On 12 October 2022, the Information Regulator approved two codes of conduct, which came into effect on 5 November 2022:
- Code of conduct from the Credit Bureau Association (CBA);
- Code of conduct from the Banking Association South Africa (BASA).
These are the first Codes of Conduct the Information Regulator has issued since its establishment. They are intended to ensure clarity on the conditions for the lawful processing of personal information and on how these conditions are to be applied and complied with, given the features of the relevant body, activities, sector, or class of information.
The codes will also ensure peace of mind for members of the public in that the legitimate interest of the data subject is to be protected insofar as automated decision-making affects them.
The Codes of Conduct will bind the members of the CBA and BASA, and they must refrain from performing an act or engaging in a practice that breaches the codes. According to POPIA, an infringement of an issued code is deemed a breach of the conditions for the lawful processing of personal information. It shall be dealt with in terms of the Regulator’s enforcement powers as provided in POPIA.
Herewith is a brief summary of the Codes’ Conditions for Lawful Processing:
Accountability
Members of BASA and the CBA must ensure that the conditions for the lawful processing of personal information as set out in Chapter 3 of POPIA, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of processing and during the processing itself.
Processing Limitation
Members of BASA and the CBA must process personal information lawfully and in a reasonable manner that does not infringe on the data subject’s right to privacy, and only if, given the purpose for which it is processed, it is adequate, relevant, and not excessive.
Purpose Specification
Members of BASA and the CBA will collect personal information for a specific, explicitly defined, and lawful purpose related to a function or activity of a data subject.
Further Processing Limitation
Members of BASA and the CBA will only further process personal information in accordance with, or in a manner compatible with, the purpose for which it was collected.
Information Quality
Members of BASA and the CBA must take reasonable practical steps to ensure that the data subject’s personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which the personal information is collected or further processed.
Openness
Members of BASA and the CBA must maintain the documentation of all processing operations under their responsibility as referred to in Section 51 of the Promotion of Access to Information Act, No. 2 of 2000 (PAIA).
Security Safeguards
Members of BASA and the CBA must secure the integrity and confidentiality of personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, unlawful access to, or unauthorised destruction of personal information.
Data Subject Participation
The data subject, having provided adequate proof of identity, has the right to request confirmation, free of charge, of whether BASA or the CBA holds personal information about the data subject, and to request the record or a description of the personal information kept about the data subject.
The codes also make provision for an Independent Adjudicator to be appointed by BASA or the CBA, which will apply the principles of Section 44 of POPIA in determining a decision concerning the unlawful processing of personal information.
Therefore, it is clear that the Information Regulator intended these codes of conduct to be a voluntary accountability tool and transparency mechanism on how personal information should be processed by the banking industry and members of the Credit Bureau Association.
About The Author:
Douw Krüger started his career at SEESA in 2015. He is a Consumer Protection and POPI legal advisor. Douw also has in-depth practical experience in BEE and Labour legislation. Before joining SEESA, he obtained his LLB degree in Law and Advanced Certificate in Labour Law at the University of the Free State.
Resources:
- Protection of Personal Information Act No. 4 of 2013;
- Code of Conduct for the Processing of Personal Information by the Banking Industry;
- Code of Conduct – Lawful Processing of Personal Information by the Credit Bureaus in South Africa;
- Information Regulator – Media Statement – Regulator Approves Codes of Conduct for the Banking and Credit Reporting Sectors dated 27 October 2022;
- Government Gazette dated 7 October 2022 – No. 47257.

