The Latest on POPIA: Codes of Conduct


Recently, the Information Regulator called upon the President to proclaim the commencement of the remaining provisions of POPIA. General consensus is that Responsible Parties should be on alert around 1 April 2020, from which date it is expected a time frame of 12 months will be given for Responsible Parties to comply with POPIA in its entirety.

Your bank knows almost everything about you. Same goes for your cell phone company. Not much different to your car dealership, or even your local supermarket. Our private information is out there, and we hand it over willingly on a daily basis, sometimes without even knowing it.

“What do you know...and what can you do with it?” is a three part series by Zinhle Novazi and Ian Jacobsberg telling you almost everything you need to know about the Protection of Personal Information Act (POPIA), the European Union’s General Data Protection Regulations and what you can expect when the remaining provisions of POPIA come into operation.

The Latest

Recently, the Information Regulator called upon the President to proclaim the commencement of the remaining provisions of POPIA. The general consensus is that Responsible Parties (anyone receiving and dealing with personal information relating to others), should be on alert around 1 April 2020, from which date it is expected a time frame of 12 months will be given for Responsible Parties to comply with POPIA in its entirety. If a Responsible Party fails to comply, the Information Regulator will be empowered to sanction the Responsible Party for non-compliance. The timeline for compliance is set out in Section 114 of POPIA.

Other Interesting Developments

Draft guidelines to develop Codes of Conduct in terms of Chapter 7 of POPIA

In the middle of January 2020, the period for comment closed on the Draft Guidelines to Develop Codes of Conduct for Industries.

What are these codes?

Chapter 7 of POPIA empowers the Information Regulator to issue codes of conduct which will regulate specific industries and how they manage personal information.

What would the purpose be of industry specific codes of conduct?

The Legislature acknowledges that different industries will be required to manage personal data differently. For instance, your bank will have access to different private data than your cell phone company and will use it for different purposes. Industry standards might require more stringent controls in particular areas of data management.

If my industry has a code of conduct, do I comply with the code or with POPIA?

Both. In the original version of the Draft Guidelines section 15.1 clearly stated that a code cannot limit any rights provided in POPIA. However, in the Amended Guidelines, this section was removed. This said, we are of the view that a code will not be enforceable if it derogates from the provisions POPIA. If a Responsible Party is of the view that an industry code of conduct is more lenient than POPIA in certain respects, it is advisable that the Responsible Party act so as to give full effect to the provisions of POPIA.

Are there consequences for breaching your industry’s code of conduct?

Yes as per section 68 of POPIA, the sanctions set out in Chapter 10 of POPIA will apply for breach of a code of conduct. Responsible Parties will need to familiarise themselves with both the requirements set out in POPIA and the relevant code of conduct.

How does having a code of conduct assist the Data Subject?

Firstly, the intention is to provide Data Subjects (persons to whom personal information relates) with transparency as to how their personal information is being managed. Secondly, they may assist with setting out standardised complaints procedures, and provide complainants with a clear path for recourse in the event of breaches. As a result, having a code of conduct in place, will bolster consumer confidence in respect of how their data is managed.

What Should Responsible Parties be aware of going forward?

The introduction of codes of conduct in specific sectors may result in an additional layer of compliance being required, following all of the provisions of POPIA coming into effect. How soon that will follow is uncertain and will depend on leading industry bodies and when the guidelines come into effect. Responsible Parties will need to ensure that they are compliant with both POPIA and any applicable code.