The Information Regulator has published amended guidelines for the development of codes of conduct (amended guidelines) in terms of the Protection of Personal Information Act 4 of 2013 (POPIA), for further public consultation. This follows a public consultation, held on 6 November 2019, on the initial draft guidelines for the development of codes of conduct.
The objective of the amended guidelines is to serve as an interpretive aid to chapter 7 of POPIA. They further serve as a practical guide that outlines the minimum criteria for codes of conduct and provides a framework to ensure that codes of conduct are evaluated in a standardised manner. This is intended to foster transparency relating to the requirements and processes for the approval of codes of conduct.
As noted in clause 6 of the amended guidelines, the primary purpose of a code of conduct is to outline how the conditions for the lawful processing of personal information are to be complied with or applied. Reasons for developing a code of conduct may include the following:
- Clarity on how the conditions for lawful processing of personal information are to be applied and complied with given the particular features of the sector or sectors of society in which the relevant responsible parties are operating.
- Functional equivalent means of achieving the obligations related to the conditions for the lawful processing of personal information.
- Higher standards than those which POPIA requires for the protection of privacy rights.
- Obligations for the processing of personal information additional to those prescribed in POPIA.
- Practices to promote cultural change for a relevant body in relation to the lawful processing of personal information.
- Specified processing conditions for specified information or classes of information.
- Specified processing conditions for any specified activity or class of activity.
- Rules and procedures for information matching programmes, if such programmes are used within a specific sector.
- How the legitimate interests of data subjects are to be protected insofar as automated decision making affects them.
- The review of the code by the Information Regulator.
- Details regarding the expiry of the code.
The amended guidelines are accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice.