In May last year it was announced that the appointment of an Information Regulator was on the cards. This important body has the responsibility of protecting data subjects – people whose information is being processed – from harm and ensuring that their personal information is protected by responsible parties – those seeking the processing of data.

The office of the Information Regulator is established in terms of the Protection of Personal Information (Popi) Act, which serves as South Africa’s data protection act. Popi itself is not yet in force, but the section on the regulator was put into effect through a presidential proclamation in April 2014.

The Information Regulator (IR) will be headed by Advocate Pansy Tlakula as the chairperson, with advocates Lebogang Cordelia Stroom and Johannes Weapond as full-time members, and Prof Tana Pistorius, intellectual property law expert, and practising attorney Sizwe Snail as part-time members. Their five-year appointment, which was approved by President Jacob Zuma, takes effect on 1 December 2016.

The legislation stipulates that the five IR staff members may not be members of Parliament, office-bearers in a political party, or public servants. They must have the appropriate qualifications, expertise and experience for the position, and have no prior convictions.

The appointment process took place in the National Assembly, where a multi-party committee recommended the nominated office bearers on 7 September 2016 before the names were put to the vote. Tlakula, the former Independent Electoral Commission chairperson, received 226 votes in favour of her appointment, with 111 against. There were no abstentions.

Before that the public was invited to nominate candidates, who were shortlisted before the final selection was made.

Independence and power

The IR is an independent body which has jurisdiction throughout South Africa and is accountable to the National Assembly.

Popi was gazetted in November 2013. Chapter 5, part A of the act deals with the IR’s functions and powers. Like the Public Protector, the IR can hold responsible parties accountable for not complying with Popi, and has been granted extensive powers to investigate and fine the culprits.

With access to information becoming easier by the day, Popi is necessary to protect people’s personal information and prevent the potential damage they would suffer from, for instance, identity theft or a violation of their private data. Popi sets out conditions regarding the use of personal information, to ensure that South African institutions collect, process, store and share such information in a responsible manner. It holds them accountable should they abuse or compromise your personal information in any way.

However, Popi also affords a measure of protection for companies or government entities when recruiting, as a refusal to give consent for data processing could raise a red flag in terms of making a decision to appoint that person. This would cut down on instances of CV fraud, which is exposed frequently in South Africa.

Popi keeps your information safe

The purpose of Popi can be gleaned from its name – it safeguards against the unlawful collection, retention, dissemination and use of personal information. In doing so, it protects and promotes the constitutional right to privacy.

However, the act recognises that the right to privacy must be balanced with other important rights and interests, because the Constitution also places great value on access to information. To achieve this balance, Popi sets out requirements for the processing of personal information. It also establishes the office of the Information Regulator, whose powers, functions and duties include:

  • Educating responsible parties on the conditions for lawful processing;
  • Monitoring and enforcing compliance of public and private bodies with Popi;
  • Handling Popi complaints from data subjects;
  • Researching and monitoring developments in information processing and computer technology to minimise adverse effects on the protection of personal information;
  • Informing Parliament when there is a need for legislative, administrative or other action to better protect the personal information of particular persons or groups; and

The IR will hear internal appeals under the Promotion of Access to Information Act, to facilitate swift access to information and to justice by avoiding lengthy (and costly) litigation.

To effectively fulfil these functions, the regulator must act independently and be free from any political interference.

Ensuring that data is processed lawfully

There are three role players referred to in Popi, and these may be natural or juristic persons:

  • The data subject: the person who owns the personal information in question;
  • The responsible party: the person who determines why and how information must be processed. These may be profit or non-profit companies, state agencies, companies, or other people;
  • The operator: a person who processes the personal information on behalf of the responsible party.

Under Popi, responsible parties have to follow the requirements related to the processing of personal information. For instance, they should only use operators that can adhere to the conditions of lawful personal information processing set out in chapter 3 of Popi, and they must also ensure the lawfulness of any processing.

If processing is not undertaken lawfully, the data subject may complain to the IR, which will take action on behalf of the data subject.

For instance, if a company has held your personal information for longer than they have been authorised to, transferred it across a national border, processed a child’s information without the permission of the relevant competent person, or used the information for a purpose other than that which you permitted, you have recourse to the IR. If the responsible party has failed to secure the integrity and confidentiality of personal information in its possession or under its control by failing to take measures against unlawful access or loss of the information, the data subject may lodge a complaint.

As a custodian of private information, Corruption Watch has given extensive thought and consideration to the protection of the reporter data we hold. We have put security measures in place that include SSL-encryption on our online report forms, encryption of whistleblower reports prior to storage in our database, and a firewall for all web traffic to help prevent distributed denial-of-service or brute force attacks. We also have a two-step authentication process for back-end access to our website. These steps indicate compliance with condition 7, security safeguards, laid out in chapter 3 of Popi.