POPIA: From the office of the Regulator

On 29 August 2017, a member of the Information Regulator, Mr Sizwe Lindelo Snail ka Mtuze provided updates regarding the POPI Act.

The Regulator consists of the Chairperson and four ordinary members. The Chairperson and two ordinary members serve in a full-time capacity and the other two ordinary members serve in a part-time capacity.

On 2 December 2016, these five members met for the first time a boardroom of the Department of Justice and Constitutional Development in Pretoria; it was the inaugural meeting of the Information Regulator in South Africa. Armed with copies of the Constitution, the Protection of Personal Information Act ( POPIA) and the Promotion of Access to Information Act (PAIA) strategising began.

The team set out to strategise what had to be done to give effect to what POPIA mandates them to do:

“To give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at:

Balancing the right to privacy against other rights, particularly the right of access to information; and protecting important interests, including the free flow of information within the Republic and across international borders.”

In executing this mandate, the Regulator’s Office is guided by section 39(a) of POPIA, which provides inter alia that the “Information Regulator is independent and is subject only to the Constitution and the law and must exercise its powers without fear, favour or prejudice.”

The vision of the Regulator’s Office is to build a world-class institution for the protection of personal information and the promotion of access to information; an organisation which will hold its own among the community of Information Regulators both regionally and globally.

A common misconception is that it’s the sole mandate of the Regulator to protect personal information – in some quarters the organisation is referred to as the “POPI” Regulator. In other jurisdictions, data protection as it is referred to, is regarded as an ICT issue. In South Africa the legislation that establishes the Regulator enables this team to ensure respect for, and to promote, enforce and fulfil, the constitutionally guaranteed right of access to information and the right to privacy.

The mandate of the Regulator’s office is human rights based and our mission is to give equal effect to these rights.


Section 49 of POPIA mandates the Regulator to establish one or more Committees for the proper performance of its functions. These Committees may consist of members of the Regulator or other members, which the Regulator may appoint. The following committees have been established:

Committee Chairperson
Policy and Governance Committee Adv Pansy Tlakula
Enforcement Committee Mr Sizwe Snail ka Mtuze*
Legal and Compliance Committee Adv Lebogang Stroom-Nzama
Complaints and Dispute Resolution Committee Professor Tana Pistorius
Finance, Risk and Information Technology and Communication Governance Committee (ITC) Adv Collen Weapond
Outreach and Research Committee Mr Sizwe Snail ka Mtuze
Corporate Services Committee Adv Collen Weapond

* Mr Sizwe Snail ka Mtuze is the designated member representing the Regulator in the Enforcement Committee as envisaged in section 50 (1) (a) of POPIA. In terms of section 50 (2) this Committee must be chaired by a Judge of the High Court, or a magistrate with at least 10 years appropriate experience, whether in active service or not; or an advocate or attorney with at least 10 years appropriate experience whether in active service or not;

Members of the Regulator belong to one or more of these Committees. External members may be appointed to these Committees in due course, this will be done in consultation with the Minister of Finance as provided for in section 47(7) of POPIA.

Areas that have already come into effect

A strategic plan for the years 2017-2020 and the annual performance plan for the year 2017- 2018 have already been adapted.

Some key areas, informed by the sections of POPIA that have already come into effect, have been prioritised for the current financial year. These are:

Areas of POPIA that have already come into effect resized

POPIA and the Minister of Justice and Constitutional Development

Section 112(1) (a) of POPIA empowers the Minister of Justice and Constitutional Development to make regulations relating to the establishment of the Regulator.

The Regulator’s Office has already consulted the Minister with regards to this, who stated “the provisions of the Act which deal with the establishment of the Regulator are extensive in nature and it is foreseen that it will not be necessary for the Minister to make any regulations.”

POPIA and the South African Human Rights Commission

Section 114 (4) of POPIA requires the Regulator’s Office to take over the function of enforcing PAIA from the South African Human Rights Commission (SAHRC).

The Regulator’s Office has had its first meeting with the SAHRC on the interpretation of the relevant provisions of PAIA and POPIA, and are of the opinion that until such time that section 114(4) of POPIA has come into operation, the SAHRC should continue to enforce PAIA.

Issue, amend, and revoke

The Regulator may issue, amend, and revoke codes of conduct for the lawful processing of personal information or make guidelines to assist bodies to develop codes of conduct or to apply codes of conduct. Two code of conduct needs assessment are currently being conducted with industry stakeholders.

Learning from the best

The Regulator has identified a number of countries to visit to observe and learn from. The UK and Germany is first on the list, with other African countries and developing nations like Ghana and Mexico also on the list.

The Regulator has also joined the Network of Commonwealth Countries Data Authorities known as Common Threat and is in the process of seeking accreditation with the Network of African Data Protection Authorities and the International Data Protection Commissioners.

Sharp teeth

Mr Sizwe Snail ka Mtuze finished his presentation by stating that people always ask whether the Regulator will have teeth, he answered this with: “Try us!”

In conclusion, POPIA is a reality and is here to stay. It will affect all public and private bodies that process personal information irrespective of size. All public and private bodies that process personal information must ensure that reasonable, adequate, and proportionate measures are taken in order to comply with POPIA.


Mtuze, S. (2017). Training on protection of personal information act 4 of 2013 (POPIA). In: POPI – Protection of Personal Information. Johannesburg, pp.2-24.