Supervision & Oversight

POPIA > CHAPTER 5 > Supervision (Sections 39 – 56)

POPIA > CHAPTER 5 > SECTION 39 > Establishment of Information Regulator
  1. There is hereby established a juristic person to be known as the Information Regulator, which—
    1. has jurisdiction throughout the Republic;
    2. is independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favour or prejudice;
    3. must exercise its powers and perform its functions in accordance with this Act and the Promotion of Access to Information Act; and
    4. is accountable to the National Assembly.
POPIA > CHAPTER 5 > SECTION 40 > Powers, duties and functions of Regulator
  1. The powers, duties and functions of the Regulator in terms of this Act are—
    1. to provide education by—
      1. promoting an understanding and acceptance of the conditions for the lawful processing of personal information and of the objects of those conditions;
      2. undertaking educational programmes, for the purpose of promoting the protection of personal information, on the Regulator’s own behalf or in co-operation with other persons or authorities acting on behalf of the Regulator;
      3. making public statements in relation to any matter affecting the protection of the personal information of a data subject or of any class of data subjects;
      4. giving advice to data subjects in the exercise of their rights; and
      5. providing advice, upon request or on its own initiative, to a Minister or a public or private body on their obligations under the provisions, and generally on any matter relevant to the operation, of this Act;
    2. to monitor and enforce compliance by—
      1. public and private bodies with the provisions of this Act;
      2. undertaking research into, and monitoring developments in, information processing and computer technology to ensure that any adverse effects of such developments on the protection of the personal information of data subjects are minimised, and reporting to the Minister the results of such research and monitoring;
      3. examining any proposed legislation, including subordinate legislation, or proposed policy of the Government that the Regulator considers may affect the protection of the personal information of data subjects, and reporting to the Minister the results of that examination;
      4. reporting upon request or on its own accord, to Parliament from time to time on any policy matter affecting the protection of the personal information of a data subject, including the need for, or desirability of, taking legislative, administrative, or other action to give protection or better protection to the personal information of a data subject;
      5. submitting a report to Parliament, within five months of the end of its financial year, on all its activities in terms of this Act during that financial year;
      6. conducting a POPI Compliance assessment, on its own initiative or when requested to do so, of a public or private body, in respect of the processing of personal information by that body for the purpose of ascertaining whether or not the information is processed according to the conditions for the lawful processing of personal information;
      7. monitoring the use of unique identifiers of data subjects, and reporting to Parliament from time to time on the results of that monitoring, including any recommendation relating to the need of, or desirability of taking, legislative, administrative, or other action to give protection, or better protection, to the personal information of a data subject;
      8. maintaining, publishing and making available and providing copies of such registers as are prescribed in this Act; and
      9. examining any proposed legislation that makes provision for the—
        1. collection of personal information by any public or private body; or
        2. disclosure of personal information by one public or private body to any other public or private body, or both, to have particular regard, in the course of that examination, to the matters set out in section 44(2), in any case where the Regulator considers that the information might be used for the purposes of an information matching programme,
         and reporting to the Minister and Parliament the results of that examination;
    3. to consult with interested parties by—
      1. receiving and inviting representations from members of the public on any matter affecting the personal information of a data subject;
      2. co-operating on a national and international basis with other persons and bodies concerned with the protection of personal information; and
      3. acting as mediator between opposing parties on any matter that concerns the need for, or the desirability of, action by a responsible party in the interests of the protection of the personal information of a data subject;
    4. to handle complaints by—
      1. receiving and investigating complaints about alleged violations of the protection of personal information of data subjects and reporting to complainants in respect of such complaints;
      2. gathering such information as in the Regulator’s opinion will assist the Regulator in discharging the duties and carrying out the Regulator’s functions under this Act;
      3. attempting to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation; and
      4. serving any notices in terms of this Act and further promoting the resolution of disputes in accordance with the prescripts of this Act;
    5. to conduct research and to report to Parliament—
      1. from time to time on the desirability of the acceptance, by South Africa, of any international instrument relating to the protection of the personal information of a data subject; and
      2. on any other matter, including necessary legislative amendments, relating to protection of personal information that, in the Regulator’s opinion, should be drawn to Parliament’s attention;
    6. in respect of codes of conduct to—
      1. issue, from time to time, codes of conduct, amend codes and to revoke codes of conduct;
      2. make guidelines to assist bodies to develop codes of conduct or to apply codes of conduct; and
      3. consider afresh, upon application, determinations by adjudicators under approved codes of conduct;
    7. to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation; and
    8. in general to—
      1. do anything incidental or conducive to the performance of any of the preceding functions;
      2. exercise and perform such other functions, powers, and duties as are conferred or imposed on the Regulator by or under this Act or any other legislation;
      3. require the responsible party to disclose to any person affected by a compromise to the integrity or confidentiality of personal information, such compromise in accordance with section 22; and
      4. exercise the powers conferred upon the Regulator by this Act in matters relating to the access of information as provided by the Promotion of Access to Information Act.
