South Africa’s Information Regulator has called for comments on an amendment to the regulations relating to the protection of personal information.
The draft regulations set out the procedure to follow in certain circumstances contemplated in the Protection of Personal Information Act (POPIA), including how:
- A person may object to the processing of their personal information;
- A person may request the correction, destruction, or deletion of their personal information;
- Businesses may request a person’s consent to process their personal information for unsolicited electronic direct marketing; and
- A person can submit a complaint to the Information Regulator.
Below, legal firm Webber Wentzel outlined some of the key proposals and what they will mean for individuals and businesses.
Objecting to the processing of personal information
The draft regulations have introduced flexibility on how people can object to their personal data being processed, allowing them to do so ‘in any manner that may be expedient’.
“Organisations are required, under the draft regulations, to explicitly tell people about their right to object to the processing their personal information, in a manner that is distinct from other information communicated to those persons. This may require some businesses to revisit their privacy policies,” Webber Wentzel said.
Requesting that personal information be corrected, destroyed, or deleted
The draft regulations provide that if a person requests an organisation to correct, destroy or delete their personal information, the organisation must notify that person of the action taken in 14 days.
“The draft regulations now include a definition that “days” are calendar days. Businesses would be required to ensure that they are able to properly consider and respond to these requests within 14 calendar days,” Webber Wentzel said.
Unsolicited electronic communications
The draft regulations provide some latitude to organisations requesting a person’s consent to process their personal information for direct marketing through unsolicited electronic communication.
“The current POPIA regulations require that written consent be given in a prescribed form attached to the existing regulations.
“However, the draft regulations would permit an organisation to obtain consent using a form substantially similar to Form 4 or ‘in any manner that may be expedient’.
Webber Wentzel said that this development would alleviate some of the administrative burdens for businesses in ensuring compliance with this consent requirement.
Complaints to the Information Regulator
The draft regulations provide a straightforward procedure on how affected parties may submit complaints to the Information Regulator, with clarification on:
- Which parties may submit a complaint;
- The information which must be included in the complaint;
- Where and how to submit a complaint – including how to submit a complaint on behalf of another person
- How to submit a complaint without revealing one’s identity.
Commentary by Peter Grealy, Karl Blom and Nozipho Mngomezulu of law firm Webber Wentzel.