Article provided by SEESA
With all the compliance acts that came into effect over the last few years, business owners could easily get confused with all the different abbreviations they frequently encounter.
Two of these acts that have a similar ring to it are the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA).
The wording of these acts makes it clear that both have to do with the information. On the one hand, there is an act that aims to protect personal information and on the other, an act that regulates how to access information.
In essence, what is the difference?
POPIA mainly sets out the requirements in respect of protecting the information that relates to (but not limited to) an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.
The purpose of PAIA is:
To give effect to the constitutional right of access to – any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights – subject to justifiable limitations.
Who must ensure that the business complies with these acts?
The information officer who is or elected by the responsible party.
The information officer of a business will be the chief executive officer, owner or equivalent officer, or any person duly authorised by the business.
“Responsible party” means a public or private body or any other person, which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
“Information officer” of, or in relation to, a:
Public body means an information officer or deputy information officer as contemplated in terms of Section 1 or 17 of POPIA; or
Private body means the head of a private body as contemplated in Section 1, of PAIA.
It is therefore important to take note of:
The role of the Information Officer; and Registration with the Information Regulator is compulsory in terms of POPIA.
Sec 55 / 56 of POPIA – Duties and responsibilities of Information Officer:
The Information Officer’s responsibilities include:
- The encouragement of compliance, by the business, with the conditions for the lawful processing of personal information;
- Dealing with requests made to the business pursuant to this Act;
- Working with the Regulator in relation to investigations conducted pursuant to Chapter 6 of this Act in relation to the business;
- Ensuring compliance by the business with the provisions of this Act.
The Regulations relating to the protection of personal information stipulates additional roles and responsibilities of the information officer, and according to section – 4 (1) An information officer must, in addition to the responsibilities referred to in section 55(1) of the Act, ensure that-
- A compliance framework is developed, implemented, monitored and maintained
- A personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- A manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act ;
- (d) Internal measures are developed together with adequate systems to process requests for information or access thereto; and
- (e) Internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
(2) The information officer shall upon request by any person, provide copies of the manual to that person upon the payment of a fee to be determined by the Regulator from time to time.
It is important to note that the business may be charged with an administrative fine or the appropriate person may be sentenced to imprisonment in the event that a section or sections of these Acts are contravened. Therefore, it is suggested that the business appoints a person with authority such as the chief executive officer as the information officer to ensure that the sections as discussed hereafter are adhered to.
The effective date of POPIA was on 1 July 2020. There is a 12-month grace period which means that the POPIA deadline of 1 July 2021 is around the corner.
Responsible parties and Information officers must make sure they comply with the requirements of POPIA.
SEESA’s Legal Advisors are specialised to assist your business systematically with this process as this cannot be done overnight. This is a continous process that includes internal training, implementing and amending policies, security and destruction processes must be reviewed and updated. Quarterly POPIA meetings and risk assessments must be executed.
About The Author:
Douw Krüger is a Consumer Protection and POPI legal advisor that started his career at SEESA’s Kimberley office 5 years ago. He also has in-depth practical experience in BEE- and Labour legislation. He obtained his LLB degree in Law and Advanced Certificate in Labour Law at the University of the Free State in 2012.
References used:
popia.co.za
Promotion of Access to Information Act, 2000 (Act No. 2 of 2000).
Protection of Personal Information Act No.4 of 2013.