Personal Information Act, 13 of 2014 (the “POPIA Regulations”).  The proposed amendments seek to amend the existing Regulations, which were passed on 14 December 2018.

The main objective of the proposed amendments is to provide effective ways of practical data protection enforcement under the POPIA Regulations by widening the avenues of complaints submissions,  requests and assistance by the Regulator. The proposed amendments also place additional obligations on responsible parties to further strengthen the protection of data subjects under POPIA.

We set out below a summary of the notable proposed amendments to the POPIA Regulations. The amendments are still in draft form and as such are not in effect.

A summary of the notable proposed amendments

 

Regulation 2: Objection to the processing of personal information (“PI”)

(Efficiency and convenience are the overarching principles emphasised by this amendment)

 

Proposed Amendment/s:

  • A data subject who wishes to object to the processing of their PI may submit the objection to the responsible party at any time and free of charge. The objection must be in the prescribed form.
  • Proposed obligations imposed on responsible parties are introduced. In summary, these obligations include that responsible parties must:
    • explicitly bring to the attention of data subjects their right to object; and
    • electronically record telephonic objections by data subjects and to provide such recording to data subjects, upon their request, in any manner, including a transcription thereof, and free of charge.
 

Regulation 3: Requests for correction, deletion and/or destruction of PI

Proposed Amendment/s:

  • Data subjects have the right to request, at any time and free of charge, the correction or deletion of their PI. This is provided that the PI is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
  • Further, a request for destruction of a record of a data subject’s PI may be made at any time and free of charge, if the responsible party is no longer authorised to retain the PI.
  • Responsible parties have the obligation, within 14 days of receipt of the request, to notify a data subject in writing of the action taken as a result of the request.
 

Regulation 4:  Additional duties and responsibilities of Information Officer

Proposed Amendment/s:
  • Regulation 4, in its current form, states that an Information Officer has the responsibility to ensure that a manual in terms of section 14 and 51 of the Promotion of Access to Information Act, 2000 is developed, monitored, maintained and made available. The proposed amendment seeks to remove this responsibility.
 

Regulation 6: Request for data subject’s consent to process PI

Proposed Amendment/s:

  • Responsible parties are required to:
    • obtain written consent from the data subject on a form substantially similar to Form 4 or in any manner that may be expedient, free of charge and reasonably accessible to the data subject, including e-mail, telephone, fax or SMS;
    • electronically record the request to obtain consent of a data subject telephonically; and
    • provide such recording and a transcription upon request by the data subject free of charge.
  • For the purposes of direct marketing through unsolicited electronic communications, opt-out shall not constitute consent as referred to in section 69 (2) of the Act.
 

Regulation 7: Submission of complaint (interference with PI)

(This amendment introduces significant changes to the process of submitting complaints)

Proposed Amendment/s:

 

Who is qualified to submit a complaint to the Regulator?

  • A data subject whose PI has been interfered with.
  • Any person acting on behalf of a data subject whose PI has been interfered with.
  • Any person with sufficient personal interest in the subject matter of the complaint.
  • A responsible party or data subject who is aggrieved by the determination of an adjudicator.
  • Any person acting in the public interest.

How and where is a complaint submitted?

  • To the Regulator, in writing, and submitted either on an online complaint form available on the website of the Regulator, or on the prescribed complaint form available at the Regulator’s office.

What information should accompany a complaint?

  • While much of the information required under the Form remains the same, the following notable amendments have been introduced:
  • If a complaint is lodged on behalf of another person(s), it must include proof that the person submitting the complaint is authorised to act on behalf of another person.
  • A complaint may also contain any other relevant additional information about the incident or matter concerned, which may include, the place and date of the occurrence and the particulars of the Information Officer.
  • In the event the complainant wishes his or her identity not to be disclosed, valid reasons must be submitted together with the complaint.
 

Regulation 13: Administrative fines

(This is a new regulation dealing with administrative fines imposed on responsible parties served with infringement notices)

Proposed Amendment/s:

  • Responsible parties unable to pay the administrative fine in a lump sum may make arrangements with the Regulator to pay the administrative fine in instalments on a case by case basis.
  • When determining an appropriate payment period, the Regulator must consider factors such as the financial circumstances of the responsible party and any other relevant compelling reasons that may directly or indirectly impact on the responsible party’s affordability.

 

This article was written by associate Emma Alimohammadi and candidate attorney Giscard Kotelo.

Comments can be submitted by email to VSewlal@infoRegulator.org.za or HShelembe@infoRegulator.org.za on or before 15 November 2021.

Author

    Subscribe

    Receive email updates from our team

    Subscribe