The partial commencement of the Protection of Personal Information Act, 2013
On 26 November 2013, the President signed into law the much-anticipated Protection of Personal Information Act, 2013 (POPI Act). However, the commencement date has yet to be proclaimed.
On 11 April 2014, President Zuma proclaimed the commencement date of a limited number of sections in the POPI Act, which include section 1 (definitions), Part A of Chapter 5 (information regulator), section 112 (regulations) and section 113 (procedure for making regulations). The question to be asked when only certain provisions in an act commence is whether there is an impact. Specifically in respect of the POPI Act, the commencement of Part A of Chapter 5 and sections 112 and 113 is indicative of the processes being put in place by government in order to ensure that the anticipated commencement date of the remaining sections is met with the relevant support, in the form of regulations and the establishment of the information regulator.
However, section 1 and its commencement on 11 April 2014 may not be a provision from which we merely gauge government's anticipation of and preparation for the commencement date of the POPI Act. Section 1 may have an immediate and tangible business impact. It contains the definitions that apply to the POPI Act and includes material definitions such as "personal information", "data subject", "operator", "processing" and "responsible party", to mention but a few. As section 1 is now a matter of law, it must follow that these definitions are now the generally accepted definitions, as far as the subject matter covered by those definitions is concerned, and can be adopted on that basis in commercial agreements that cover such subject matter. It is feasible for organisations to engage in processes to align the provisions of current and future commercial agreements with the definitions in section 1 of the POPI Act.
It is commonly accepted, however, that the sections of the POPI Act that did not commence in April 2014, including those that codify the "conditions" in terms of which "personal information" must be "processed" and the consequences of failing to adhere to these conditions, have not yet commenced and are, therefore, unenforceable.
Any endeavour to align current commercial agreements with those provisions of the POPI Act that have not yet commenced would require agreement between the parties and would be enforceable via such agreement only.
Conversely, terms in agreements that seek to exclude or limit the provisions of the POPI Act, which should rightly be applied, will be of no force and effect, even if concluded prior to the commencement date of the POPI Act.
The partial commencement of the POPI Act should be seen as an opportunity to determine the effect it has on one's own organisation, and the preparatory steps required to ensure compliance with the provisions of the POPI Act, on its commencement.
In this regard, there have been calls from various quarters for information technology infrastructure to be upgraded in order to comply with the provisions of the POPI Act. While this is a pivotal aspect in achieving compliance with the POPI Act, it is by no means the initial step that should be taken on the road to compliance, nor is it a step that should be taken in isolation.
A thorough understanding of the POPI Act, the import of the various compliance obligations, the consequences of non-compliance with these obligations and the steps required to achieve compliance should be understood before any key decisions in respect of information technology infrastructure or otherwise are made.
Once the provisions of the POPI Act and the complementary obligations are identified and understood, it is advisable to develop a framework within which compliance with the various facets of the POPI Act will be implemented. Such a framework should be informed by a number of policies and procedures addressing the various aspects such as the "processing", destruction of personal information and data retention, among others. Undertaking any compliance obligations in isolation, such as the upgrading of information technology infrastructure, absent an understanding of the total impact of the POPI Act, may not result in complete compliance with the provisions of the POPI Act.
Compliance with the provisions of the POPI Act has a material impact on policies, procedures, employees, third-party service providers, and systems (of which information technology infrastructure forms a part) within an organisation. A failure to devote sufficient attention to each aspect individually will no doubt lead to compliance gaps.
Given that the POPI Act currently provides a compliance grace period of 12 months from the date of commencement, advice regarding preparation for compliance should be sought.