Protection of Personal Information Act, 2013 (Act No. 4 of 2013)

Chapter 5 : Supervision

Part A : Information Regulator

40. Powers, duties and functions of Regulator

(1) The powers, duties and functions of the Regulator in terms of this Act are—
(a) to provide education by—
(i) promoting an understanding and acceptance of the conditions for the lawful processing of personal information and of the objects of those conditions;
(ii) undertaking educational programmes, for the purpose of promoting the protection of personal information, on the Regulator’s own behalf or in co-operation with other persons or authorities acting on behalf of the Regulator;
(iii) making public statements in relation to any matter affecting the protection of the personal information of a data subject or of any class of data subjects;
(iv) giving advice to data subjects in the exercise of their rights; and
(v) providing advice, upon request or on its own initiative, to a Minister or a public or private body on their obligations under the provisions, and generally on any matter relevant to the operation, of this Act;
(b) to monitor and enforce compliance by—
(i) public and private bodies with the provisions of this Act;
(ii) undertaking research into, and monitoring developments in, information processing and computer technology to ensure that any adverse effects of such developments on the protection of the personal information of data subjects are minimised, and reporting to the Minister the results of such research and monitoring;
(iii) examining any proposed legislation, including subordinate legislation, or proposed policy of the Government that the Regulator considers may affect the protection of the personal information of data subjects, and reporting to the Minister the results of that examination;
(iv) reporting upon request or on its own accord, to Parliament from time to time on any policy matter affecting the protection of the personal information of a data subject, including the need for, or desirability of, taking legislative, administrative, or other action to give protection or better protection to the personal information of a data subject;
(v) submitting a report to Parliament, within five months of the end of its financial year, on all its activities in terms of this Act during that financial year;
(vi) conducting an assessment, on its own initiative or when requested to do so, of a public or private body, in respect of the processing of personal information by that body for the purpose of ascertaining whether or not the information is processed according to the conditions for the lawful processing of personal information;
(vii) monitoring the use of unique identifiers of data subjects, and reporting to Parliament from time to time on the results of that monitoring, including any recommendation relating to the need of, or desirability of taking, legislative, administrative, or other action to give protection, or better protection, to the personal information of a data subject;
(viii) maintaining, publishing and making available and providing copies of such registers as are prescribed in this Act; and
(ix) examining any proposed legislation that makes provision for the—
(aa) collection of personal information by any public or private body; or
(bb) disclosure of personal information by one public or private body to any other public or private body, or both, to have particular regard, in the course of that examination, to the matters set out in section 44(2), in any case where the Regulator considers that the information might be used for the purposes of an information matching programme,

and reporting to the Minister and Parliament the results of that examination;

(c) to consult with interested parties by—
(i) receiving and inviting representations from members of the public on any matter affecting the personal information of a data subject;
(ii) co-operating on a national and international basis with other persons and bodies concerned with the protection of personal information; and
(iii) acting as mediator between opposing parties on any matter that concerns the need for, or the desirability of, action by a responsible party in the interests of the protection of the personal information of a data subject;
(d) to handle complaints by—
(i) receiving and investigating complaints about alleged violations of the protection of personal information of data subjects and reporting to complainants in respect of such complaints;
(ii) gathering such information as in the Regulator’s opinion will assist the Regulator in discharging the duties and carrying out the Regulator’s functions under this Act;
(iii) attempting to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation; and
(iv) serving any notices in terms of this Act and further promoting the resolution of disputes in accordance with the prescripts of this Act;
(e) to conduct research and to report to Parliament—
(i) from time to time on the desirability of the acceptance, by South Africa, of any international instrument relating to the protection of the personal information of a data subject; and
(ii) on any other matter, including necessary legislative amendments, relating to protection of personal information that, in the Regulator’s opinion, should be drawn to Parliament’s attention;
(f) in respect of codes of conduct to—
(i) issue, from time to time, codes of conduct, amend codes and to revoke codes of conduct;
(ii) make guidelines to assist bodies to develop codes of conduct or to apply codes of conduct; and
(iii) consider afresh, upon application, determinations by adjudicators under approved codes of conduct;
(g) to facilitate cross-border cooperation in the enforcement of privacy laws by participating in any initiative that is aimed at such cooperation; and
(h) in general to—
(i) do anything incidental or conducive to the performance of any of the preceding functions;
(ii) exercise and perform such other functions, powers, and duties as are conferred or imposed on the Regulator by or under this Act or any other legislation;
(iii) require the responsible party to disclose to any person affected by a compromise to the integrity or confidentiality of personal information, such compromise in accordance with section 22; and
(iv) exercise the powers conferred upon the Regulator by this Act in matters relating to the access of information as provided by the Promotion of Access to Information Act.

(2) The Regulator may, from time to time, in the public interest or in the legitimate interests of any person or body of persons, publish reports relating generally to the exercise of the Regulator’s functions under this Act or to any case or cases investigated by the Regulator, whether or not the matters to be dealt with in any such report have been the subject of a report to the Minister.

(3) The provisions of sections 3 and 4 of the Commissions Act, 1947 (Act No. 8 of 1947), will apply, with the necessary changes, to the Regulator.

(4) The powers and duties of the Regulator in terms of the Promotion of Access to Information Act are set out in Parts 4 and 5 of that Act.