The Protection of Personal Information Bill 2009 (POPI) aims to
bring South Africa in line with international data protection laws.
Currently in its seventh working draft, it has been forwarded to
the Portfolio Committee for final consideration and is widely
anticipated to become law within the next six months.
The impact of this legislation will be far-reaching and will
significantly affect the way companies collect, store and
disseminate personal information.
In this bi-weekly series, members of our Information Law Group
provide some insight into the implications of POPI to assist you in
your preparations for the new legislative regime*.
This edition focuses on the enforcement powers of the Information
Regulator, and in particular the Information Regulator's powers
in respect of obtaining warrants for purposes of searching the
premises occupied by a responsible party.
The Bill provides for the establishment of the Information
Regulator whose primary purpose will be to promote awareness of the
rights of data subjects and enforcing the requirements of the
Bill.
Some of the key duties and functions of the Information Regulator
include:
- monitoring and enforcing compliance by both public and private bodies with the Act; and
- receiving, investigating and attempting to resolve complaints about alleged violations or interferences of the protection of personal information of data subjects.
When investigating a complaint, the Information Regulator may,
subject to obtaining a warrant issued by a judge of the High Court,
a regional magistrate or a magistrate, at any reasonable time,
enter and search any premises occupied by a responsible party (the
public or private body or any other person which, alone or in
conjunction with others, determines the purpose of and means for
processing personal information).
A warrant will be granted if the court is satisfied that there are
reasonable grounds for suspecting that a responsible party is
interfering with the protection of personal information of a data
subject, or an offence under the Act has been or is being
committed.
The power to search premises is not found in European data
protection laws. For example, the UK Information Commissioner has
the power to carry out audits, but these audits can only be
undertaken with the permission of the data controller. The wide
investigative powers that the Information Regulator will have under
POPI will be a further motivation for businesses to ensure that
they have appropriate policies and procedures in place.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.