POPI Regulations – Update 2017

The draft POPI regulations (also known as POPIA) have been published by the regulator, and people are invited to comment on them by the 7th of November 2017.

The draft POPI regulations consist of 5 pages of regulations and 26 pages of sample forms. These regulations are largely administrative and do not provide much guidance on the interpretation or implementation of POPIA. The responsible party is still accountable for applying the principles of the conditions to its own circumstances.

However, it is useful to take a closer look at the forms to gain an understanding of how the regulator expects you to approach parts of the Act.

What do the POPI Regulations cover?

  1. The way in which a data subject can object to the processing of their information
  2. How a data subject can request the correction or deletion of information
  3. The duties and responsibilities of information officers
  4. How a public or private body (industry, professional or vocational) can apply for a code of conduct
  5. How to request consent for direct marketing by means of unsolicited electronic communications
  6. How to submit a complaint or grievance to the regulator
  7. How the regulator will act as a conciliator during an investigation
  8. What the regulator must do before they investigate the matter
  9. How the regulator will keep the relevant parties informed during the investigation
  10. How assessments can be requested and the process followed by the regulator

Important to Note:

Duties and responsibilities of information officers

Information officers must ensure that:

  1. A compliance framework is developed, implemented and monitored
  2. Adequate measures and standards exist to comply with the Act
  3. Preliminary assessments are conducted
  4. A Promotion of Access to Information Act manual is available on the website and at the office of the responsible party, and is available for viewing during normal business hours
  5. Internal measures are developed to process requests for information and access
  6. Awareness sessions are conducted

Direct Marketing Consent

Form 4 provides information on how to go about getting marketing consent. If you have been getting consent, you will need to ensure that, going forward, your consent is aligned with Form 4, or submit comments to the regulator to get Form 4 changed.

Processing of the health information of a data subject

There is an opportunity to provide input on more detailed rules concerning the processing of a data subject’s health information by:

1. Insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations

  • assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing;
  • the performance of an insurance or medical scheme agreement; or
  • the enforcement of any contractual rights

2. Administrative bodies, pension funds, employers or institutions working for them

  • the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject; or
  • the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity

POPI impacts each and every one of us! Are you ready?