Protection of Personal Information Act, 2013 (Act No. 4 of 2013)
Codes of Conduct
Guidelines to Develop Codes of Conduct
Part 1 - Introduction: The Legislative Framework
1. Purpose of POPIA and the need for a code of conduct
1.1 | The purpose of POPIA is, amongst others, to give effect to the constitutional right to privacy by safeguarding personal information when processed by a responsible party. |
1.2 | POPIA applies to the processing of personal information: |
1.2.1 | entered in a record by or for a responsible party by making use of automated or non-automated means provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof; and |
1.2.2 | where the responsible party is: |
1.2.2.1 | domiciled in the Republic; or |
1.2.2.2 | not domiciled in the Republic but makes use of automated and non-automated means in the Republic unless those means are used only to forward personal information through the Republic. |
1.3 | Chapter 3 of POPIA regulates the processing of personal information by or for a responsible party through compliance with the eight (8) conditions for the lawful processing of personal information, the processing of special personal information and the processing of personal information of children. |
1.4 | POPIA empowers the Regulator to: |
1.4.1 | issue, from time to time, codes of conduct, amend and revoke codes; |
1.4.2 | make guidelines that would assist bodies to develop or to apply codes; |
1.4.3 | approve codes; and |
1.4.4 | consider afresh, upon application, the determinations by adjudicators under approved codes. |
1.5 | The purpose of a code is to establish a voluntary accountability tool and to promote transparency for relevant bodies on how personal information should be processed. A code does not replace the relevant provisions in POPIA but operates in support of the requirements in POPIA. A code cannot limit a data subject’s right to privacy, which can only be done as provided for in POPIA. |
1.6 | The relevant bodies bound by an issued code of conduct must refrain from performing an act or engaging in a practice that breaches the code. A breach of an issued code is deemed to be a breach of the conditions for the lawful processing of personal information referred to in Chapter 3 and shall be dealt with in terms of Chapter 10 of POPIA. |
1.7 | A code should limit itself to the provisions which outline the specific obligations of relevant bodies bound by a code. A code should comply with all the conditions for the lawful processing of personal information or meet the functional equivalent standard of lawful processing of personal information. A code must also include, but is not limited to, governance and administrative provisions in these guidelines as applicable to specific relevant bodies. |
1.8 | In deciding whether to issue a code, the Regulator will consider whether a code meets the requirements set out in Chapter 7 of POPIA and the requirements set out in these guidelines. |
1.9 | The guidelines encourage different sectors to develop codes within an established framework and harmonise the code with POPIA. |