Regulations relating to the Protection of Personal Information Act

The Information Regulator, in terms of its authority under section 112(2) of the Protection of Personal Information Act, has made regulations relating to the protection of personal information. These regulations serve to clarify the procedures required for the Protection of Personal Information Act, 2013. In addition to the responsibilities defined in section 55 of the Protection of Personal Information Act, information officers are required to ensure that:

  1. a compliance framework is developed, implemented, monitored and maintained;
  2. a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  3. a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, No. 2 of 2000;
  4. internal measures are developed together with adequate systems to process requests for information or access thereto; and
  5. internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.

The regulations also specify the forms that must be used:

Form 1 - A data subject who wishes to object to the processing of personal information must submit the objection to the responsible party on Form 1.

Form 2 - A data subject who wishes to request a correction or deletion of personal information or the destruction or deletion of a record of personal information must submit a request to the responsible party on Form 2.

Form 3 - A private or public body which is sufficiently representative of any class of bodies, or of any industry, profession, or vocation that wishes to apply for the issuing of a code of conduct in terms of section 61(1)(b) of the Act, must submit an application to the Regulator on Form 3. 

Form 4 - A responsible party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must in terms of section 69(2) of the Act submit a request for written consent to that data subject on Form 4. 

Form 5 Part I - Any person who wishes to submit a complaint contemplated in section 74(1) of the Act must submit such a complaint to the Regulator on Part I of Form 5. 

Form 5 Part II - Any person who wishes to submit a complaint contemplated in section 74(2) of the Act must submit such a complaint to the Regulator on Part II of Form 5. 

Form 11 - A request for an assessment in terms of section 89(1) of the Act must be submitted to the Regulator on Part 1 of Form 11.