There will be no deadline for registration of information officers and deputy information officers, meaning that no responsible party will be held liable for not registering by 30 June under the Protection of Personal Information Act (Popia).
In a statement released on Tuesday, the Information Regulator said this decision follows technical glitches with the registration portal and numerous concerns raised by responsible parties regarding the registration process.
“The regulator is currently looking into alternative registration processes and will communicate this in due course. We understand that our portal malfunctioning has caused a lot of anxiety and panic and for that we really do apologise,” Information Regulator chairwoman Pansy Tlakula said.
The registration of a CEO as an information officer for multiple legal entities has been taken into consideration and it will be permissible. The registration portal is currently being configured to accommodate these changes. When the registration portal has been updated, it will be announced.
“Popia enforcement powers as promulgated by the President of South Africa in June 2020 will still be coming into effect as of 1 July 2021. The Information Regulator had thus afforded responsible parties a one-year grace period to be compliant with Popia.”
‘Prior authorisation’
“For responsible parties to be compliant with Popia, they are required among many actions to appoint and register their information officers with the Information Regulator and apply for ‘prior authorisation’ before processing personal information,” the regulator said.
There has been an exponential increase for engagement from responsible parties with the regulator. This as the Popia enforcement powers draw closer and are less than 10 days away.
Furthermore, the regulator has extended the applications for prior authorisation in terms section 57 (1) subject to section 58 (2) to 1 February 2022.
Responsible parties must obtain prior authorisation from the regulator prior to any processing of personal information where that responsible party plans to:
- Process any unique identifiers of a data subject;
- Process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
- Process information for purposes of credit reporting; and
- Transfer special personal information or personal information of children to foreign countries that do not provide an adequate level of protection for processing of personal information.
The Information Regulator as of 30 June will also be taking over the function of the Promotion of Access to Information Act from the South African Human Rights Commission.