A year after the Information Regulator’s enforcement powers came into effect on 1 July 2021, it has finally established an enforcement committee to take on matters related to the Protection of Personal Information Act (Popia) and the Promotion of Access to Information Act (Paia).
That’s bad news for private and public entities accused of being sloppy with personal information or that have failed to comply with Paia applications.
Based on the global data privacy standard, the European Union’s General Data Protection Regulation, Popia protects the right to privacy, as set out in Section 14 of the Constitution, by holding every company, public entity and organisation accountable for how they collect, store, process and use data.
Paia upholds the constitutionally guaranteed right to access information. Section 32(1) of the Bill of Rights provides for the right of access to information held by the state, and to any information held by another person that is required for the exercise or protection of any rights.
Popia requires every responsible party (i.e. the person accountable for the processing of personal information within a public body or organisation, ultimately the CEO, municipal manager or director-general) to appoint and register an information officer with the Information Regulator.
Paia, meanwhile, holds those information officers responsible for providing access to personal information, while Popia obliges them to comply with data processing. The latter also requires information officers to ensure compliance with Popia and to assist the regulator with investigations.
The two pieces of legislation, therefore, balance the right to privacy with the right to access to information.
The Enforcement Committee, which will be chaired by advocate Helen Fourie SC, with Simonè Margadie as the alternative chairperson, comprises 14 independent members with expertise in law, information security, education, finance, accounting, auditing, actuarial science, forensics and criminal investigations.
It will make findings on Paia and Popia complaints and make recommendations to the Regulator.
During the induction of the committee on 22 July 2022, Information Regulator advocate Pansy Tlakula hailed the inauguration as a “historic moment” for the body because, for the first time since its establishment in 2016, it can now enforce its powers and “provide an effective remedy to the complainants whose right to privacy and the right of access to information have been infringed”.
In a statement, the regulator called the establishment of the Enforcement Committee a “shot in the arm” for the body’s efforts to deal with the increasing volume of complaints about the processing of personal information or the denial of access to information by responsible parties (i.e. public or private entities).
“In the twelve months since the enforcement powers of the regulator came into force, 150 access to information complaints and 544 protection of personal information complaints have been submitted to the regulator. The Enforcement Committee will play a critical role in resolving some of these cases if they are not resolved at the earlier phases of the case management processes, such as the pre-investigation, investigation and mediation phases.”
Tlakula told Business Maverick that the regulator’s investigators can either conduct investigations based on complaints or initiate their own investigations. Once those are completed, they submit their reports to the Enforcement Committee, which will make a finding and possibly recommend a sanction, for an action to be taken or to be stopped. The members will then issue an enforcement notice. “What that means is that we are now fully fledged and can implement our powers,” Tlakula said.
The regulator has just completed its own investigation into municipalities and metros’ Paia manuals, which explain how the public can access records held by the body. Paia manuals have been compulsory since 1 January 2022. The findings of that investigation will be revealed next month, when the first enforcement notices are likely to be issued.
“We’ve decided to present these reports to the Enforcement Committee, which will determine if the specific municipalities or metros are compliant.”
If the committee determines that they are not, they will be bound to comply. “We could just as well have gone to the municipality and said, your Paia manual does not comply, please fix it. But if they don’t fix it, we’d have no recourse, whereas when we go to the Enforcement Committee and we present that report, it will give a recommendation that it must be remedied within a specific period.”
Failure to comply with an enforcement notice is a criminal offence and the Information Regulator does not have an appeal process — the only recourse is through the courts.
“Say there’s a data breach: If we decide to do our own assessment and find that the company or government body did not have adequate security measures in place to protect the personal information in their possession, and they fail to provide the requested information, we can issue an information notice that they comply. If they don’t, we can then submit that matter to the Enforcement Committee, which will issue a final recommendation that is a binding finding on action to be taken.”
Tlakula said that previously, while Paia still fell under the South African Human Rights Commission, requests for access to information were often ignored, forcing the lodger to go to court. Now, the Enforcement Committee decides.
“An infringement notice can lead to prosecution criminally or to payment of an administrative fine. If you want to challenge either the enforcement or the infringement notice, you have to go to court.”
On the TransUnion breach, which left 54 million South Africans exposed in March 2022, Tlakula said the regulator was conducting its own assessment but has yet to receive a complaint from the public.
“My information was also part of that TransUnion breach. You know, and in the past three days, I’ve been receiving emails and SMSes from people who claim I have contacted them for debt rescue or such, when I’ve never contacted anybody.”
The regulator can only act once there is a complaint. DM/BM