On 1 April 2021, the Information Regulator established under the Protection of Personal Information Act, 2013 (“POPIA”) published a Guidance Note for the registration of Information Officers (“IOs”) and Deputy Information Officers (“DIOs”), and no, it was not an April Fool's joke.
The initial draft guidance note contemplated that all IOs and DIOs must be registered by 31 March 202, which did not happen. The Information Regulator has specified in its media statement that it is developing an online portal for registration which will be live by the end of April 2021 and the registration process will commence on 1 May 2021. The Information Regulator urges all responsible parties to use the online registration process instead of the manual process. Once registered, the contact details of all IOs and DIOs will be available on the Information Regulator's website.
If your organisation has previously, in terms of the Promotion of Access to Information Act, 2002 (“PAIA”), appointed an IO, then the IO must also be registered with the Information Regulator.
The particulars provided to the Information Regulator must be the same as that contained in your PAIA Manual.
Who is your IO?
For private bodies, by default the “head” of your organisation will be your IO. However, POPIA, as read with the PAIA, and as now confirmed in the Guidance Note, allows the CEO or managing director of a juristic person to authorise any natural person within the body to act as the IO. The Guidance Note states that authorisation must be within the body, indicating that the role cannot be outsourced. The Guidance Note further states that the CEO or managing director retains the accountability and responsibility for any power or functions authorised to that person.
The Guidance Note advises that the person authorised as the IO should be at an executive level or equivalent position and that such duties should be described in that person's job description.
Any authorisation must:
- be in writing using the Authorisation Template (attached as Annexure B to the Guidance Note) or a substantially similar document;
- not prohibit the person (i.e. CEO or managing director) who made the authorisation from exercising the power concerned or performing the duty themselves;
- must be capable of being withdrawn or amended in writing.
Who is your DIO?
A DIO is an employee of a body, authorised by the IO to be designated as the DIO. An organisation may wish to appoint a DIO if it is considered to be large or complex structured organisation. The authorisation for a DIO must be in writing using the Delegation of Authority Template (attached as Annexure B to the Guidance Note) or a substantially similar document and such person must be afforded sufficient time, adequate resources and financial means to devote to compliance with POPIA and PAIA.
It is recommended that the DIO should report to the highest management office. As such, the DIO should be at a level of management or above. The DIO should have a reasonable understanding of POPIA and PAIA and the business operations and processes of the organisation.
The IO must ensure that their rights are reserved in the delegation to a DIO, including to:
- exercise the powers or to perform the duties and responsibilities concerned themself; and
- withdraw or amend the delegation at any time.
What if we are subsidiaries of a group of companies?
The Guidance Note specifies that each subsidiary must register its IO and DIO with the Information Regulator. Group companies would therefore have to carefully consider the appointment of their IOs and DIOs.
What if I am part of a multinational organisation?
The Guidance Note requires multinational organisations based outside of South Africa to authorise any person within South Africa to be the IO. However, the Guidance Note goes on to provide that the IO of a multinational who is outside of South Africa must designate a DIO within South Africa. There is therefore still uncertainty regarding this. It is not clear whether the IO of a multinational can reside outside of South Africa if the IO appoints a DIO within South Africa.
Duties of the IO
The duties of the IO are set out in POPIA and the Regulations to POPIA.
In addition, the IO of a public body is expected to submit an annual report to the Information Regulator mainly dealing with data subject access requests. The IO of a private body is not expected to submit this annual report but may have to do so where requested by the Information Regulator.
The IO and DIO must also receive adequate training and keep abreast with the latest developments in POPIA and PAIA.
Updating the details of an IO or DIO
Organisations must not more than once a year update the particulars of the IO and DIO with the Information Regulator.
Please contact us for assistance with the appointment and registration of your IO, comprehensive training for your IO and DIOs and comprehensive and full-service data privacy and data-breach advice and assistance, including:
- pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, contracts and procedures for businesses, Information Officer training services and advice on all aspects of POPIA, including trans-border transfers of personal information; and
- post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches and security compromise events.
We also provide comprehensive coverage advice to clients in relation to cyber insurance policies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.