  2. The Regulator may, from time to time, in the public interest or in the legitimate interests of any person or body of persons, publish reports relating generally to the exercise of the Regulator’s functions under this Act or to any case or cases investigated by the Regulator, whether or not the matters to be dealt with in any such report have been the subject of a report to the Minister.
  3. The provisions of sections 3 and 4 of the Commissions Act, 1947 (Act No. 8 of 1947), will apply, with the necessary changes, to the Regulator.
  4. The powers and duties of the Regulator in terms of the Promotion of Access to Information Act are set out in Parts 4 and 5 of that Act.
POPIA > CHAPTER 5 > SECTION 41 > Appointment, term of office and removal of members of Regulator
  1. Regulator
    1. The Regulator consists of the following members:
      1. A Chairperson; and
      2. four other persons, as ordinary members of the Regulator.
    2. Members of the Regulator must be appropriately qualified, fit and proper persons—
      1. at least one of whom must be appointed on account of experience as a practising advocate or attorney or a professor of law at a university; and
      2. the remainder of whom must be appointed on account of any other qualifications, expertise and experience relating to the objects of the Regulator.
    3. The Chairperson of the Regulator must be appointed in a full-time capacity and may, subject to subsection (4), not perform or undertake to perform any other remunerative work during the period in which he or she holds office as Chairperson.
    4. The ordinary members of the Regulator must be appointed as follows:
      1. Two ordinary members in a full-time capacity; and
      2. two ordinary members in a full-time or part-time capacity.
    5. The members referred to in paragraph (d) who are appointed in a full-time capacity, may, subject to subsection (4), not perform or undertake to perform any other remunerative work during the period in which they hold office.
    6. The Chairperson must direct the work of the Regulator and the staff of the Regulator.
    7. A person may not be appointed as a member of the Regulator if he or she—
      1. is not a citizen of the Republic;
      2. is a public servant;
      3. is a member of Parliament, any provincial legislature or any municipal council;
      4. is an office-bearer or employee of any political party;
      5. is an unrehabilitated insolvent;
      6. has been declared by a court to be mentally ill or unfit; or
      7. has at any time been convicted, whether in the Republic or elsewhere, of any offence involving dishonesty.
  2. Chairperson
    1. The Chairperson and the members of the Regulator referred to in subsection (1)(a) must be appointed by the President on the recommendation of the National Assembly, which recommendation must also indicate which ordinary members must be appointed in a full-time or part-time capacity.
    2. The National Assembly must recommend persons—
      1. nominated by a committee of the Assembly composed of members of parties represented in the Assembly; and
      2. approved by the Assembly by a resolution adopted with a supporting vote of a majority of the members of the Assembly.
  3. The members of the Regulator will be appointed for a period of not more than five years and will, at the expiration of such period, be eligible for reappointment.
