The effective date for South Africa’s data privacy law, the Protection of Personal Information Act 4 of 2013 (POPIA), is fast approaching, and in anticipation of D-day (1 July 2021) organisations need to address their compliance requirements to avoid possible penalties.
Published guidelines to develop codes of conduct
To enable compliance, POPIA makes provision for codes of conduct to be issued. Chapter 7 of POPIA sets out the framework for issuing codes of conduct, and the Information Regulator (POPIA’s supervisory authority) has, in terms of section 65 of POPIA, recently published a Guideline relating to the development of codes of conduct which aims, amongst other things, to:
- assist bodies to develop and issue codes of conduct or to apply for an approved code of conduct;
- set out a complaints procedure in relation to codes of conduct; and
- provide a process for the review, variation and revocation of an approved code of conduct.
What are codes of conduct?
Codes of conduct are essentially voluntary sector or industry guidelines that seek to apply a unified standard across a particular sector, professional body or industry, to assist its members in implementing appropriate measures to ensure compliance with the provisions of POPIA.
Who can issue codes of conduct?
Codes of conduct can be issued on the Information Regulator’s own initiative, subject to consultation with affected stakeholders, or through the prescribed application process by a body which the Information Officer believes holds sufficient representation of a class of bodies, or of any industry, profession or vocation.
Notification of intention to develop codes of conduct required
Any relevant body, industry or sector that intends to develop a code of conduct is required to first notify the Information Regulator of its intention to do so, and the Information Regulator must be kept informed throughout the development of the proposed code of conduct.
Minimum requirements for a code of conduct
The requirements of a code of conduct include:
- The incorporation of all of POPIA’s conditions for lawful processing of personal information (to this extent, a code of conduct does not replace the relevant provisions of POPIA);
- Any failure to comply with an issued code is deemed to be a breach of the conditions for the lawful processing of personal information;
- A code of conduct should be limited to provisions which outline the specific obligations of relevant bodies bound by a code and any mandatory requirements under POPIA; and
- Any matters unrelated to the conditions for the lawful processing of personal information should not form part of a code to be approved by the Information Regulator.
Regulator’s notification that codes of conduct have been issued
Once a code of conduct has been issued, the Information Regulator is required to publish a notification to this effect in the Government Gazette, indicating, amongst other things, that the code has been issued and its effective date.
What are the possible benefits of subscribing to a code of conduct?
Possible benefits of adhering to issued codes of conduct include:
- Nurturing and promoting accountability and openness within the particular sector, body or industry to which the codes are issued;
- Assisting members of bodies, sectors or industries with guidance on how to implement compliance measures pursuant to POPIA’s conditions for lawful processing within their particular industry (i.e. a sector-specific POPIA compliance framework);
- Abiding by codes of conduct which have been approved by the Information Regulator is effectively an endorsement of good industry practice when it comes to data protection standards within such body, sector or industry;
- Potentially building your organisation’s brand and fostering trust and confidence with data subjects, including your customers, vendors, suppliers and personnel, by showing commitment to safeguard their personal data and uphold their Constitutional right to privacy; and
- Assisting with how to approach key data protection implementation areas, bearing in mind the general landscape of processing within such sector, industry or body (e.g. how to approach breach notifications).
The published Guideline to Develop Codes of Conduct is effective from 1 March 2021. Sectors, industries and bodies wanting to develop a set of codes can proceed to draft them and apply for them to be issued in terms of the required process set out in the Guideline to Develop Codes of Conduct, read together with the provisions of Chapter 7 of POPIA.