Protection of Personal Information Act, 2013 (Act No. 4 of 2013)Codes of ConductGuidelines to Develop Codes of ConductPart 2 - Issuing of a Code of Conduct by the Information Regulator (regulator)13. General principles applicable to issuing of a code of conduct |
| 13.1 | A code of conduct must: |
| 13.1.1 | be in writing; |
| 13.1.2 | incorporate all the conditions for the lawful processing of personal information or set out obligations that provide a functional equivalent of all the obligations set out in those conditions; and |
| 13.1.3 | prescribe how the conditions for the lawful processing of personal information are to be applied or complied with, given the features of the sector or sectors in society in which the relevant responsible parties are operating. |
| 13.2 | A code may apply to any one or more of the following: |
| 13.2.1 | any specified information or class of information; |
| 13.2.2 | any specified body or class of bodies; |
| 13.2.3 | any specified activity or class of activities; or |
| 13.2.4 | any specified industry, profession, or vocation or class of industries, professions, or vocations. |
| 13.3 | A code must also specify appropriate measures: |
| 13.3.1 | for information matching programmes if such programmes are used within a specific sector; |
| 13.3.2 | for protecting the legitimate interests of data subjects insofar as automated decision making is concerned; |
| 13.3.3 | to provide for the review of the code by the regulator; and |
| 13.3.4 | to provide for the expiry of the code within a minimum five (5) year period. |