  4. The Chairperson of the Regulator or a member who has been appointed in a full-time capacity may, notwithstanding the provisions of subsection (1)(c) or (e), only perform or undertake to perform any other remunerative work during the period that he or she holds office as Chairperson or member with the prior written consent of the Minister.
  5. A person appointed as a member of the Regulator may, upon written notice to the President, resign from office.
    1. A member may be removed from office only on—
      1. the ground of misconduct, incapacity or incompetence;
      2. a finding to that effect by a committee of the National Assembly; and
      3. the adoption by the National Assembly of a resolution calling for that person’s removal from office.
    2. A resolution of the National Assembly concerning the removal from office of a member of the Regulator must be adopted with a supporting vote of a majority of the members of the Assembly.
    3. The President—
      1. may suspend a member from office at any time after the start of the proceedings of a committee of the National Assembly for the removal of that member; and
      2. must remove a member from office upon adoption by the Assembly of the resolution calling for that member’s removal.
POPIA > CHAPTER 5 > SECTION 42 > Vacancies
  1. A vacancy in the Regulator occurs if a member—
    1. becomes subject to a disqualification referred to in section 41(1)(g);
    2. tenders his or her resignation as contemplated in section 41(5) and the resignation takes effect;
    3. is removed from office in terms of section 41(6);
    4. dies; or
    5. becomes permanently incapable of doing his or her work.
  2. Vacancies
    1. Where a vacancy has arisen as contemplated in subsection (1), the procedure contemplated in section 41(2) applies.
    2. Any member appointed under this subsection holds office for the rest of the period of the predecessor’s term of office, unless the President, upon recommendation by the National Assembly, appoints that member for a longer period which may not exceed five years.
POPIA > CHAPTER 5 > SECTION 43 > Powers, duties and functions of Chairperson and other members
  1. The Chairperson—
    1. must exercise the powers and perform the duties and functions conferred on or assigned to him or her by the Regulator in terms of this Act and the Promotion of Access to Information Act; and
    2. is, for the purposes of exercising the powers and performing the duties and functions conferred on or assigned to him or her by the Regulator in terms of this Act and the Promotion of Access to Information Act, accountable to the Regulator.
  2. The members referred to in section 41(1)(d)(i) must exercise their powers and perform their duties and functions as follows:
    1. One member in terms of this Act; and
    2. one member in terms of the Promotion of Access to Information Act.
  3. The members referred to in section 41(1)(d)(ii) must exercise their powers and perform their duties and functions either in terms of this Act or the Promotion of Access to Information Act, or both.
  4. The members, referred to in paragraphs (a) and (b), are, for the purposes of exercising their powers and performing their duties and functions, accountable to the Chairperson.
POPIA > CHAPTER 5 > SECTION 44 > Regulator to have regard to certain matters
  1. In the performance of its functions, and the exercise of its powers, under this Act the Regulator must—
    1. have due regard to the conditions for the lawful processing of personal information as referred to in Chapter 3;
    2. have due regard for the protection of all human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the legitimate interests of public and private bodies in achieving their objectives in an efficient way;
    3. take account of international obligations accepted by South Africa; and
    4. consider any developing general international guidelines relevant to the better protection of individual privacy.
  2. In performing its functions in terms of section 40 (1)(b)(ix)(bb) with regard to information matching programmes, the Regulator must have particular regard to whether or not the—
    1. objective of the programme relates to a matter of significant public importance;
    2. use of the programme to achieve that objective will result in monetary savings that are both significant and quantifiable or in other comparable benefits to society;
    3. use of an alternative means of achieving that objective would give either of the results referred to in paragraph (b);
    4. public interest in allowing the programme to proceed outweighs the public interest in adhering to the conditions for the lawful processing of personal information that the programme would otherwise contravene; and
    5. programme involves information matching on a scale that is excessive, having regard to—
      1. the number of responsible parties or operators that will be involved in the programme; and
      2. the amount of detail about a data subject that will be matched under the programme.
