POPI held up again
SA is still to announce a commencement date for the Protection of Personal Information (POPI) Act, more than two years after it was signed into law.
The POPI Act was signed into law by president Jacob Zuma in November 2013, and promotes transparency with regard to what information is collected and how it is to be processed. The law also makes South African companies globally competitive in terms of international data exchange laws.
In terms of the Act, Parliament must now appoint an Information Regulator to enforce the new legislation. Parliament is dragging its feet although it has already asked for nominations for the position of the Information Regulator and candidates were nominated by 14 August.
This delay comes at a time when cyber leaks and hacking threats are on the up globally, with SA being no exception.
On 11 November, Parliament held a meeting on the role of the Information Regulator. Now the August House has asked for another workshop to be set up next year for all relevant stakeholders to discuss various things like: Why POPI is important? How will it protect the poor? Who does it protect? The role of the Information Regulator? How does it fit in with the Protection of State Information Act, as well as the Promotion of Access to Information Act?
Michalsons Attorneys says there are answers for all these questions, and "we're not sure why this workshop is necessary".
The law firm says all of these issues were discussed as part of the 10-year-long legislative process of enacting POPI.
"Why is Parliament now reluctant to appoint the Information Regulator? Could it be that government (public bodies) have realised the Information Regulator is an independent body (like the Public Protector and other Chapter 9 institutions) that could hold government responsible for failing to protect the personal information of people that government processes?
"Government bodies (like SARS, home affairs) process lots of personal information of all South African citizens, who require protection and recourse from transgressions in terms of POPI," says Michalsons Attorneys in a statement.
The firm adds that in the absence of other information, it presumes the process to appoint the Information Regulator is on hold until after the workshop next year. "With local government elections next year in May 2016, we anticipate the POPI commencement date will be in the second half of 2016."
Meanwhile, Francis Cronj'e, a corporate governance expert, who is also CEO of InfoSeal and MD of franciscronje.com, believes the delay can be seen as good news for local businesses in their efforts to become compliant.
"Our experience has shown that very few organisations are POPI-ready and are having difficulties implementing the conditions associated with POPI across their business. Additional time could alleviate those concerns," says Cronj'e.
It does, however, not bode well for those persons awaiting better protection of their personal information, and subsequent delays might cause individuals and organisations alike to doubt the importance of one's right to privacy, he points out.
"From a technological perspective, yes, the pace associated with it is vigorous and not a day lapses without some new progress or advances in the field of information technology. These delays would, however, not cause the Act to necessarily become outdated, as POPI is principle-based and therefore outcome-driven, maintaining a neutral stance on technology, focusing on best practice and standards aligned to it."
Cronj'e notes board responsibilities in terms of King III stress the need to protect personal information and also views it as an important business asset.
"This, coupled with persons' constitutional right to privacy, should prevent organisations from taking a lacklustre approach and POPI delays are no excuse from being pro-active in ensuring the protection of all persons' personal information."