by Peter Grealy and Dario Milo from Webber Wentzel
The Information Regulator has published guidance for organisations on applying for exemptions from POPIA and appointing information officers, ahead of the 30 June 2021 deadline for compliance.
In the penultimate week before the Protection of Personal Information Act, 2013 (POPIA) comes into full force and effect, the information regulator has published some important documents. We have unpacked some of the key aspects communicated by the information regulator.
Exemption from POPIA compliance
The information regulator has released a guidance note to assist an organisation that:
- wishes to apply for an exemption from one or more of the eight conditions for lawful processing of personal information; or
- by virtue of the function performed by it, is automatically exempt from some of these conditions.
Note: An exemption does not mean that your organisation is entitled to use personal information freely and without complying with the remainder of POPIA. In either of the above instances, an organisation will only be exempt from complying with some POPIA provisions. An exemption application which has been approved by the information regulator may also have a number of conditions imposed by the regulator.
| | Application for exemption from compliance with the processing conditions | Application for exemption from compliance with the processing conditions | Automatic exemption from certain provisions in POPIA |
| --- | --- | --- | --- |
| Who does this apply to? | Organisations that process personal information which is in the public interest, where such processing outweighs the data subject's right to privacy. This will be assessed by the information regulator on a case-by-case basis. "Public interest" is an action, process or outcome that generally benefits the public at large, not just one person or a few persons. POPIA provides that the public interest includes various scenarios, such as the interests of national security and the prevention, detection and prosecution of offences (amongst others). | Organisations that process personal information which has a clear benefit to the data subject or a third party, where such processing outweighs the data subject or third party's right to privacy. Neither POPIA nor the guidance note contains a definition of "clear benefit". The applicant must explain (i) why its processing of personal information in breach of POPIA benefits a data subject or third party; (ii) the nature of the benefit; and (iii) how it outweighs the privacy rights of a data subject or third party. | Organisations that process personal information to discharge a relevant function. A relevant function means a function of a public body or a function which is given to a person by law to protect members of the public against (i) financial loss in providing financial services or managing bodies corporate; or (ii) improper conduct or incompetence of a person that carries on a profession or other activity. |
| Example | A public body which is tasked with investigating fraud and corruption can apply for an exemption from some POPIA provisions, as the public interest in eradicating fraud and corruption outweighs any privacy rights of the individuals being investigated. | An organisation that processes university students' personal information for the sole purpose of granting bursaries to selected students can apply for an exemption from some POPIA provisions, as the university students benefit financially from their personal information being processed. | A body established under law to regulate the affairs of accountants may be automatically exempt from certain POPIA provisions, when processing is performed to protect the public against dishonesty or malpractice of accountants. |
| How to obtain the exemption | You must submit an application form in the prescribed format to the information regulator. | You must submit an application form in the prescribed format to the information regulator. | No application form is required, but you must document your reasons for being automatically exempt. |
| When does the exemption come into effect? | On publication in the Gazette. | On publication in the Gazette. | Automatically. |
Information officer registration
There is no longer a deadline for registering your organisation's information officer (IO) and deputy information officer (DIO). Due to technical glitches with the registration portal, the information regulator is investigating other "alternative registration processes".
Your organisation will not incur penalties if it does not register an IO or DIO by 30 June 2021. This creates a conundrum, as POPIA automatically assigns the role of IO to the head of a private body such as a company, or to the IO or DIO of a public body in terms of the Promotion of Access to Information Act, 2000. However, POPIA also provides that an IO's duties only commence once he or she has been registered.
The information regulator has clarified that a chief executive officer of an organisation can be the IO for multiple entities. This statement addresses concerns raised by a large number of entities which, for example, wish to appoint one IO for all the members of a group of companies. Until now, the registration portal would not allow the same person's details to be used more than once, resulting in each company in a group having to appoint its own (different) IO.