South Africa’s Information Regulator (IR) was established in 2016, as a provision of the Protection of Personal Information Act, or Popi. The IR came into being before Popi was in force, but sections pertaining to the entity were put into effect through a presidential proclamation in April 2014. Popi was signed into law in November 2013 but its full commencement has not yet been announced.

Law firm ENSAfrica has estimated that the commencement date of Popi will be proclaimed between the first week of April 2018 and 1 December 2018.

Meanwhile, the Open Democracy Advice Centre (Odac) has demanded that these delays come to an end. “The Popi Act was passed in 2013 but we are still waiting for the commencement date to be proclaimed by the president. And with the European Union’s general data protection regulations (GDPR) coming into effect on 25 May 2018, Popi can no longer be kept on the back-burner.”

Action needs to be taken, says Odac. It is time for the IR to fulfil its duties to the residents of South Africa and start holding companies and organisations accountable to the Promotion of Access to Information Act (Paia) and the Popi Act.

Jump to the end of this page for Odac’s helpful list of 20 questions all residents should be ready to ask of the IR.

Function of the IR

The IR is intended both to ensure access to personal information and to protect that personal information for all citizens. The IR will thus prevent data subjects – people whose data is being used or examined – from harm, and it can hold to account those responsible for non-compliance.

In an increasingly technology-driven world, concerns around cyber-crime and threats to personal data are only going to grow. Therefore, improving data security, including personal data, and educating people on keeping their data secure or ensuring that is it used responsibly by others, is of paramount importance.

Popi and Paia are two sides of the same coin. Paia provides for the constitutional right of access to information that is held by a private or public body, and is needed by a person or entity for the exercise or protection of any right by the person or entity requesting the information. Paia therefore facilitates transparency in both public and private bodies so that they may be held accountable by those they are meant to serve. And where there is transparency and accountability, corruption cannot thrive.

Popi aims to protect the flow and use of information that should generally not be in the public domain. This includes personal contact details, identity or biometric data, financial information, religious beliefs or affiliations, or residential address, among others.

When will Popi commence?

The five-member IR panel has been appointed, with Advocate Pansy Tlakula as chairperson. She is supported by two permanent and two part-time members. Tlakula has not yet given any hint as to when the rest of Popi will come into effect, but at a briefing held in September 2017 she stated that most of the act will come into force “once the Regulator is fully operationalised”.

In a document held on the IR website, a timetable of activities gives the anticipated date of publication of the final regulations in the Government Gazette as the first week of April 2018 – this after countrywide public consultations were held towards the end of last year.

It is important for residents to understand the function of the IR, and what it can do for them. To this end, Odac has drawn up 20 questions which residents of South Africa want answered by the IR:

  1. How do I find out which companies have access to my personal data?
  2. How do I find out if my personal data has been compromised?
  3. How do I report a company that I think is abusing my personal information?
  4. What rights do I have with regards to protecting my personal data?
  5. Can I ask companies to tell me how much of my personal data they have?
  6. Can I ask businesses to remove my personal data from their systems?
  7. Do I have a right to claim compensation from companies who abuse my personal data?
  8. What rights do I have with regards to getting information about the purposes for which my personal data will be processed?
  9. Do I have the right to restrict or object to the processing of my personal data?
  10. Do I have the right to object the processing of my personal data for direct marketing purposes?
  11. Will the Information Regulator set-up a complaints channel for people to report data violations?
  12. How do citizens know if organisations are Paia and Popi compliant?
  13. How will the Information Regulator ensure that companies communicate transparently with people about the processing of their personal data?
  14. How will the Popi Act be regulated and enforced once it is signed into legislation?
  15. What authorisation process is in place to ensure responsible parties can process personal information?
  16. What is the process for gaining access to information from public and state-owned enterprises?
  17. What are the criteria for requesting access to information from public and state-owned enterprises?
  18. How do we encourage sharing of public information for greater transparency and accountability from public and state-owned enterprises?
  19. What is the process for registering an information officer with the Information Regulator?
  20. How will the Information Regulator enable compliance with other regulatory bodies, for example the GDPR?