With the grace period for organisations to comply with the Protection of Personal Information Act 4 of 2008 ("POPIA") coming to an end on 30 June 2021, it is now crunch time for organisations to ensure that their processing activities are compliant with POPIA's conditions.
One such compliance element is the appointment of an information officer. Up until now, the role of the information officer has been governed by the provisions of the Promotion of Access to Information Act 2 of 2000 ("PAIA"), but with the introduction of POPIA, the role of an information officer is now governed by two pieces of legislation. This means that the role of an information officer has been expanded, and these two pieces of legislation will work side by side to strike a balance between the right of any person to have access to information (PAIA) and the right of a person to have their own personal information and privacy protected (POPIA).
This article seeks to outline the key compliance considerations which organisations need to take into account with respect to the roles and obligations of an information officer under POPIA.
Who is an information officer?
Section 1 of POPIA defines an 'information officer' as follows:
- in relation to a public body - an information officer or deputy information officer as contemplated in terms of section 1 or 17 of POPIA; or
- in relation to a private body - the head of a private body as contemplated in section 1 of PAIA.
In terms of PAIA, the 'head' of a private body means the chief executive officer (CEO) or equivalent officer of the juristic person or any person duly authorised by that officer; or the person who is acting as such or any person duly authorised by such acting person. Therefore, the information officer is likely to be the CEO (or equivalent) in a company or close corporation.
The duties and responsibilities of the Information Officer
In terms of POPIA (section 55, read with regulation 4 of the Regulations Relating to the Protection of Personal Information (14 December 2018)), an Information Officer has the duty and responsibility to, inter alia:
- attend to the development of a compliance framework and to ensure the implementation thereof;
- encourage compliance, by the organisation, with the conditions for the lawful processing of personal information;
- ensure that internal awareness sessions are conducted regarding the provisions of POPIA, codes of conduct, or information obtained from the Information Regulator;
- develop, update and align a manual for the purposes of PAIA (see article "PAIA manual deadline still looming for some" which provides some guiding questions to determine whether your organisation is required to prepare a PAIA manual);
- ensure compliance by the organisation with provisions of POPIA; and
- conduct personal information assessments to ensure that sufficient measures and standards exist to ensure the lawful processing of information.
Registration as an information officer
It is clear from both POPIA and PAIA that the appointment of an Information Officer is automatic. However, POPIA (section 55(2)) now requires an information officer to be registered with the Information Regulator in order for them to take up their duties in terms of POPIA and PAIA. This registration must be done before the information officer commences with his or her duties.
Deputy information officers
In addition to information officers, both PAIA and POPIA provide for the designation of a deputy information officer. The roles of deputy information officers are not, however, automatic. An information officer (in terms of section 56 of POPIA) is entitled to delegate powers and responsibilities conferred on him/her to a deputy information officer in writing. In fact, more than one deputy information officer may be designated depending on the structure, size and complexity of the operations of the organisation. It should be noted that the appointment of a deputy information officer does not prohibit the information officer from exercising the powers and duties that have been delegated. Despite the designation, information officers will still retain the accountability and responsibility for their duties.
Qualifications of information officers
Although not expressly mentioned in either POPIA or PAIA, it is clear from the duties and responsibilities that an information officer should be suitably qualified and must have a reasonable understanding of both PAIA and POPIA. It is also important for both the information officer and the deputy information officer to receive appropriate training in both POPIA and PAIA in order to execute their duties.
POPIA thus provides some clarity on the duties and responsibilities of an information officer. It is clear that information officers and designated deputy information officers play an important role in an organisation, and it is vital for organisations to ensure that information officers are suitably prepared to undertake their roles and the obligations bestowed upon them in terms of POPIA.
Should you require any further information on the role of an information officer/deputy information officer, registration requirements or any aspects relating to POPIA, our team at Tabacks will be able to assist in this regard.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.