Regulations and forms relating to complaints
Protection of Personal Information Act
The protection of personal information of all data subjects is the key aspiration of the POPI Act. It therefore stipulates various mechanisms to protect data subjects proactively, along with procedures to follow to ensure the safety of personal information. Of course, there are instances where personal information is leaked or breached. In light of this, the POPI Act makes provision for data subjects to lay complaints if they feel that their personal information has been unlawfully accessed.
We are going to explore some of the regulations set out by the Information Regulator as they pertain to complaints, as well as some of the relevant documentation that comes into play when a complaint is first laid, how it would be investigated and how a settlement might come to be.
What does the Act stipulate about complaints?
We are primarily interested in Sections 74-77, 79, 80, 94-95 and 99 of POPIA, and in the Government Gazette, which lays down the various regulations that are applicable to the complaints procedure and the legal remedies available. The sections cited above might seem daunting at first, but after this discussion, you will have a general idea of what to do and what you might expect if you are ever faced with a complaint.
Sections 74 to 80 of POPIA empower data subjects to lay complaints, empower the Regulator to act as a conciliator, and stipulate the pre-investigation proceedings of the Regulator and the settlement of complaints. Sections 94 to 99 deal with the rights of affected parties to information regarding the investigation. The Act also requires the completion of the relevant forms, as set out in the Regulations enforced by Section 112 of the Act, for the various sections described above.
Forms forming part of the complaints process
There are different forms for different parts of the complaints process, and not all are applicable in every case. They form part of the administrative side as contemplated in Chapter 7 of the Act.
Part 1 of Form 5 relates to any person who wishes to submit a complaint about interference with the protection of the personal information of a data subject.
Part 2 of Form 5 relates to a complaint submitted to the Regulator by a responsible party if they are unhappy with the determination of an adjudicator.
Form 6: A Notice to parties of a conciliation Meeting
Form 6 serves as an invitation to a meeting to which the Regulator has decided to invite the data subject and the responsible party. The Regulator may consolidate separate complaints if the same parties are involved. The Regulator must ensure that all attendees are notified within a reasonable time of the date, time and place of the meeting. If the meeting fails to take place, the Regulator must arrange for an alternative date and notify the invited parties accordingly.
Form 7: Conciliation Certificate
The Regulator must issue a conciliation certificate within a reasonable time after the date of the conclusion of the conciliation meeting. If the complaint is not resolved, or either or both of the parties did not attend a conciliation meeting, the Regulator must proceed with the complaint as provided for in terms of section 76 of the Act.
Form 8: Pre-investigation Proceedings of the Regulator
Part 1 of Form 8 relates to the notification by the Regulator of its intention to investigate a complaint prior to conducting the investigation.
Part 2 of Form 8 requires the Regulator to inform the responsible party that they are about to be investigated and what the investigation pertains to. Part 2 also grants the responsible party the right to submit a written response to the complaint or subject matter within the time allocated by the Regulator.
Form 9: Settlement meeting Invite
If the Regulator decides to convene a settlement meeting, the Regulator must, as soon as it is practically possible, inform the data subject and the responsible party on Form 9 of the date, time and place of the settlement meeting.
Form 10: Settlement Certificate
The Regulator must issue a settlement certificate within a reasonable time after the date of the conclusion of the settlement meeting. If the complaint is not resolved, or either or both of the parties did not attend a settlement meeting, the Regulator must proceed with the complaint as provided for in terms of section 76 of the Act.
Forms 13-19: Developments in the Case - Enforcement Notices
During the course of the investigation, the Regulator must keep the parties informed of the progress of the investigation and they must be served at the designated addresses of the data subject and responsible party. Depending on the results of the investigation, the following forms relate to actions taken by the Regulator:
Enforcement Notices must contain a statement indicating the nature of what interfered with the protection of personal information of the data subject as well as why the Regulator came to this conclusion. As enshrined in Section 97 of the Act, an enforcement notice can be appealed and the Regulator has a responsibility to inform the responsible party of their right to appeal.
The protection of personal information is of utmost importance and as such, the role of the Regulator and the complaints process is important to know, but being proactive and avoiding complaints is always going to be the preferred approach.