Protection of Personal Information

Public and private bodies are required to register their Information Officers with the Information Regulator, as outlined in section 55 of POPIA.

Who should be registered as an Information Officer?

Information Officers are, by virtue of their positions, appointed automatically in terms of PAIA and POPIA. Information Officers of public and private bodies must designate and/or delegate any power or duty to Deputy Information Officers, as necessary to make the body as accessible as reasonably possible.

Registering Information Officers

Information Officers are required, in terms of section 55(2) of POPIA, to take up their duties only after being registered with the Regulator. The registration of Information Officers can be done on the Regulator's E-Services Portal.

Your duties as the Information Officer

Section 55(1) of POPIA sets out the duties and responsibilities of an Information Officer, which include the following:

  • the encouragement of compliance by the body with the conditions for the lawful processing of personal information;
  • developing a policy on how employees should implement the eight (8) conditions for the lawful processing of personal information, or considering the issuing of a circular in the case of provincial and national departments;
  • dealing with requests made to the body pursuant to POPIA;
  • working with the Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA in relation to the body; and
  • ensuring compliance by the body with the provisions of POPIA.

The additional duties and responsibilities of the Information Officers, in terms of regulation 4 of POPIA, are to ensure that

  • a compliance framework is developed, implemented, monitored and maintained;
  • a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  • a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of PAIA, as amended;
  • internal measures are developed together with adequate systems to process requests for information or access thereto;
  • internal awareness sessions are conducted regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the Regulator; and
  • upon request by any person, copies of the manual are provided to that person upon the payment of a fee to be determined by the Regulator from time to time.

Related Resources

Guidance Note on Information Officers and Deputy Information Officers

Guidance note on direct marketing in terms of the Protection Of Personal Information Act of 2013 (POPIA)

The purpose of this Guidance Note is to guide responsible parties on how to comply with POPIA when processing personal information of data subjects for direct marketing by means of unsolicited non-electronic communications in terms of section 11, and unsolicited electronic communications in terms of section 69, of POPIA.

Processing of personal information of voters, and the countering of misinformation and disinformation during elections.

The purpose of the guidance note is to guide political parties and independent candidates in respect of the scope and applicability of the Protection of Personal Information Act, 4 of 2013 (POPIA) and measures that can be taken to comply with the provisions of POPIA, whilst ensuring the free flow of accurate and reliable information to achieve free and fair elections.

Processing of Special information

The purpose of this Guidance Note is to guide responsible parties who are required to obtain authorisation from the Regulator to process special personal information, as provided for in section 27(2) of POPIA.

Processing of Personal Information of Children

The purpose of this Guidance Note is to guide responsible parties who are required to obtain authorisation from the Regulator to process personal information of children, as provided for in section 35(2) of POPIA.

Processing Personal Information in The Management and Containment of COVID-19 Pandemic

Processing of Personal Information of a Voter by a Political Party

The purpose of the document is to guide political parties with regards to the scope and applicability of the Protection of Personal Information Act, 4 of 2013 (POPIA) in relation to political parties.

Guidance Note: Processing of Personal Information of a Voter by a Political Party in terms of the Protection of Personal Information Act, 4 of 2013, 28 Jan 2019

In terms of the provisions of section 61(2) of the Protection of Personal Information Act (POPIA) No 4 of 2013, the Information Regulator gives notice that it is in receipt of codes of conduct from:

Guidelines

This Guidance Note is issued to guide responsible parties who are currently processing, or intend to process, personal information which is subject to prior authorisation, to ensure compliance with the relevant provisions of the Protection of Personal Information Act 4 of 2013 (POPIA).

POPIA prescribes the eight (8) conditions for the lawful processing of personal information by or for a responsible party. These conditions are not applicable to the processing of personal information to the extent that such processing is exempted in terms of section 37 or 38, from one or more of the conditions concerned in relation to such processing.

ASSESSMENTS

  1. What is an Assessment?
    POPIA mandates the Regulator with, amongst other things, the power to monitor and enforce compliance with the Act. This can be achieved by conducting an assessment in terms of section 89 of POPIA, which can be instituted by the Regulator or by a data subject who has requested that the Regulator assess whether an instance of processing by a responsible party is compliant with POPIA.
  2. When will a responsible party be assessed?
    The Regulator will conduct an assessment on its own initiative based on a number of considerations, including but not limited to:
    2.1 The number of complaints lodged with the Information Regulator. An influx of complaints received or specific complaints that recur can be indicative of an underlying non-compliance issue that needs to be addressed.
    2.2 The number or risk rating of security compromises that you have reported to the Information Regulator. An influx of security compromise notifications received, or specific security compromises that are high risk or recur, can be indicative of an underlying non-compliance issue that needs to be addressed.
    The Regulator will also conduct an assessment on request by or on behalf of the responsible party, data subject or any other person, where appropriate.
  3. What can a responsible party expect during an assessment?
    3.1 The Information Regulator will formally issue an assessment notice to the responsible party advising that they will be assessed in terms of Section 89 of POPIA and will provide dates on which the on-site assessment will take place. (Usually a two-day on-site assessment.)
    3.2 Upon confirmation from the responsible party, the Information Regulator will issue a formal agenda for the on-site assessment which will guide the responsible party to prepare for the assessment.
    3.3 During the on-site assessment, the agenda items will be dealt with, and thorough analysis of documents and oral submissions will take place.
    3.4 Upon finalisation of the on-site assessment, the Information Regulator will formally engage with the responsible party for more information and supporting evidence on matters discussed during the on-site assessment.
    3.5 Once the Information Regulator is satisfied with all the information and supporting evidence provided, and has finalised its assessment, the Information Regulator will formally provide the responsible party with the result of its assessment in terms of Section 91 of POPIA.
    3.6 The responsible party will be given an opportunity to comment on the interim report of the Regulator.
    3.7 The interim report, together with the comments of the responsible party, will serve before the Members of the Regulator and the final report, which is the equivalent of an enforcement notice in terms of section 91(3) of POPIA, will be issued.
  4. Can I request the Regulator to conduct an assessment on a responsible party?
    4.1 Section 89 of POPIA provides data subjects, responsible parties or any other person with a right to request the Regulator to conduct an assessment on whether an instance of processing complies with POPIA.
  5. How do I request the Regulator to conduct an assessment on a responsible party?
    5.1 Complete a Form 11 (contained in the POPIA Regulations) and submit it via email to POPIACompliance@inforegulator.org.za
  6. What happens after the report (Enforcement Notice in terms of section 91(3) of POPIA) is finalised?
    6.1 The Regulator will issue the Enforcement Notice to the responsible party affording it an opportunity to comply with the recommendations which the Regulator deems fit, within a specified timeframe.
  7. What happens if a responsible party does not adhere to the recommendations contained in the Enforcement Notice?
    7.1 Should the responsible party fail to respond to the Enforcement Notice and/or fail to adhere to the recommendations issued by the Regulator, the Regulator may issue an Infringement Notice in terms of section 109 of POPIA.
GENERAL

  1. What is Personal Information?
    Personal information is information that relates to an identifiable, living, natural person or juristic person. This may include:
    (a) Identity Number;
    (b) Physical Address;
    (c) Phone Number;
    (d) Email address;
    (e) Biometric information e.g. fingerprints, blood type and DNA analysis;
    (f) Information relating to the education, financial, medical, criminal or employment history of a person.
  2. Who is a responsible party?
    Any organisation, whether public or private, irrespective of its size, or any individual that processes personal information of data subjects, is a responsible party and has a duty to comply with the lawful conditions for processing in terms of POPIA.
  3. What is the purpose of POPIA?
    The purpose of POPIA is to give effect to the constitutional right to privacy, to regulate the manner in which personal information may be processed, to establish the eight (8) lawful processing conditions and to provide remedies to data subjects.
  4. What is the mandate of the Information Regulator?
    The Regulator has a dual mandate: to ensure respect for, and to protect, enforce and fulfil, the right to privacy in terms of POPIA, and the right of access to information in terms of the Promotion of Access to Information Act 2 of 2000 (PAIA).
  5. What is the difference between POPIA and PAIA?
    POPIA provides for protection of personal information by responsible parties. It does not deal with the protection of confidential or other information that does not constitute personal information.
    PAIA gives effect to the constitutional right of access to any information held by the State and any information that is held by another person and that is required for the exercise or protection of any rights. This may include but is not limited to personal data.
  6. What constitutes the processing of personal information?
    Processing includes, but is not limited to, the collection, receipt, recording, organisation, collating, storage, updating, modification, dissemination, merging, linking, erasure, or destruction of personal information.
COMPLAINTS

  1. Who may lodge a complaint to the Regulator?
    Any person may submit a complaint to the Regulator in the prescribed manner and form alleging interference with the protection of the personal information of a data subject.
  2. How do I lodge a complaint?
    A complaint submitted to the Regulator must be in writing. A complaint can be lodged in one of the following ways:
    a. Complete the online complaint form available on the website of the Regulator.
    b. Complete the complaints Form 5 to the Regulations.
    c. Submit the complaint to the POPIA designated email address: popiacomplaints@inforegulator.co.za
    d. Enter the premises of the Regulator within our operating hours.
    e. The Regulator will help any person who wishes to make a complaint to put that complaint in writing.
  3. What should be included in the complaint form?
    When making a complaint you should:
    a. Provide full details of the complainant (full names, address and contact details)
    b. Provide full details of the responsible party (full names, address and contact details)
    c. Provide a brief description of the matter and why you think the responsible party has processed your personal information in contravention of POPIA.
    d. Provide further documentation or information that may support your complaint (screenshots, documents, recordings, etc.).
    e. Ensure that your complaint form is signed and dated.
  4. On what basis would the Regulator reject a complaint?
    a. The Regulator shall not accept a complaint in which the cause of action arose before 1 July 2021.
    b. The Regulator will not accept a complaint which is pending before another Regulatory Body/Tribunal, or which falls under the exclusive jurisdiction of another Regulatory Body or Tribunal.
    c. The Regulator will not accept a complaint lodged more than three (3) years after the claim has lapsed from the date when the subject matter of the complaint arose and the date when the complaint was made.
    d. The Regulator will not accept a complaint which is purely personal or household in nature, for example, between spouses and family members.
    e. The Regulator will not accept a complaint against the Cabinet and its Committees or the Executive Council of a Province.
    f. The Regulator will not accept a complaint against the judicial functions of a Court.
    g. The Regulator will not accept a complaint regarding processing done by banks prior to such complaints being lodged with the bank as per the Code of Conduct issued by the Regulator in 2022.
  5. Can I review a decision made after a complaint has been finalised?
    Should a person be dissatisfied with the decision and reasons provided, an application should be made to the Information Regulator within 14 (fourteen) days from the date of the decision by completing a Form 20, which can be found in the Rules of Procedure for Handling POPIA Complaints.
    As part of the application, new and relevant information pertaining to the complaint which was previously unknown and/or not submitted, which has a material effect on the decision made, should be submitted.
CODES OF CONDUCT

  1. What is a Code of Conduct?
    The Code of Conduct issued by the Regulator is a set of rules developed and approved by the Regulator that specifies how personal information should be processed within a particular sector, activity, or industry.
    The Code of Conduct must incorporate all of the conditions for lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions.
  2. May the Regulator initiate a Code of Conduct?
    The Regulator may, on its own initiative but after consultation with affected stakeholders or a body representing such stakeholders, initiate a Code of Conduct.
DIRECT MARKETING

  1. What is direct marketing?
    Direct marketing is a form of advertising which allows businesses and organisations to communicate directly with customers through a variety of media channels. POPIA defines direct marketing as meaning to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –
    (a) promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
    (b) requesting the data subject to make a donation of any kind for any reason.
  2. Does POPIA regulate direct marketing?
    Yes, if direct marketing is done ‘by means of unsolicited electronic communication,’ section 69 of POPIA will apply. If direct marketing is done by means other than unsolicited electronic communication, section 11(3)(b) of POPIA will apply.
  3. What are the types of direct marketing regulated by POPIA?
    POPIA draws a distinction between two forms of direct marketing namely:
    a. Direct marketing by means of unsolicited electronic communication in terms of section 69 of POPIA. Examples of this type of direct marketing:
    • Marketing via email
    • Marketing via SMS
    • Marketing via telephone.
    b. Direct marketing, other than direct marketing by means of unsolicited electronic communication to which the data subject may object in terms of section 11(3)(b) of POPIA.
    Examples of this type of direct marketing:
    • Marketing by personal contact
    • Post or hand-delivered mail
  4. What constitutes electronic communication?
    • Telephone
    • Automated Calling Machine
    • Facsimile
    • SMS
    • Email
    • Push Notifications
  5. What does not constitute electronic communication?
    • Post
    • In-person communication
  6. Can a responsible party market to you without consent?
    Responsible parties must obtain consent from data subjects when conducting direct marketing through unsolicited electronic communication (section 69). The first communication to a data subject must be to ask for consent.
    Exception: when the data subject is a customer of the responsible party or has not previously withheld consent.
  7. When can a responsible party market to you without your consent?
    Where the direct marketing is marketing other than direct marketing by means of unsolicited electronic communication such as in person or by mail (section 11(3)(b)).
  8. Can I lodge a complaint with the Regulator relating to direct marketing?
    You can lodge a complaint with the Regulator pertaining to the unlawful processing of your personal information in relation to direct marketing by completing a Form 5.
  9. What other documents should be submitted?
    Collect everything that confirms the direct marketing was unlawful or unwanted. Useful items:
    • Screenshots or exports of SMS, WhatsApp, email, or call logs (dates and times).
    • Copies of the message text, marketing links, or recordings (if lawfully recorded).
    • Proof you did not give consent (or evidence you withdrew consent).
    • Proof of any attempts to opt out or unsubscribe (and the sender's response, if any).
    • Any correspondence you sent to the company asking them to stop, and their reply (if any).
    • Your ID (or proof of authority if you are lodging on behalf of someone).
    The POPIA Form 5 itself requests that documentary evidence or affidavits be attached where relevant.
EXEMPTIONS AND PRIOR AUTHORISATION

  1. What is an Exemption Application?
    It is an application made by a responsible party that wants to process personal information in breach of the conditions for lawful processing in terms of the provisions of POPIA, where:
    • the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from such processing; or
    • the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from such processing.
  2. Who must apply for Exemption application?
    It is the responsible party who processes personal information in breach of the conditions for the lawful processing of personal information who must make an application to the Regulator in the prescribed form.
  3. What is the process the responsible party must follow when applying for exemption?
    Step 1: How to make an application.
    The responsible party must complete an Exemption Application Form which can be obtained from the Information Regulator SA website or as an attachment to a Guidance Note on Exemptions Applications.
    Step 2: Requirements of the application process.
    • A fully and correctly completed application form.
    • Motivation for the application
    • Information Officer registration certificate
    • Signed application form
    Step 3: Submission of the application
    The application can be submitted through the designated email address of the Regulator: POPIACompliance@inforegulator.org.za
  4. When can the responsible party expect the outcome of the application from the Regulator?
    The Regulator has 13 weeks to consider and communicate the outcome of the application to the responsible party. The Regulator will communicate the outcome of the application using the communication channels provided for in the application form. Where the Regulator requests additional information, the period granted to the responsible party to furnish the Regulator with the information is held in abeyance when the 13-week processing time is calculated. The responsible party is allowed to continue to process personal information while the application is still being considered by the Regulator.
  5. What happens after the application is granted?
    The Regulator will communicate the outcome of the application using the communication channels provided for in the application form. The Regulator will publish the granting of the application in the Government Gazette.
  6. What happens after the application is rejected?
    The Regulator will communicate the outcome of the application using the communication channels as provided for in the application form.
  7. What are the circumstances of processing of personal information that require prior authorisation from the Regulator?
    Section 58 requires the responsible party to notify the Regulator if processing is subject to prior authorisation. The processing will be subject to prior authorisation if the responsible party is involved in the following:
    (a) where it profiles people;
    (b) Where it processes information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
    (c) where it processes information for the purposes of credit reporting; or
    (d) where it transfers special personal information or the personal information of children to a third party in another country that does not have an adequate level of protection for the processing of personal information as referred to in section 72 of POPIA.
  8. How do I obtain prior authorisation from the Regulator?
    A prior authorisation application and/or notification of the processing, or the intention to process, personal information as referred to in sections 57(1) and 58(1) of POPIA should be made by completing the application form for prior authorisation which is published on the Regulator's website. All such applications must be submitted through the following channel: Email: popiacompliance@inforegulator.org.za. An application for prior authorisation is not applicable to processing of personal information which is subject to prior authorisation and that took place prior to 1 July 2021.
  9. What is the prescribed timeline for processing the application for prior authorisations?
    Where the Regulator receives a notification of information processing which is subject to prior authorisation, the Regulator will inform the responsible party which applied for prior authorisation, in writing and within four (4) weeks of the notification, as to whether or not the Regulator will conduct a more detailed investigation. In the event that the Regulator decides to conduct a more detailed investigation, the Regulator will inform the responsible party in writing of the reasonable period within which it plans to conduct the detailed investigation, which period will not exceed thirteen (13) weeks.
  10. What happens if I fail to notify the Regulator of any processing that is subject to prior authorisation?
    A responsible party who fails to notify the Regulator of any processing that is subject to prior authorisation in terms of section 58(1) of POPIA is guilty of an offence. Any person convicted of an offence is liable to a fine not exceeding R10 million or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.
PROCESSING OF PERSONAL INFORMATION OF CHILDREN

  1. Who makes an application to process Personal Information of Children?
    It is a responsible party who wants to process personal information of children.
  2. What is the process the responsible party must follow when applying to process Personal Information of Children?
    Step 1: How to make an application.
    The responsible party must complete the application form to process Personal Information of Children which can be obtained from the Information Regulator SA website or as an attachment to a Guidance Note on Personal Information of Children Application.
    Step 2: Requirements of the application process.
    • A fully and correctly completed application form.
    • Motivation for the application
    • Information Officer registration certificate
    • Signed application form
    Step 3: Submission of the application
    The application can be submitted through the designated email address of the Regulator: POPIACompliance@inforegulator.org.za
  3. When can the responsible party expect the outcome of the application from the Regulator?
    • The Regulator has 13 weeks to consider and communicate the outcome of the application to the responsible party.
    • The Regulator will communicate the outcome of the application using the communication channels as provided for in the application form.
    • Where the Regulator requests additional information, the period granted to the responsible party to furnish the Regulator with the information is held in abeyance when the 13-week processing time is calculated.
    • The responsible party is allowed to continue to process personal information while the application is still being considered by the Regulator.
  4. What happens after the application is granted.
    The Regulator will communicate the outcome of the application using the communication channels provided for in the application form. The Regulator will publish the granting in the Government Gazette.
  5. What happens after the application is rejected.
    The Regulator will communicate the outcome of the application using the communication channels as provided for in the application form.
PERSONAL INFORMATION IMPACT ASSESSMENT

  1. What is a Personal Information Impact Assessment (PIIA)?
    A personal information impact assessment is a procedure used by the responsible party to evaluate the potential privacy risks and impacts associated with the collection, use, disclosure, and management of personal information. It should be undertaken by organisations at the early stages of the development of any project, processing activity or establishment of a new business process.
  2. What is the purpose of a personal information impact assessment?
    A personal information impact assessment is done to ensure that adequate measures and standards exist to comply with the conditions for lawful processing of personal information, and also to ensure that a compliance framework is developed, implemented, monitored and maintained.
  3. How are risks identified and assessed?
    You need to consider the potential impact and harm your processing may cause. To assess whether the risk is high or not, consider both the likelihood and the severity of the possible harm.
  4. Why is PIIA necessary?
    To:
    – Ensure that adequate measures and standards exist.
    – Know where the biggest impact will be.
    – Know where to focus your efforts.
    – Know the scope of the remedial work that needs to be done and how best to do it.
  5. Who needs to do a Personal Information Impact Assessment?
    In terms of Regulation 4 of POPIA, information officers must ensure that a personal information impact assessment (PIIA) is conducted to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.
  6. How do I conduct a Personal Information Impact Assessment?
    During a PIIA, the responsible party conducts a detailed examination of how personal information is obtained, processed, stored, and shared throughout its lifecycle. This involves identifying the types of personal information collected, the purposes for which it is utilised, the individuals or entities with whom it is shared, and the measures in place to safeguard its confidentiality and integrity.
PROCESSING OF SPECIAL PERSONAL INFORMATION

  1. Who makes an application to process Special Personal Information?
    It is a responsible party who wants to process special personal information.
  2. What is the process the responsible party must follow when applying to process Special Personal Information?
    Step 1: How to make an application.
    The responsible party must complete the application to process Special Personal Information which can be obtained from the Information Regulator SA website or as an attachment to a Guidance Note on Special Personal Information.
    Step 2: Requirements of the application process.
    • A fully and correctly completed application form.
    • Motivation for the application
    • Information Officer registration certificate
    • Signed application form
    Step 3: Submission of the application
    The application can be submitted through the designated email address of the Regulator: POPIACompliance@inforegulator.org.za
  3. When can the responsible party expect the outcome of the application from the Regulator?
    • The Regulator has 13 weeks to consider and communicate the outcome of the application to the responsible party.
    • The Regulator will communicate the outcome of the application using the communication channels as provided for in the application form.
    • Where the Regulator requests additional information, the period granted to the responsible party to furnish the Regulator with the information is held in abeyance when the 13-week processing time is calculated.
    • The responsible party is allowed to continue to process personal information while the application is still being considered by the Regulator.
  4. What happens after the application is granted.
    The Regulator will communicate the outcome of the application using the communication channels provided for in the application form. The Regulator will publish the granting in the Government Gazette.
  5. What happens after the application is rejected.
    The Regulator will communicate the outcome of the application using the communication channels as provided for in the application form.
SECURITY COMPROMISES

  1. What constitutes a security compromise?
    A security compromise is considered to have occurred when there are reasonable grounds to believe that any unauthorised person has accessed or acquired personal information under the control of a responsible party including information processed by a third party on behalf of the responsible party, or if personal information has been intentionally or accidentally lost, shared or destroyed.
  2. What are examples of security compromises?
    Security compromises are usually either accidental, deliberate or incidental, for example:
    • Human error (e.g. emails sent in error, personal information accidentally displayed, shared verbally, or delivered to a wrong address).
    • Loss or theft (e.g. misplacing of records; theft of physical files, a laptop, hard drive or cell phone; burglary; hijacking of security vans).
    • Fraud or misrepresentation (e.g. a disgruntled employee, industrial sabotage or espionage, opportunistic crime, impersonation).
    • Cyber-security incidents (e.g. brute force attacks, ransomware, phishing attacks).
  3. Do I have to report all security compromises or only the high-risk ones?
    POPIA does not have a threshold for reporting of security compromises. All security compromises must be reported irrespective of the deemed level of risk.
  4. Who needs to report a security compromise that happened at an Operator?
    Section 22 makes provision for the responsible party to notify of the security compromise, as it remains responsible for the control of the personal information held by it. An operator is obliged to notify the responsible party if there has been a security compromise affecting the personal information controlled by the responsible party. An operator itself only needs to notify of a security compromise where personal information for which it is the responsible party, rather than solely an operator, is compromised.
  5. What are the requirements in the event of a security compromise?
    In the event that a security compromise occurs, POPIA requires that the responsible party inform the Information Regulator, as well as the person or persons whose data has been compromised (“data subjects”) as soon as reasonably possible after the breach has been discovered. Responsible parties are also required to conduct their own investigations in order to determine the nature and scope of the breach and the potential impact thereof, as well as take steps to mitigate any adverse consequences.
  6. How may a security compromise notification be reported to the data subject?
    A security compromise notification must be reported to the data subject in writing using one of the following ways:
    (a) By post to the last known physical or postal address of the data subject;
    (b) By email to the last known e-mail address of the data subject;
    (c) Placed in a prominent position on the website of the responsible party;
    (d) Published in the news media;
    (e) Communicated in any other manner as directed by the Regulator.
  7. How may a security compromise notification be reported to the Regulator?
    As of 1 April 2025, all security compromise notifications in terms of section 22 of POPIA must be submitted on the Information Regulator's eServices Portal. To access the eServices Portal, visit the Information Regulator website at https://inforegulator.org.za/ and click on the “eServices” banner on the homepage, or go directly to https://eservices.inforegulator.org.za.
  8. How do I report a security compromise online?
    A step-by-step guide can be accessed at the following link: https://eservices.inforegulator.org.za/compromises/docs/guide.pdf
  9. What happens if one fails to follow the prescribed process of a security compromise notification?
    Failure to follow the prescribed notification process may result in the notification being regarded as non-compliant and the Regulator may initiate an investigation or assessment.
  1. What are appropriate security safeguards?
    Section 19 of POPIA states that the responsible party must secure the integrity and confidentiality of the personal information by taking reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of the personal information, as well as unlawful access to or processing of the information.
    Section 19 further obliges the responsible party to identify foreseeable internal and external risks, establish and maintain appropriate safeguards, regularly verify that the safeguards are being implemented and ensure that the safeguards are continually updated.
    The responsible party must also consider generally accepted information security practices required in terms of regulations, as well as specific industry or professional rules.
  2. What are organisational measures?
    Organisational measures are usually governance practices, policies and processes that secure the integrity and confidentiality of personal information. They often support technical measures. These measures may include:
    2.1. Personal information impact assessments (PIIA): Regulation 4 sets out the responsibilities of information officers to, inter alia, ensure that a PIIA is done to provide adequate measures and standards to comply with the conditions for the lawful processing of personal information.
    2.2. Policies and procedures: These provide clear guidelines for accessing, using and protecting personal information and information systems.
    2.3. Cybersecurity awareness training: Educating employees on cybersecurity best practices, such as recognising cybersecurity threats and creating strong passwords.
    2.4. Security compromise response plan: Developing a plan to detect, respond to and recover from security compromises effectively.
  3. What are technical measures?
    Technical measures are tools, technologies, and techniques employed to protect computer systems, networks, and personal information from security compromises. These measures may include:
    3.1. Access Controls: Access control mechanisms enforce restrictions on who can access personal information or perform certain actions within a system or network.
    3.2. Encryption: Encryption converts data into a coded format that can only be read with the correct decryption key. It protects personal information from unauthorised access if intercepted by hackers, ensuring data confidentiality and integrity.
    3.3. Endpoint security: Endpoint security protects individual devices (endpoints) connected to the network, such as desktops, laptops, servers and mobile devices, from various cyber threats.
    3.4. Firewalls: Firewalls are network security devices that monitor and control incoming and outgoing network traffic based on predetermined security rules. They help prevent unauthorised access to or from an organisation's computer networks by filtering the traffic and blocking potentially harmful connections.
    3.5. Multi-factor Authentication (MFA): MFA requires users to provide multiple forms of verification, such as passwords, biometric scans, or security tokens, to access a system or application. It adds an extra layer of security beyond traditional password-based authentication, reducing the risk of unauthorised access due to compromised credentials.
    3.6. Security Information and Event Management (SIEM): SIEM solutions collect, analyse, and correlate security event data from various sources across an organisation’s IT infrastructure. They provide real-time monitoring, threat detection, and incident response capabilities to help organisations identify and respond to security threats effectively.
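    The cyber-security incidents listed under security compromises (brute-force attacks) and the SIEM description in 3.6 can be tied together in code. The following is an added example, not code from the Information Regulator or from this page: a small correlation rule, written in Python, that reads constructed authentication log lines from two sources, groups them per source address, host and account, and flags a burst of failed logins, distinguishing a burst followed by a successful login (a suspected account compromise, which the responsible party would need to investigate and, if confirmed, notify under section 22) from attempts that never succeeded. The log format, host names, user names, addresses and the threshold of five failures within ten minutes are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events (not from the page). One line per
# login attempt, from an SSH daemon and a web application, timestamps in UTC.
# Addresses are documentation ranges; the last line is deliberately malformed.
SAMPLE_LOG = """\
2025-04-01T08:00:01Z sshd host=hr-files user=jmokoena src=198.51.100.7 result=FAIL
2025-04-01T08:00:04Z sshd host=hr-files user=jmokoena src=198.51.100.7 result=FAIL
2025-04-01T08:00:09Z sshd host=hr-files user=jmokoena src=198.51.100.7 result=FAIL
2025-04-01T08:00:13Z sshd host=hr-files user=jmokoena src=198.51.100.7 result=FAIL
2025-04-01T08:00:20Z sshd host=hr-files user=jmokoena src=198.51.100.7 result=FAIL
2025-04-01T08:00:25Z sshd host=hr-files user=jmokoena src=198.51.100.7 result=OK
2025-04-01T08:02:10Z webapp host=web-portal user=tnaidoo src=192.0.2.44 result=FAIL
2025-04-01T08:02:31Z webapp host=web-portal user=tnaidoo src=192.0.2.44 result=OK
2025-04-01T08:05:00Z webapp host=web-portal user=admin src=203.0.113.9 result=FAIL
2025-04-01T08:05:02Z webapp host=web-portal user=admin src=203.0.113.9 result=FAIL
2025-04-01T08:05:04Z webapp host=web-portal user=admin src=203.0.113.9 result=FAIL
2025-04-01T08:05:06Z webapp host=web-portal user=admin src=203.0.113.9 result=FAIL
2025-04-01T08:05:08Z webapp host=web-portal user=admin src=203.0.113.9 result=FAIL
2025-04-01T08:05:10Z webapp host=web-portal user=admin src=203.0.113.9 result=FAIL
this is not a log line
"""

# Assumed log format: "<ISO timestamp>Z <app> host=<h> user=<u> src=<ip> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<app>\S+) "
    r"host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines the rule cannot use."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=10)):
    """Correlate events per (source IP, host, account) and apply one rule:
    `threshold` or more failures inside `window` followed by a success is a
    suspected account compromise; the same burst with no success is an
    attempted brute force. Returns one finding per flagged key."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # sources may deliver out of order

    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["host"], e["user"])].append(e)

    findings = []
    for (src, host, user), evs in by_key.items():
        recent_failures = []  # failure timestamps still inside the window
        peak_failures = 0     # largest in-window failure count observed
        outcome = None
        for e in evs:
            recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
            if e["result"] == "FAIL":
                recent_failures.append(e["ts"])
                peak_failures = max(peak_failures, len(recent_failures))
            else:
                if len(recent_failures) >= threshold:
                    outcome = "success_after_failures"
                    break
                recent_failures = []  # a normal login resets the window
        if outcome is None and peak_failures >= threshold:
            outcome = "attempts_only"
        if outcome is not None:
            findings.append({"src": src, "host": host, "user": user,
                             "failures": peak_failures, "outcome": outcome})
    return findings


def needs_compromise_review(findings):
    """True when any finding is a suspected account compromise, i.e. there may be
    reasonable grounds to believe an unauthorised person accessed personal information."""
    return any(f["outcome"] == "success_after_failures" for f in findings)


if __name__ == "__main__":
    found = detect_brute_force(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print("open security compromise investigation:", needs_compromise_review(found))
```

    Run as a script, the block prints two findings: the hr-files account that was reached after five failures, and the admin account on the web portal that was only attacked. A production SIEM applies the same idea over many sources and many rules; the `needs_compromise_review` flag is a trigger for the responsible party's own investigation described under question 5, not a determination that a security compromise has occurred.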
  4. PERSONAL INFORMATION IMPACT ASSESSMENT (PIIA)
    4.1. What is a Personal Information Impact Assessment (PIIA)?
    A personal information impact assessment is a procedure which describes the nature, scope, context and purposes of any processing of personal information. It should be undertaken by organisations at the early stages of the development of any project, processing activity or establishment of a new business process.
    It is used by the responsible party to evaluate the potential privacy risks and impacts associated with the collection, use, disclosure, and management of personal information.
    4.2. What is the purpose of a personal information impact assessment?
    A personal information impact assessment is done to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information, and also to ensure that a compliance framework is developed, implemented, monitored and maintained.
    4.3. How are risks identified and assessed?
    You need to consider the potential impact and harm your processing may cause. You need to consider the likelihood and severity of the possible harm in order to assess whether the risk is a high risk or not.
    4.4. Why is PIIA necessary?
    To:
    • Ensure that adequate measures and standards exist
    • Know where the biggest impact will be
    • Know where to focus your efforts
    • Know the scope of the remedial work that needs to be done and how best to do it.
    4.5. Who needs to do a Personal Information Impact Assessment?
    In terms of Regulation 4 of POPIA, information officers must ensure that a personal information impact assessment (PIIA) is conducted to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.
    4.6. How do I conduct a Personal Information Impact Assessment?
    During a PIIA, the responsible party conducts a detailed examination of how personal information is obtained, processed, stored, and shared throughout its lifecycle. This involves identifying the types of personal information collected, the purposes for which it is utilized, the individuals or entities with whom it is shared, and the measures in place to safeguard its confidentiality and integrity.
  1. What are the duties of an Information Officer?
    An information officer is the person who is responsible for ensuring that a responsible party complies with POPIA. An information officer of a responsible party (or body) must:
    a) encourage compliance with the conditions for the lawful processing of personal information;
    b) deal with requests made pursuant to POPIA;
    c) work with the Regulator in relation to investigations and/or assessments conducted;
    d) ensure compliance by the responsible party with the provisions of POPIA;
    e) develop, implement and monitor a compliance framework;
    f) ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist;
    g) develop, monitor, maintain and make available a PAIA manual;
    h) develop internal measures and adequate systems to process requests for access to information; and
    i) ensure that internal awareness sessions are conducted.
    These responsibilities are set out in section 55 of POPIA and in the POPIA Regulations.
  2. Are all organisations obliged to register an Information Officer and/or Deputy Information Officer?
    All organisations, both public and private bodies, are obliged to register their information officer with the Information Regulator. The information officer may only take up the duties of encouraging and ensuring compliance with the conditions for the lawful processing of personal information, working with the Regulator and dealing with requests made to the body after registering with the Regulator in terms of section 55.
    Individuals (Sole Proprietor), small businesses, and firms are also obliged to register their Information Officers if they process personal information.
    Organisations can also designate deputy information officers in line with the Guidance Note on the Registration of Information Officers.
    All Information Officers and Deputy Information Officers must be registered with the Regulator using the eServices Portal: https://eservices.inforegulator.org.za.
  3. How can an organisation register an Information Officer?
    The information officer should be registered with the Information Regulator by the head of the organisation. The Registration Portal (Home Page – Information Regulator) will enable you to register your information officer. Should you need to deregister your Information Officer, you should submit a request to the Information Regulator via email.
  4. What happens if a company does not register an Information Officer?
    It is not an offence for an organisation not to have an officer registered. However, registering an officer helps the Regulator to maintain contact with the responsible party when complaints and requests for assessments are received. In the absence of a designated Information Officer, the head of the organisation will be held liable for all POPIA-related matters.

Form 1
This form must be completed by a data subject who wishes to object to an instance where the responsible party has a lawful basis to process the personal information of the data subject without obtaining consent. This objection may be raised at any time while the processing is taking place.
Who completes this form? The data subject
Who should this form be submitted to? The responsible party who is processing the personal information.
Form 2
This form is completed by a data subject to request a responsible party to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or to destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised to retain.
Where can this form be found? On the Regulator’s website or in the PAIA manual of the responsible party.
Who completes this form? The data subject.
Who should this form be submitted to? The responsible party. If the responsible party fails to comply with the request within a reasonable time, the data subject must complete Form 5 and submit it to the Regulator’s prescribed POPIA email address.
Form 3
This form is completed by a private body or public body which is sufficiently representative of any class of bodies, or of any industry, profession or vocation, as defined in the code in respect of such class of bodies or such industry, profession or vocation, and which wishes to apply for the issuing of a code of conduct in terms of section 69(2) of the Act.
Who completes this form? The public or private body as mentioned above.
Who should this form be submitted to? The Regulator’s prescribed POPIA email address or website.
Form 4
This form is completed by a responsible party who wishes to process the personal information of a data subject for the purpose of direct marketing by electronic communication and who must, in terms of section 69(2) of the Act, submit a request for written consent to that data subject.
Where is this form found? In the POPIA Regulations.
Who completes this form? The responsible party.
Who is this form submitted to? The data subject.
Form 5
This form is submitted by any person wishing to lodge a complaint alleging that there has been unlawful interference with the protected personal information of a data subject in terms of section 74(1) of the Act.
Who completes this form? Any person or a data subject.
Who is this form submitted to? The form must be sent to POPIACompliance@inforegulator.org.za.
Form 11
This form is completed by any responsible party, data subject or other person who requests the Regulator to conduct a section 89 assessment.
Where is this form found? In the POPIA Regulations.
Who completes this form? Any responsible party, data subject or other person.
Who is this form submitted to? POPIACompliance@inforegulator.org.za.