With the recent hype around POPIA and the implementation date having passed on 01 July 2021, it is natural that business owners feel overwhelmed and confused with all the different abbreviations they frequently encounter.
The Protection of Personal Information Act No. 4 of 2013 (“POPIA”) and the Promotion of Access to Information Act No. 2 of 2000 (“PAIA”) hold a special relationship in that both acts can be seen as information laws.
On the one hand, PAIA is an access to information law; on the other hand, POPIA is about privacy and the prevention of disclosure of information.
It is important to understand that these two laws are not competing but rather there to help ensure that information is managed and processed correctly.
So, what is the difference and the essence of these two laws?
The aim of POPIA is to control the way in which personal information (of a natural and juristic person) is handled and to regulate how that personal information should be processed to ensure it is done in a responsible way. Processing includes methods of collection, usage, storage, dissemination, alteration, and destruction of personal information.
The purpose of PAIA, in turn, is to give effect to the constitutional right of access to information held by the State and any information that is held by another person or entity, in order to actively promote a society in which the people of South Africa have effective access to information to enable them to exercise and protect all their rights more fully.
Who must ensure compliance with these acts?
The responsible party (a public or private body or any other person, which, alone or in conjunction with others, determines the purpose of and means for processing personal information) should identify an Information Officer within their company who should encourage compliance with these laws, deal with requests made to the company and report any information breach to the Information Regulator.
The Information Officer of a business will be the Chief Executive Officer, the owner or equal officer, or any person duly authorised by the business. It should be someone who understands and is involved in the way in which the company processes information.
It is important to understand the role of the Information Officer, which is more fully discussed in Sections 55 and 56 of POPIA. These duties include:
- To encourage the business to comply with the conditions for the lawful processing of personal information;
- Dealing with requests made to the business pursuant to POPIA;
- Working with the Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA in relation to the business; and
- Ensuring compliance by the business with the provisions of POPIA.
In terms of POPIA it is compulsory to register the Information Officer with the Information Regulator.
Registration of your Information Officer is a two-step process. First, the Information Officer must be appointed within the business, which can be done by way of a Director’s Resolution. Second, the appointment of the Information Officer must be registered with the Information Regulator. Section 55(2) of POPIA requires that Information Officers must be registered with the Information Regulator before they can take up their duties in terms of POPIA and PAIA. Registration is therefore a prerequisite for the Information Officer to perform their duties.
What are the timelines for registration?
The portal of the Information Regulator is already open for the registration of Information Officers, up until the end of June 2021.
How to determine if your company should have a PAIA manual?
The Minister of Justice and Correctional Services has recently gazetted a notice wherein certain organisations are exempted from having to compile a PAIA manual.
If you are a private company in terms of the Companies Act and you are not in any of the industries or sectors listed below, you don’t need to compile a manual.
If you are a private company in any of the industries or sectors listed below and you have 50 or more employees, you need to compile a manual.
If you are a private company in any of the industries or sectors listed below and your annual turnover is equal to or more than the threshold listed for your industry or sector, you need to compile a manual.

| Industry or sector | Turnover Threshold |
|---|---|
| Mining and Quarrying | R22,5 million |
| Electricity, Gas and Water | R30 million |
| Retail and Motor Trade and Repair Services | R45 million |
| Wholesale Trade, Commercial Agents and Allied Services | R75 million |
| Catering, Accommodation, and other Trade | R15 million |
| Transport, Storage and Communications | R30 million |
| Finance and Business Services | R30 million |
| Community, Special and Personal Services | R15 million |

The Information Officer shall, upon request by any person, provide copies of the manual to that person upon payment of a fee to be determined by the Regulator from time to time.
It is important to note that your business may be charged with an administrative fine or the appropriate person may be sentenced to imprisonment if a section or sections of these acts are not adhered to. Therefore, it is suggested that the business appoints a person with similar authority such as the Chief Executive Officer as the Information Officer to ensure compliance with these laws.
By Chanique Rautenbach