With the Protection of Personal Information Act, 2013 ("POPIA") compliance deadline of 1 July 2021 closing in, many organisations are starting to feel mounting pressure to become compliant with POPIA. A good starting point in any POPIA compliance journey is the appointment of an Information Officer for your organisation.
Who is the Information Officer?
POPIA, by default, designates the head of any private body as the Information Officer. However, there has been some debate as to whether or not the role of Information Officer can be delegated to another person (either internally or externally):
- Section 1 of POPIA defines the “information officer” in relation to a private body as “the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act” ("PAIA"). PAIA, in turn, defines the “head”, in relation to a private body and in the case of a juristic person, to be “the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or the person who is acting as such or any person duly authorised by such acting person”. [our emphasis]
- As such, our view is that the relevant legislation allows for the chief executive officer of a juristic person to authorise or appoint some other person to act as the Information Officer for the purposes of POPIA.
- Clarity on this aspect is awaited and needed from the office of the Information Regulator, well ahead of 1 July 2021, so that organisations can ensure that the correct person is appointed as Information Officer.
What are the responsibilities and liabilities of the Information Officer?
The responsibilities of the Information Officer, as set out in section 55 of POPIA and regulation 4 of the POPIA Regulations, include:
- encouraging the body’s compliance with the conditions for the lawful processing of personal information;
- dealing with requests made to the body pursuant to POPIA;
- working with the Information Regulator in relation to investigations;
- otherwise ensuring compliance by the body with the provisions of POPIA;
- ensuring a compliance framework is developed, implemented, monitored and maintained;
- conducting personal information impact assessments to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- developing, monitoring, maintaining and making available the manual as prescribed by PAIA;
- ensuring internal measures are developed together with adequate systems to process requests for information or access; and
- conducting internal POPIA awareness sessions.
The Information Officer, once appointed, does not have to ensure compliance alone. While the Information Officer remains ultimately responsible for the fulfilment of the responsibilities, section 56 of POPIA permits the Information Officer to delegate their powers and duties to one or more Deputy Information Officers.
There is scope for personal liability to be imposed on the Information Officer under POPIA. By way of example, section 93 of POPIA, which deals with the functions of the Enforcement Committee, states that the Enforcement Committee:
- must consider all matters referred to it by the Regulator in terms of POPIA or the PAIA and make a finding in this respect; and
- may make any recommendation to the Regulator necessary or incidental to any action that should be taken against:
- a responsible party in terms of POPIA; or
- an information officer or head of a private body, as the case may be, in terms of PAIA.
What should an organisation do once they have appointed an Information Officer?
- The Information Officer must take up their duties in terms of POPIA only after the responsible party has registered them with the Information Regulator.
- The Information Regulator has prepared draft Guidelines on the Registration of Information Officers. These guidelines have not yet been finalised, but we anticipate that the Information Regulator will be prepared to receive Information Officer registrations in March 2021.
- Organisations should ensure that their PAIA manuals comply with section 51 of PAIA by including the postal and street address, phone and fax number and, if available, electronic mail address of the head of the body. The head of the body will, of course, be the head of the organisation unless that authority has been delegated to another person, who then becomes the head for the purposes of PAIA. We note that no express mention is made of providing the name of the relevant officer.
Please contact us for comprehensive and full-service data privacy and data-breach advice and assistance, including:
- pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, contracts and procedures for businesses, Information Officer training services and advice on all aspects of POPIA, including trans-border transfers of personal information; and
- post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches and security compromise events.
We also provide comprehensive coverage advice to clients in relation to cyber insurance policies.