The Protection of Personal Information Act 4 of 2013 (POPI) which was signed into law on 19 November 2013 introduces an overarching regulatory framework for investigative and enforcement procedures to be followed by the Information Regulator where an allegation of a breach of the POPI Act is made. Even though the whole of the POPI Act is not in effect as yet, it is important to note how it will be enforced by the already appointed Information Regulator, once the rest of the POPI Act comes into effect.
The investigative procedure is started when any person (it does not have to be the person directly affected by the information breach and can be a competitor of the business) submit a complaint to the Information Regulator in writing alleging non-compliance with the POPI Act or an approved code of conduct (codes of conduct are yet to be established by the Regulator). The Regulator may also on own initiative institute an investigation into the interference with the protection of personal information of a person.
In terms of Section 76 of the POPI Act the Information Regulator has the following options once a complaint is received:
- Conduct a pre-investigation – this would be in minor cases where the complaint might prove to be frivolous, vexatious or could be easily settled.
- Conduct a full investigation – this would be used in more serious matters where it is clear that the complaint might not be easily settled.
- Act as a conciliator.
- Decide not to take any action – The complainant must be informed of the reasons why and has 180 days from receiving the notice to lodge an appeal with the appropriate High Court.
- Refer the complaint to the Enforcement Committee – A committee appointed by the Regulator consisting of at least 1 member of the Information Regulator and at least 1 experienced advocate or attorney.
- Take any further actions it deems necessary in terms of the POPI Act.
Should the Information Regulator decide to conduct a full investigation, it will be afforded the following powers under Section 81 of the POPI Act:
- A person can be summoned to appear before it and can be compelled to give evidence under oath and to produce records relating to the investigation.
- It can enter and search a premise of the business at a reasonable time – subject to obtaining a warrant in terms of Section 82 of the POPI Act.
- It can conduct a private interview with any person found on the premises of the business during the search conducted in terms of the above warrant.
- It can receive and accept evidence on oath, affidavit or in any other format, even if such evidence would normally not have been admissible in a court of law.
Further to the above the Information Regulator, in order to assess whether the business is POPI compliant, may also issue an Information Notice to the business requiring it to provide the Regulator with information relating to its processing activities. The business has the right to appeal such a notice to the High Court within 30 days of receiving it.
Once the Regulator is satisfied that a business has interfered with the lawful processing of a person’s personal information, it may issue an Enforcement Notice requiring the business to:
- Take specific steps within a specific period.
- To stop processing particular Personal Information which will be specified in the notice.
- To stop processing Personal Information for a specific purpose.
- To stop processing Personal Information in a specific manner.
It is important for the business to note that the Enforcement Notice must contain the following:
- It must state the nature of interference by the business with a persons’ lawful protection of Personal Information.
- State the reasons for coming to such a conclusion.
- It can demand the business to take certain action (as stated above in what would be required from the business) within a period which may not be less than 30 days.
- Should the Information Regulator deem it to be a matter of urgency for the business to take certain required action, it may require compliance after 3 days.
As with the Information Notice, the business will also be afforded the right to appeal an Enforcement Notice to the High Court within 30 days of receiving it.
ABOUT THE AUTHOR
Marike Brand obtained her LLB from the University of Stellenbosch and thereafter practised for 3 years as an admitted attorney in commercial civil litigation. She is currently a SEESA Consumer Protection & POPI Legal Advisor at our Cape Town branch.