The coming into effect, on 1 July 2021, of the Protection of Personal Information Act No 4 of 2013 (the “POPI Act”) has caused widespread anxiety amongst businesses who have made little to no progress on becoming compliant with the provisions of the POPI Act. One of the key factors that needs to be addressed is the appointment of an information officer (“Information Officer”). On 1 April 2021, the Information Regulator (South Africa) (“Regulator”) published a Guidance Note on Information Officers and deputy Information Officers (“Guidance Note”). In this article we will investigate what the duties and responsibilities of an Information Officers are, who should be appointed as an Information Officer, or deputy Information Officer, and how to register with the Regulator.

Duties and Responsibilities:

Section 55(1) of the POPI Act provides for the following duties and responsibilities of the Information Officer:

  • encouraging the juristic entity to comply with the conditions for the lawful processing of personal information;
  • dealing with requests made to the juristic entity pursuant to the POPI Act;
  • working with the Regulator in relation to investigations conducted on the juristic entity pursuant to chapter 6 of the POPI Act; and
  • otherwise ensuring the juristic entity complies with the provisions of the POPI Act.

Regulation 4 of the POPI Act provides that, in addition to the abovementioned duties and responsibilities, an Information Officer is required to ensure that:

  • a compliance framework is –
    • developed,
    • implemented,
    • monitored; and
    • maintained,
  • a personal information impact assessment is done to ensure that adequate measures and standards exist for the lawful processing of personal information;
  • a protection of personal information manual (“POPI Manual”) is –
    • developed,
    • monitored,
    • maintained;
    • and made available as prescribed in sections 14 and 51 of the POPI Act;
  • internal measures are developed together with adequate systems to process requests for information or access thereto; and
  • internal awareness training sessions are conducted regarding the provisions of the POPI Act.

Who should be register as an Information Officer and deputy Information Officer?

Section 5 of the Guidance Note provides some clarity as to who must be appointed as the Information Officer. The Information Officer must be an employee of the juristic entity at an executive level or equivalent position such as the chief executive officer or managing director. By virtue of the positions in the juristic entity, they are automatically appointed as Information Officers, however they are still required to register with the Regulator. The authority to act as Information Officer may also be delegated by such executive level employee to any natural person within the juristic entity. Such natural person then becomes the deputy Information Officer. The number of deputy Information Officer a juristic entity may employ depends solely on the size, structure and complexity of the operations of such juristic entity.

Potential liability of an Information Officer:

Information officers who neglect their duties and responsibilities may face severe punishment as provided for in the Promotion of Access to Information Act No 2 of 2000 (“PAIA”). In terms of PAIA, an Information Officer that is found guilty of an offence may be liable, on conviction, to a fine or to imprisonment for a period not exceeding two years.

How to register with the Regulator:

Registration of an Information Office can be completed online via a registration form on the online portal.

VDMA’s team of experts are available to assist you and your business with drafting POPI manuals, privacy policies, conducting POPI training or any other POPI compliance needs you may have.

Published 31 May 2021