As the Protection of Personal Information Act, 2013 (“POPIA”) deadline of 1 July 2021 approaches rapidly, many organisations are starting to raise questions about the more intricate aspects of POPIA.
An important aspect relates to the role and responsibilities of the Information Officer. The Information Regulator sees the role of the Information Officer as a vital aspect of the overall compliance of an organisation and, in a sense, as an extension of the Information Regulator within the organisation to ensure compliance by the organisation.
For any business wishing to ensure its POPIA compliance, one of the first steps is the identification and appointment of an Information Officer for the organisation. No matter the turnover, number of employees, or type of body (public or private), every organisation is required by POPIA to identify, appoint and register an Information Officer.
Prior to the commencement of POPIA, the role of the Information Officer was governed by the provisions of the Promotion of Access to Information Act 2 of 2000 (“PAIA”), but with the introduction of POPIA, the role of an Information Officer is now governed by two pieces of legislation. This means that the role of an Information Officer has been expanded, and these two pieces of legislation will work side by side to strike a balance between the right of any person to have access to information (in terms of PAIA) and the right of a person to have their own personal information and privacy protected (in terms of POPIA).
POPIA, by default, designates the head of any private body as the Information Officer (be it the chief executive officer, managing director or otherwise). It is important to keep in mind that POPIA also requires that the Information Officer register with the Information Regulator prior to taking up their duties as an Information Officer under POPIA, and in a published Guidance Note issued by the Information Regulator, this requirement of registration has taken effect from 01 May 2021.
A business may also appoint one or more Deputy Information Officers, who may assist the Information Officer in the performance of their duties under POPIA. These persons must also be registered with the Information Regulator.
Neither POPIA nor PAIA specifically provides for the qualifications that a person should have to hold the position of Information Officer. However, from the listed duties and responsibilities it is evident that such a person is bestowed with significant responsibilities and the duty to ensure that the body, whether private or public, fulfils its POPIA and PAIA mandate. There are also consequences should this not be done and POPIA is breached.
As both PAIA and POPIA impose strict requirements on responsible parties to ensure compliance with their provisions, an organisation must carefully consider who will take the position of Deputy Information Officer. Will it be the organisation’s Head of Information Technology, Head of Human Resources, another individual, or a combination of these? Selecting the right individual(s) for this role is important because if a Deputy Information Officer fails to perform the duties delegated to him/her, it could have adverse implications not only for the responsible party (as defined in POPIA) but also for the Information Officer.
It is of course also advisable that the Information Officer and deputies receive the necessary training in relation to POPIA so that they are able to provide effective data governance and POPIA compliance in the day-to-day operations of the business.
One can therefore summarise the role of the Information Officer as follows:
Under PAIA, an Information Officer is expected to:
- Encourage and ensure compliance with PAIA.
- Create, maintain and update a PAIA manual for the body, if not exempted.
- Evaluate and approve requests for access to information received in terms of the grounds set out in PAIA, within the applicable timelines.
Under POPIA, an Information Officer is expected to:
- Encourage compliance with the conditions for the lawful processing of personal information in terms of POPIA.
- Deal with requests made pursuant to POPIA (presumably by the Information Regulator or data subjects).
- Work with the Information Regulator in relation to investigations.
- Ensure compliance by the body/entity with the provisions of POPIA.
- Develop, implement and monitor a compliance framework for POPIA compliance within the entity.
- Ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.
- Develop, monitor, maintain and make available a PAIA manual as prescribed in terms of POPIA and PAIA, if not exempted.
- Develop internal measures and adequate systems to process requests for access to information.
- Ensure that internal awareness sessions are conducted.
- Any other responsibilities as may be prescribed from time to time (by the Minister or the Information Regulator).
The person appointed as the Information Officer has a noteworthy responsibility and a duty to ensure that the entity complies with both POPIA and PAIA. Since neither POPIA nor PAIA specifically provides for the qualifications that a person should have to hold the position of Information Officer, management must use their discretion to appoint a responsible person with keen insight and understanding to fulfil this important responsibility within the entity.
Make sure that your Information Officer and any deputies are appointed and registered, and that these persons receive the necessary training from specialists to enable them to fulfil their roles in your organisation, as part of preparing for your overall POPIA compliance by 1 July 2021.