  3. In determining whether the processing of personal information for exclusively journalistic purposes by a responsible party who is, by virtue of office, employment or profession, not subject to a code of ethics as referred to in section 7(1), constitutes an interference with the protection of the personal information of the data subject in terms of section 73, the Regulator must have particular regard to the factors referred to in section 7(3)(a) to (d).
POPIA > CHAPTER 5 > SECTION 45 > Conflict of Interest
  1. If any member of the Regulator or any person appointed by the Regulator in terms of this Act has a material interest in any matter which could conflict with the proper performance of his or her duties in terms of this Act or the Promotion of Access to Information Act, he or she must disclose that interest, as prescribed, as soon as practicable after the relevant facts came to his or her knowledge.
    1. If a member of the Regulator or person referred to in subsection (1)—
      1. is present at a meeting of the Regulator or committee referred to in section 49 or 50 at which a matter contemplated in that subsection is to be considered, the member or person concerned must disclose the nature of his or her interest to the meeting before the matter is considered; or
      2. fails to make a disclosure as required by this subsection and is present at a meeting of the Regulator or committee, as the case may be, or in any other manner participates in the proceedings, such proceedings in relation to the relevant matter must, as soon as the non-disclosure is discovered, be reviewed and be varied or set aside by the Regulator or the committee, as the case may be, without the participation of the member or person concerned.
    2. A member of the Regulator or person referred to in subsection (1) who is obliged to make a disclosure in terms of this subsection may not be present during any deliberation, or take part in any decision, in relation to the matter in question.
    3. Any disclosure made in terms of this subsection must be noted in the minutes of the relevant meeting of the Regulator or committee.
  2. A member of the Regulator or person referred to in subsection (1) who has disclosed a conflict of interest in terms of subsection (1)—
    1. may perform all duties relating to the matter in question if a decision has been taken that the interest is trivial or irrelevant; or
    2. must be relieved of all duties relating to the matter in question and such duties must be performed by another member of the Regulator or by another person referred to in subsection (1), as the case may be, who has no such conflict of interest.
POPIA > CHAPTER 5 > SECTION 46 > Remuneration, allowances, benefits and privileges of members
  1. A member of the Regulator or a person referred to in section 49(1)(b) or 50(1)(b) who is not subject to the provisions of the Public Service Act, 1994 (Proclamation No. 103 of 1994), or who is not a judge of the High Court of South Africa or a magistrate will be entitled to such remuneration, allowances, including allowances for reimbursement of travelling and subsistence expenses incurred by him or her in the performance of his or her functions under this Act and the Promotion of Access to Information Act, benefits and privileges as the Minister in consultation with the Minister of Finance may determine.
  2. The remuneration, allowances, benefits or privileges of different members of the Regulator may differ according to the different
    1. positions held by them in the Regulator; or
    2. functions performed, whether in a part-time or full-time capacity, by them from time to time.
POPIA > CHAPTER 5 > SECTION 47 > Staff
  1. The Regulator must establish its own administration to assist it in the performance of its functions and to this end the Regulator must appoint, or secure the secondment in terms of subsection (6) of—
    1. a suitably qualified and experienced person as chief executive officer of the Regulator for the purpose of assisting the Regulator, subject to the Regulator’s direction and supervision, in the performance of all financial and administrative functions in terms of this Act and the Promotion of Access to Information Act, work arising from the administration of this Act and the Promotion of Access to Information Act and to exercise any power delegated by the Regulator to him or her; and
    2. such other member of staff as the Regulator may deem necessary to assist the Regulator and the chief executive officer, as the case may be, with all such work as may arise through the performance of its functions.
    1. The chief executive officer may appoint a senior member of staff as acting chief executive officer to perform the functions of the chief executive officer in his or her absence.
