After a series of technical glitches with the Information Regulator’s registration portal for information officers looking to achieve compliance with the PoPI Act, the 1 July 2021 compliance deadline has been scrapped.
In a statement released on Tuesday, the Information Regulator said that this decision is also based on numerous concerns raised by responsible parties regarding the registration process.
“The regulator is currently looking into alternative registration processes and will communicate this in due course. We understand that our portal malfunctioning has caused a lot of anxiety and panic and for that, we really do apologise,” Information Regulator chair Pansy Tlakula said.
Deadline Extended by 1 Year
With this, the regulator has extended the deadline for applications for prior authorisation in terms of section 57(1), subject to section 58(2), to 1 February 2022.
“PoPIA enforcement powers as promulgated by the President of South Africa in June 2020 will still be coming into effect as of 1 July 2021. The Information Regulator had thus afforded responsible parties a one-year grace period to be compliant with PoPIA,” Tlakula said.
“For responsible parties to be compliant with PoPIA, they are required, among many actions, to appoint and register their information officers with the Information Regulator and apply for ‘prior authorisation’ before processing personal information,” the regulator said.
The registration of a CEO as an information officer for multiple legal entities has been taken into consideration, the regulator says, now allowing CEOs to register as their company’s IO as well.
Announcements will come when the registration portal configurations are updated to accommodate these changes.
The Information Regulator says that it has seen increased engagement from responsible parties as the previous deadline approached.
The regulator says that a responsible party must obtain prior authorisation from it before any processing of personal information where that responsible party plans to:
- Process any unique identifiers of a data subject.
- Process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties.
- Process information for purposes of credit reporting.
- Transfer special personal information or personal information of children to foreign countries that do not provide an adequate level of protection for the processing of personal information.
As of 30 June, the Information Regulator will also take over the function of the Promotion of Access to Information Act from the South African Human Rights Commission.