South Africa: The development of codes of conduct under POPIA
The effective date of South Africa’s data privacy law, the Protection of Personal Information Act, 2013 (Act 4 of 2013) (‘POPIA’), is fast approaching, and in anticipation of D-Day (1 July 2021) organisations need to address their compliance requirements to avoid possible penalties. Below is an overview of what codes of conduct are and the benefits of subscribing to a code of conduct, following the Information Regulator’s recent publication of the Guidelines to Develop Codes of Conduct, the Checklist for Submission of Application for Approval of a Proposed Code of Conduct, and the Standard for Making and Dealing with Complaints in a Code of Conduct.
Published guidelines to develop codes of conduct
As one of its mechanisms for enabling compliance, POPIA makes provision for codes of conduct to be issued. Chapter 7 of POPIA sets out the framework for the issuing of codes of conduct, and the Information Regulator (POPIA’s supervisory authority) has, in terms of Section 65 of POPIA, recently published the Guidelines to Develop Codes of Conduct (‘the Guidelines’), which aim, amongst other things, to:
- assist bodies to develop and issue codes of conduct, or to apply for approval of a code of conduct;
- set out a complaints procedure in relation to codes of conduct; and
- provide a process for the review, variation and revocation of an approved code of conduct.
What are codes of conduct?
Codes of conduct are essentially voluntary sector or industry guidelines that seek to apply a unified standard across a particular sector, professional body, or industry, to assist its members in implementing appropriate measures to ensure compliance with the provisions of POPIA.
Who can issue codes of conduct?
Codes of conduct can be issued on the Information Regulator’s own initiative, subject to consultation with affected stakeholders, or through the prescribed application process by a body which the Information Officer believes is sufficiently representative of a class of bodies, or of any industry, profession or vocation.
Notification of intention to develop codes of conduct required
Any relevant body, industry, or sector that intends to develop a code of conduct is required to first notify the Information Regulator of that intention, and the Information Regulator must be kept informed throughout the development of the proposed code of conduct.
Minimum requirements for a code of conduct
The requirements of a code of conduct include:
- the incorporation of all of POPIA’s conditions for the lawful processing of personal information (to this extent a code of conduct does not replace the relevant provisions of POPIA);
- any failure to comply with an issued code is deemed to be a breach of the conditions for the lawful processing of personal information;
- a code of conduct should be limited to provisions which outline the specific obligations of the relevant bodies bound by the code and any mandatory requirements under POPIA; and
- any matters unrelated to the conditions for the lawful processing of personal information should not form part of a code to be approved by the Information Regulator.
Regulator’s notification that codes of conduct have been issued
Upon a code of conduct being issued, the Information Regulator is required to publish a notification to this effect in the Government Gazette, indicating amongst other things that such code has been issued and its effective date.
What are the possible benefits of subscribing to a code of conduct?
Possible benefits of adhering to issued codes of conduct include:
- nurturing and promoting accountability and openness within the particular sector, body, or industry to which the codes are issued;
- assisting members of bodies, sectors, or industries with guidance on how to implement compliance measures pursuant to POPIA’s conditions for lawful processing within their particular industry (i.e. a sector-specific POPIA compliance framework);
- abiding by codes of conduct which have been approved by the Information Regulator is effectively an endorsement of good industry practice when it comes to data protection standards within such body, sector, or industry;
- the potential to build your organisation’s brand and foster trust and confidence with data subjects, including your customers, vendors, suppliers, and personnel, by showing a commitment to safeguard their personal data and uphold their Constitutional right to privacy; and
- assistance in how to approach key data protection implementation areas, bearing in mind the general landscape of processing within such sector, industry, or body (e.g. how to approach breach notifications).
The published Guidelines are effective from 1 March 2021, and sectors, industries, and bodies wanting to develop a set of codes can proceed to draft them and apply for their issue in terms of the process set out in the Guidelines, with due consideration of the provisions of Chapter 7 of POPIA.