Industry awaits controversial Tlakula to stir POPI
The effective date for the Protection of Personal Information (POPI) Act could be before the end of this year, following the recommendation of Pansy Tlakula as chairperson of the newly-formed information regulator.
The industry has welcomed the much-delayed recommendation of Tlakula, as POPI will enable SA to be globally competitive on privacy matters and international data exchange laws.
POPI was signed by the president on 19 November 2013 and published in the Government Gazette on the 26 November 2013. On 10 May 2016, the Portfolio Committee on Justice and Correctional Services shortlisted five candidates for the office of information regulator.
The National Assembly recommended the appointment of the office bearers on 7 September 2016. As part of the process, Parliament invited everyone to nominate people and shortlisted candidates for Parliament to appoint as members of the information regulator. The office of the information regulator will be made up of advocate Tlakula as chairperson, advocate Cordelia Stroom and Johannes Weapond as full-time members, and professor Tana Pistorius and Sizwe Snail as part-time members.
POPI gives the information regulator teeth - it has extensive powers to investigate and fine responsible parties, says law firm Michalsons. Data subjects will be able to complain to the information regulator and it will be able to take action on behalf of data subjects, it adds. The information regulator reports to Parliament and is the South African equivalent of the information commissioner in the UK.
The sections of POPI that relate to the information regulator have already commenced and Treasury has also budgeted for it.
However, Tlakula has had her fair share of controversies. In 2013, public protector Thuli Madonsela released a report in which she claimed the then IEC chairperson and her executive committee had committed gross maladministration with the procurement of new headquarters in Centurion.
She found that Tlakula wasted R6 million on fixtures and furniture for the new building, that the procurement process for the new building was irregular, and that Tlakula had a conflict of interest with the chairman of the company that was part of the consortium that got the bid.
"The only thing that I have a problem with is the fact that advocate Tlakula's notion of conflict of interest has impaired which then means that she is not as ethical that I personally would like her to be," Madonsela said.
Tlakula resigned from the IEC in 2014.
Francis Cronj'e, an information governance expert and MD of franciscronje.com, says Tlakula's experience at the IEC will be beneficial to POPI from an administrative point of view as well as in fast-tracking the setting up of the regulator's office and eventual implementation of the law. This will be achieved if she follows a strict adherence to relevant administrative legislation.
"It is important that the position is filled by someone with her experience from an administrative perspective." says Cronj'e. "Effective administrative oversight will be key in ensuring the regulatory functions of the information regulator is fulfilled together with the other four members which could be strengthened by additional assistance from other recognised experts in the field of POPI and PAIA."
Law firm Michalsons says Thakula should be given the opportunity to see what she can achieve as the chairperson of the information regulator.
"The information regulator essentially has to protect data subjects against harm and ensure their personal information is protected by responsible parties. Similar to the public protector, the information regulator can hold responsible parties accountable for not complying with POPI," the firm says.
ICT veteran Adrian Schofield is sure Tlakula is capable of filling the role of chairperson of the regulator more than adequately. "I hope that the confirmation of her appointment and of her fellow members is completed speedily, as this facet of implementing the legislation has been delayed for too long."
He points out that as soon as the regulator is operational, responsible entities that are obliged to do so will have to obtain authorisation for processing personal information. "Every entity's information officer will have to register with the regulator. This is the other side of the PAIA coin - the Promotion of Access to Information Act required every entity to have an information officer to whom persons could apply to have access to information. That officer will now have to register with the information regulator - and presumably accept responsibility for compliance with POPI as well as PAIA.
"Getting all that up to speed will obviously take some time but entities that process personal information must ensure their procedures are compliant immediately, if they are to avoid the risk of prosecution," says Schofield.
Xperien CEO Wale Arewa is excited by the recommendation. He says it impacts both the consumer and the economy positively. "It will force companies to change their processes to ensure the personal information and data they collect is protected.
"The small guy whose rights have been violated by a data breach will now have recourse to take on corporate companies. This was previously unthinkable, considering the cost implications of putting together a case for high court litigation. Many aggrieved consumers have resigned to the bully tactics of cavalier corporate companies," he explains.
The new regulations will make it easier and less risky for multinationals to do business in SA, says Arewa. He adds that many have resisted doing business due to a lack of data protection laws, that could leave them exposed to a data breach and its dire consequences.