The Protection of Personal Information Bill 2009 (POPI) aims to bring South Africa in line with international data protection laws. Currently in its seventh working draft, it has been forwarded to the Portfolio Committee for final consideration and is widely anticipated to become law within the next six months.

The impact of this legislation will be far-reaching and will significantly affect the way companies collect, store and disseminate personal information.

In this bi-weekly series, members of our Information Law Group provide some insight into the implications of POPI to assist you in your preparations for the new legislative regime*.

This edition focuses on the enforcement powers of the Information Regulator, and in particular the Information Regulator's powers in respect of obtaining warrants for purposes of searching the premises occupied by a responsible party.

The Bill provides for the establishment of the Information Regulator whose primary purpose will be to promote awareness of the rights of data subjects and enforcing the requirements of the Bill.

Some of the key duties and functions of the Information Regulator include:

  • monitoring and enforcing compliance by both public and private bodies with the Act; and
  • receiving, investigating and attempting to resolve complaints about alleged violations or interferences of the protection of personal information of data subjects.

When investigating a complaint, the Information Regulator may, subject to obtaining a warrant issued by a judge of the High Court, a regional magistrate or a magistrate, at any reasonable time, enter and search any premises occupied by a responsible party (the public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information).

A warrant will be granted if the court is satisfied that there are reasonable grounds for suspecting that a responsible party is interfering with the protection of personal information of a data subject, or an offence under the Act has been or is being committed.

The power to search premises is not found in European data protection laws. For example, the UK Information Commissioner has the power to carry out audits, but these audits can only be undertaken with the permission of the data controller. The wide investigative powers that the Information Regulator will have under POPI will be a further motivation for businesses to ensure that they have appropriate policies and procedures in place.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.