The draft South African Regulations relating to the Protection of Personal Information Act No. 4 of 2013 (the “POPI Act”) were published on 8 September 2017. These regulations have been titled the “Regulations relating to the Protection of Personal Information, 2017” (hereinafter the “Draft Regulations”). The Draft Regulations are open for public comment until 7 November 2017. Furthermore, in terms of Government Gazette No. 41105, interested parties, such as insurance companies, medical schemes, medical scheme administrators, managed healthcare organisations, and others, are invited to voice their comments or concerns in relation to the detailed rules that will apply to the processing of personal information concerning a data subject’s health, pursuant to Sections 32(6) and 32(1)(b) and (f) of the POPI Act.
It is important that businesses dealing with personal and private information of clients, customers, or even employees, are familiar with these regulations. There are a few key points to these regulations which, in my opinion, are important to take note of, specifically with regard to the procedural aspects of the POPI Act, which include the manner in which consumers may object to the processing of their personal information and the manner in which to request their consent to the processing of personal information for direct marketing purposes.
Direct marketing
For a while now, direct marketers have been speculating regarding the form of the regulations under Section 69(2) of the POPI Act. This section deals with direct marketing by means of unsolicited electronic communications, and more specifically how individuals may be approached.
Draft Regulation 6 reads that:
“A responsible party may request a data subject’s consent in writing on a form which corresponds substantially with Form 4 to the Annexure for the processing of personal information of that data subject for the purpose of direct marketing as contemplated in section 69(2) of the Act”.
Form 4 consists of two pages, and will surely prove to be very burdensome for any responsible party that conducts direct marketing by electronic means, whether by email or SMS.
Duties and responsibilities of information officers
Draft Regulation 4 expands on the duties and responsibilities of information officers, who are defined in the Promotion of Access to Information Act No. 2 of 2000 (hereinafter “PAIA”) as the “head” of the private body, being the following persons in each of the cases below:
- a natural person: that person or any person duly authorised by that natural person;
- a partnership: any partner or duly authorised person; and
- a juristic person: the chief executive officer, equivalent, acting officer or duly authorised officer.
These information officers are required to be registered with Information Regulators, and their duties, as set out in Section 55 of the POPI Act, include:
a) the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
b) dealing with requests made to the body pursuant to this Act;
c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
d) otherwise ensuring compliance by the body with the provisions of this Act.
The Draft Regulations, however, expand on the above duties and responsibilities by providing that information officers must also ensure that:
(a) “a compliance framework is developed, implemented and monitored;
(b) adequate measures and standards exists in order to comply with the conditions for the lawful processing of personal information;
(c) preliminary assessments are conducted;
(d) a manual for the purpose of the Promotion of Access to Information Act and the Act is developed, which must be available on an organisation’s website and at its offices for public inspection during normal business hours. Copies of the manual must also be made available upon payment of a fee to be determined by the organisation, which may not be more than R3.50 per page detailing:
(i) the purpose of the processing;
(ii) a description of the categories of data subjects and of the information or categories of information relating thereto;
(iii) the recipients or categories of recipients to whom the personal information may be supplied;
(iv) the planned trans-border or cross border flows of personal information; and
(v) a general description allowing preliminary assessment of the suitability of information security measures to be implemented and monitored by the responsible party.”
It is clear that the Draft Regulations attempt to provide better clarity regarding the procedural steps to be followed in enforcing the obligations placed on the responsible party in the POPI Act.
Conclusion
Based on these developments, the role of every organisation’s information officer is not one to be taken lightly. An information officer’s duties are wide, and their role is one that every organisation needs to review. Furthermore, it is important for a business to obtain legal assistance when considering approaching consumers through direct marketing by electronic means. Businesses should also be familiar with the Draft Regulations in order to determine whether or not they wish to submit any comments prior to 7 November 2017.
Written by André Nortjé, Junior Associate at SchoemanLaw Inc.