    2. A member of the Regulator may not be appointed as acting chief executive officer.
    3. In the event that a vacancy occurs in the office of the chief executive officer the Regulator must appoint an acting chief executive officer.
  2. The Regulator must, in the appointment of the staff of the Regulator—
    1. provide for the advancement of persons disadvantaged by unfair discrimination, with the aim that its staff, when viewed collectively, represents a broad cross-section of the population of the Republic; and
    2. subject to paragraph (a), apply equal opportunity employment practices.
  3. The Regulator may pay to the persons in its employ such remuneration and allowances and provide them with such pension and other employment benefits as are consistent with that paid in the public sector.
  4. In exercising its powers in terms of subsections (1) and (4), the Regulator must consult with the Minister of Finance.
  5. The Regulator may, in the performance of the functions contemplated in subsection (1), at its request, be assisted by officials in the Public Service seconded to the service of the Regulator in terms of any law regulating such secondment: Provided that the secondment of an official to the service of the Regulator may not exceed 12 months and that the initial period of secondment may only be extended once for a subsequent period not exceeding 12 months.
  6. The Regulator may, in consultation with the Minister of Finance, on a temporary basis or for a particular matter which is being investigated by it, employ any person with special knowledge of any matter relating to the work of the Regulator, or obtain the co-operation of any body, to advise or assist the Regulator in the performance of its functions under this Act and the Promotion of Access to Information Act, and fix the remuneration, including reimbursement for travelling, subsistence and other expenses, of such person or body.
POPIA > CHAPTER 5 > SECTION 48 > Powers, duties and functions of CEO

The chief executive officer—

  1. is the head of administration and the accounting officer, as referred to in section 52(3), of the Regulator;
  2. may appoint a senior member of staff as acting chief executive officer as referred to in section 47(2);
  3. is responsible for the—
    1. management of the affairs and operations of the Regulator;
    2. formation and development of an efficient administration;
    3. organisation and management of, and administrative control over, all the members of staff appointed in terms of section 47(1)(b) and all the persons seconded in terms of section 47(6);
    4. maintenance of discipline in respect of the members of staff; and
    5. execution of the decisions of the Regulator,
     and is for those purposes accountable to the Regulator and must report thereon to the Regulator as often as may be required by the Regulator; and
  4. must exercise the powers and perform the duties and functions which the Regulator may from time to time confer upon or assign to him or her in order to achieve the objects of the Regulator, and is for those purposes accountable to the Regulator.
POPIA > CHAPTER 5 > SECTION 49 > Committees of Regulator
  1. The Regulator may, if it considers it necessary for the proper performance of its functions establish one or more committees, which must consist of—
    1. such members of the Regulator as the Regulator may designate; or
    2. such members of the Regulator as the Regulator may designate and other persons appointed by the Regulator, as referred to in section 47(7), for the period determined by the Regulator.
  2. The Regulator may at any time extend the period of an appointment referred to in subsection (1)(b) or, if in its opinion good reasons exist therefor, revoke any such appointment.
  3. The Regulator must designate the chairperson and, if the Regulator deems it necessary, the vice-chairperson of a committee established under subsection (1).
    1. A committee referred to in subsection (1) must, subject to the directions of the Regulator, perform those functions of the Regulator assigned to it by the Regulator.
    2. Any function so performed by a committee referred to in subsection (1) will be deemed to have been performed by the Regulator.
  4. The Regulator may at any time dissolve any committee established by the Regulator.
  5. The provisions of sections 40(4) and 51 will apply, with the necessary changes, to a committee of the Regulator.
POPIA > CHAPTER 5 > SECTION 50 > Establishment of Enforcement Committee
  1. The Regulator must establish an Enforcement Committee which must consist of—
    1. at least one member of the Regulator; and
    2. such other persons appointed by the Regulator, as referred to in section 47(7), for the period determined by the Regulator.
