How to register your Information Officer

Quick FAQ #1: Your organisation, charity, school, club, etc. does have an Information Officer under POPIA, and your IO does need to be registered.
Quick FAQ #2: Your organisation, charity, school, club, etc. does have to comply with both PAIA and POPIA.

The Information Regulator has provided guidelines and instructions here:

REGISTRATION: https://inforegulator.org.za/information-officers/

PAIA: https://inforegulator.org.za/paia-guidelines/

The instructions on how to register your IO are provided together with the registration forms.

What’s this all about?

The Information Officer role (IO) was already defined in PAIA (What is PAIA?). POPIA built on the role and mandated that the IO be registered.

Quick FAQ #3: the IO role has nothing to do with a Chief Information Officer (“CIO”) role. It is a compliance role, and is similar to the Data Protection Officer (“DPO”) role defined in the EU GDPR, in case that helps clarify things.

On 1 April 2021, the Information Regulator published the Guidelines for Information Officers (“IO”) and Deputy Information Officers (“DIO”) [10].

It answers many questions that have been raised over the years; specifically, it covers the following topics:

  • The obligations and liabilities of the IO and DIO, including instances when criminal liability would apply
  • Who should be registered as the IO in both public and private organisations
  • How to designate DIOs and delegate duties and responsibilities
  • How to register and keep the details updated, and how those details will be published

Who is the Information Officer, and who can be Deputies?

POPIA designates the head of the business as the Information Officer [1]. Depending on the type of business, the Information Officer will therefore be the sole trader, a partner in a partnership, or the CEO (or equivalent) in a company or CC [2].

The head of the business can delegate his or her responsibilities as Information Officer to any other duly authorised person [3, 10]. However, it is important to note that whoever “determines the purpose of and means for processing personal information” remains ultimately responsible for ensuring that the processing of personal information is done in a lawful manner [4] and “retains the accountability and responsibility for any power or the functions authorised to that person” [10].

The Guidance Note specifies that “Each subsidiary of a group of companies must register its Information Officer” [10].

The Information Officer must appoint as many Deputy Information Officers as necessary [5]. For example, the appointment of Deputy Information Officers may become necessary to make the organisation’s records as accessible as reasonably possible for requesters. This must be done in writing, specifically using Template “B” in the Guidance Note, which also stipulates that the DIO “should report to the highest management office within a Body” and therefore must be an employee [10].

Duties and Responsibilities

So, what are the duties and responsibilities of the Information Officer? [6]

The specific duties are spelled out for us in the Guidance Note [10].

The Act stipulates the following general responsibilities:

  1. to encourage compliance with POPI
  2. dealing with requests made to the organisation in relation to POPI (for instance, requests from Data Subjects to update or view their personal information)
  3. working with the Regulator in relation to investigations
  4. otherwise ensuring compliance with POPI
  5. as may be prescribed (i.e. keep an eye on the Regulator’s website!)

Information Officers need to be registered with the Regulator before taking up their duties [7].

Regulation 4 [12] lists the following prescribed responsibilities in addition to those listed above:

  • Compliance framework:
    • Develop and implement a compliance framework
    • ensure it is monitored and maintained over time
    • (this could be captured in a privacy charter or framework document that outlines who is responsible for what and which policies apply)
  • Personal information impact assessment (“PIIA”)
    • conduct a PIIA to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information (as defined in Chapter 3 of POPIA)
    • (you can find international guidelines on this if you look up Privacy Impact Assessments or “PIA”)
  • PAIA Manual: ensure that your organisation has a PAIA manual
    • that documents how POPIA applies to your organisation and instructs Data Subjects on how to exercise their privacy rights
    • ensure this manual is monitored, maintained and made available as prescribed by PAIA [11]
    • provide copies of the manual to anyone who asks for it (the Regulator may determine in future that a fee must be paid for this)
  • Enable Data Subject Participation
    • develop measures and adequate systems to process requests for information or access to information
  • Awareness Training: conduct internal awareness sessions regarding
    • the provisions of the POPI Act,
    • the regulations made in terms of the Act,
    • codes of conduct, or
    • information obtained from the Regulator
    • (this will need to be ongoing as the Regulator provides updates, guidelines, new regulations, or as new codes of conduct become enforceable)

On a day-to-day basis the Information Officer may find themselves [8]:

  • making recommendations and raising concerns where appropriate
  • documenting information processing procedures
  • evaluating and further developing data protection and security policies
  • suggesting, selecting and implementing technical security measures
  • drafting forms and contracts appropriate for data protection
  • selecting employees, service providers and others to be involved in the processing of personal information
  • monitoring data privacy and security measures as well as the proper use of data processing programs
  • handling complaints relating to personal information
  • employee training
  • preparing, submitting and maintaining notifications to [the Regulator]

Internal or External?

Once the decision is made to delegate the Information Officer role, the question may arise whether to appoint an internal or external person.

The IO Guidance Note provides some clarity. In a private body, the IO must be an employee, and specifically one at executive level or in an equivalent management position.

Similarly, DIOs must be employees of the organisation, and multinational entities based outside of South Africa must designate a Deputy Information Officer who is present within our borders.

Suitable Candidates

While POPI does not set out specific skills and qualifications for an Information Officer, realistically the role requires the following [9]:

  1. A good understanding of information technology
  2. Basic legal training is advantageous
  3. A broad understanding of the company operations (arguably easier to acquire than 1 & 2)
  4. No conflicts of interest, “which typically rules out the appointment of business owners, senior managers and employees with a strong interest in data collection and usage, such as marketing and HR managers” [9]
  5. Enough spare time
  6. Buy-in from top management

Notes

This post deals with the Information Officer role in a ‘private body’, which includes sole traders, partnerships, CCs and companies but excludes government and constitutional bodies.

The role of Information Officer in SA law is not directly related to the CIO role found in companies.

References

  1. Protection of Personal Information Act 4 of 2013, s1
  2. Promotion of Access to Information Act 2 of 2000, s1
  3. Promotion of Access to Information Act 2 of 2000, s1
  4. Protection of Personal Information Act 4 of 2013, s4(1)
  5. Protection of Personal Information Act 4 of 2013, s56
  6. Protection of Personal Information Act 4 of 2013, s55(1)
  7. Protection of Personal Information Act 4 of 2013, s55(2)
  8. Determann’s Field Guide to International Data Privacy Law Compliance, p7, s1.16
  9. Determann’s Field Guide to International Data Privacy Law Compliance, p9, s1.20
  10. Guidance note on Information Officers and Deputy Information Officers, 1 April 2021
  11. Promotion of Access to Information Act 2 of 2000, s14 and s51
  12. POPIA Regulations, December 2018

All of the legislation referenced above can be accessed on the website of the Information Regulator: justice.gov.za/inforeg