The processing of information is diverse and extends across many different sectors of our commercial world. There may be varying considerations governing the processing of personal information in different sectors which require sharper definition than is possible in framework legislation of the nature of the Act. For this reason, provision is made for the establishment of codes of conduct which will govern the processing of personal information within defined sectors.
The codes of conduct will not mean that a particular sector may enjoy a more relaxed regime relating to the processing of personal information. The Act expressly provides that a code must incorporate all of the Conditions for the Lawful Processing of Personal Information or obligations that are a functional equivalent of those conditions. The intention is merely to give Responsible Parties operating in specific sectors governed by codes of conduct, clearer guidance on how they may process personal information.
Codes of conduct may prescribe procedures for dealing with complaints, provided that they do not restrict the Regulator’s powers of enforcement provided for in the Act.
The Regulator has the power to revoke codes of conduct if it deems them not fit for purpose with the appropriate measures. The Regulator may also provide written guidelines for codes of conduct. The Regulator must keep a register of approved codes of conduct.
Procedure with dealing with complaints
A code of conduct may prescribe procedures for making and dealing with complaints alleging a breach of the code, but no such provision may limit or restrict any provision of Chapter 10 (Enforcement). The Regulator needs to be satisfied with the code of conduct in meeting the prescribes standards and guidelines as set out by the Regulator.
A code of conduct adjudicator has the responsibility to prepare and submit a report to the Regulator. This requires the report prepared for each year to specify the number and nature of complaints made to an adjudicator under the code during the relevant financial year.
A responsible party or data subject who is aggrieved by a determination, including any declaration, order or direction that is included in the determination, made by an adjudicator after having investigated a complaint relating to the protection of personal information under an approved code of conduct, may submit a complaint in terms of section 74(2) with the Regulator against the determination upon payment of a prescribed fee. The adjudicator’s determination continues to have effect unless and until the Regulator makes a determination under Chapter 10 relating to the complaint or unless the Regulator determines otherwise.
Examples of Codes of Conduct and Ethics
- The Institute of Management Consultants of South Africa (IMCSA)
- The Health Professionals Council of South Africa (HPCSA)
- Legal Practice Council: Code of Conduct For All Legal Practitioners, Candidate Legal practitioners And Juristic Entities
- South African Institute of Chartered Accountants