  2. The Regulator must—
    1. in consultation with the Chief Justice and Minister, appoint a—
      1. judge of the High Court of South Africa, whether in active service or not; or
      2. magistrate with at least 10 years’ appropriate experience, whether in active service or not; or
    2. appoint an advocate or attorney with at least 10 years’ appropriate experience, as Chairperson of the Enforcement Committee.
  3. The Chairperson of the Enforcement Committee must manage the work of and preside at hearings of the Enforcement Committee.
    1. A member referred to in subsection (1)(a) may not participate in any proceedings of the Regulator in terms of which a decision is taken with regard to a recommendation by the Enforcement Committee as referred to in section 93.
    2. A person referred to in subsection (1)(b) must be a fit and proper person and must comply with the criteria, referred to in section 41(1)(g), for appointment as a member of the Regulator.
POPIA > CHAPTER 5 > SECTION 51 > Meetings of Regulator
  1. Meetings of the Regulator must be held at the times and places determined by the Chairperson of the Regulator.
  2. Three members of the Regulator constitute a quorum for a meeting.
    1. The Chairperson may regulate the proceedings at meetings as he or she may think fit and must keep minutes of the proceedings.
    2. If the Chairperson is absent from a meeting the members present shall elect one of their number to preside at that meeting.
    1. Subject to subsection (2), a decision of the Regulator is taken by resolution agreed to by the majority of members at any meeting of the Regulator.
    2. In the event of an equality of votes regarding any matter the Chairperson has a casting vote in addition to his or her deliberative vote.
POPIA > CHAPTER 5 > SECTION 52 > Funds
  1. Funds of the Regulator consist of—
    1. such sums of money that Parliament appropriates annually, for the use of the Regulator as may be necessary for the proper exercise, performance and discharge, by the Regulator, of its powers, duties and functions under this Act and the Promotion of Access to Information Act; and
    2. fees as may be prescribed in terms of section 111(1).
  2. The financial year of the Regulator is the period from 1 April in any year to 31 March in the following year, except that the first financial year of the Regulator begins on the date that this Chapter comes into operation, and ends on 31 March next following that date.
  3. The chief executive officer of the Regulator is for purposes of the Public Finance Management Act, 1999 (Act No. 1 of 1999), the accounting officer and must execute his or her duties in accordance with that Act.
  4. Within six months after the end of each financial year, the Regulator must prepare financial statements in accordance with established accounting practice, principles and procedures, comprising—
    1. a statement reflecting, with suitable and sufficient particulars, the income and expenditure of the Regulator during the preceding financial year; and
    2. a balance sheet showing the state of its assets, liabilities and financial position as at the end of that financial year.
  5. The Auditor-General must audit the Regulator’s financial records each year.
POPIA > CHAPTER 5 > SECTION 53 > Protection of Regulator

Any person acting on behalf or under the direction of the Regulator, is not civilly or criminally liable for anything done in good faith in the exercise or performance or purported exercise or performance of any power, duty or function of the Regulator in terms of this Act or the Promotion of Access to Information Act.

POPIA > CHAPTER 5 > SECTION 54 > Duty of confidentiality

A person acting on behalf or under the direction of the Regulator, must, both during or after his or her term of office or employment, treat as confidential the personal information which comes to his or her knowledge in the course of the performance of his or her official duties, except if the communication of such information is required by law or in the proper performance of his or her duties.

POPIA > CHAPTER 5 > SECTION 55 > Duties and responsibilities of Information Officer
  1. An information officer’s responsibilities include—
    1. the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
    2. dealing with requests made to the body pursuant to this Act;
    3. working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
    4. otherwise ensuring compliance by the body with the provisions of this Act; and
    5. as may be prescribed.
  2. Officers must take up their duties in terms of this Act only after the responsible party has registered them with the Regulator.
POPIA > CHAPTER 5 > SECTION 56 > Designation and delegation of deputy information officers

Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of—

  1. such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and
  2. any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.