With great anticipation since 2013, South Africa's Protection of Personal Information Act (POPIA) is days away from its full commencement on 1 July 2021, or is it?
Information security, privacy, and data protection are the main drivers behind the creation and implementation of POPIA in South Africa. Signed by the South African President on 19 November 2013 and published in the Government Gazette on 26 November 2013, POPIA along with the Cyber Crimes Act which was also signed into law earlier in 2021, is part of South Africa’s plan to monitor, regulate and rein control over Mzansi’s cyberspace.
Information officers registration delays
The Information Regulator (South Africa), is the office mandated to enforce the Act. Accountable to the National Assembly, its powers and functions include issuing codes of conduct for different sectors. Paramount is its compliance enforcement with provisions of the act, towards both public and private entities.
In an unexpected turn of events, eight days before the full commencement of the Act, the Information Regulator kicked the can down the road even further. In a media statement, the regulator cited technical glitches in its IT systems that resulted in the suspension of portal registration of all principal information
officers and deputy information officers.
“The Regulator is currently looking into alternative registration processes and will communicate this in due course. We understand that our portal malfunctioning has caused a lot of anxiety and panic and for that we really do apologise,” said Advocate Pansy Tlakula, Chairperson of the Information Regulator (South Africa).
Information officers carry the burden of liability for any contravention of provisions of the act, requiring compliance from entities. Downtime of its registration portal created enormous panic and havoc, as businesses rushed to make the 1st July deadline. POPIA with no liability officer diminishes the
effectiveness of the Act. In its media statement, it's unclear when an alternative registration process will commence, as cited by the Information Regulator.
Processing of information related to data subjects
In a second blow to full commencement, the regulator further suspended the application of section 57(1)till 1 February 2022. Section 57(1) requires data handlers to obtain prior authorization from the Regulator before processing any information related to data subjects in specific categories.
These categories include:
- Processing data outside scope of consent given by data subject.
- Processing data with intention of linking data of 3rd parties together.
- Processing data on criminal behaviour.
- Processing data for purpose of credit reporting.
It's clear from these recent events, the green light for POPIA will still take time, the time I regard South Africa’s cyberspace does not have. Data breaches are on the sharp rise as internet traffic increases and South Africa’s third covid-19 wave will further accelerate broadband appetite.
The Information Regulator of South Africa must get its act together.
Subscribe to our Daily Brief newsletterShare this via:
Insights and analysis into how business and technology impact Africa. We promise to leave you smarter and asking the right questions every time after you read it. Sent out every Monday to Friday.