Tax and Legal Insights | 3 min read

POPIA Explained – Part 13

Information officer

By Lize de la Harpe, legal adviser

In the last edition we discussed the Transfer of personal information to a foreign country.

In this edition we will discuss the role of the Information Officer and take a closer look at their duties in terms of the act.

Promotion of Access to Information Act, 2000 (PAIA)

But first, let’s recap on PAIA (as mentioned briefly in previous editions).

The role of the Information Officer is not a new concept. Before POPIA commenced, the role of the Information Officer was governed by the provisions of PAIA.

POPIA has however expanded this role: the Information Officer referred to in section 55(1) of POPIA is the same Information Officer referred to in the relevant sections of PAIA. To put it differently: the Information Officer will thus perform the duties and responsibilities as set out in both POPIA and PAIA.

Section 1 of POPIA

Every responsible party must appoint an Information Officer to ensure compliance by the responsible party with the provisions of the act.

Section 1 of POPIA defines an Information Officer as follows:

  1. In relation to a private body, means the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act (“PAIA”); and
  • In relation to a public body, an information officer or deputy information officer as contemplated in section 1 or 17.

Put simply: in the instance of a private body, the Information Officer is the CEO or equivalent officer or any person duly authorised by that officer.

Duties and responsibilities

Section 55(1) of the act sets out the specific duties and responsibilities of the Information Officer, which includes:

  1. Encouraging compliance with the conditions for lawful processing of personal information (*an Information Officer may develop a policy on how employees should implement the eight (8) conditions for the lawful processing of personal information);
  • Dealing with requests made pursuant to the act (*for example, an Information Officer of a body will be expected to render such reasonable assistance, free of charge, as is necessary to enable the requester or data subject to comply with the prescribed process for submitting a request in terms of section 24);
  • Working with the Information Regulator in relation to investigations conducted in accordance with the relevant sections of the act; (*PS: we will discuss the role of the Information Regulator in a later edition);
  • Otherwise ensuring compliance with the act as a whole; and
  • As may be prescribed.

In addition to the above, paragraph 4 of the Regulations published in terms of the act (*copy attached hereto) sets out further duties and responsibilities of the Information Officer, being to ensure that:

  1. a compliance framework is developed, implemented, monitored and maintained;
  • personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the Conditions for the lawful processing of personal information;
  • a PAIA manual is be developed, monitored, maintained and made available as prescribed in sections 14 and 51 of PAIA;
  • internal measures are developed together with adequate systems to process requests for information or access thereto;
  • internal awareness sessions are conducted regarding the provisions of the act, its Regulations and all codes of conduct thereunder (*for example, incorporating POPIA specific aspects into HR documentation and/or training provided to staff); and
  • upon request by any person, copies of the manual are provided to such person upon the payment of a fee to be determined by the Regulator from time to time.

Registration of Information Officers

Unlike PAIA (which does not prescribe a process for appointing an information officer), section 55(2) of POPIA requires the responsible party to register its appointed Information Officer with the Information Regulatorbefore taking up his or her respective duties in terms of the act.

*PS: in July 2020 the POPIA Information Regulator published Draft Guidelines on the Registration of Information Officers for public comment before 16 August 2020. These Draft Guidelines aimed to provide guidance and procedures for the registration of Information Officers, updating their details, as well as the designation of and delegation to Deputy Information Officers. To date, a final version has yet to be published.

Delegation to Deputy Information Officers

Section 56 states that responsible parties must make the necessary provision for the designation of powers or duties to Deputy Information Officers, if necessary. Similarly, section 17 of PAIA makes provision for the designation of a Deputy Information Officer.

*PS: please bear in mind that despite any delegation to such Deputy Information Officer(s), the appointed Information Officer will remain accountable and responsible for the functions delegated by him/her.

Conclusion

Although Information Officers are, by virtue of their positions, appointed automatically in terms of both POPIA and PAIA, responsible parties should carefully consider who to appoint in the role of Deputy Information Officer(s) so as to ensure that the duties imposed by the act are duly performed. It is also recommended that responsible parties provide adequate training to Information Officers and Deputy Information Officers in order to keep them abreast of the latest developments in both POPIA and PAIA. In the next edition we will discuss Information Regulator in more detail.

Glacier Financial Solutions (Pty) Ltd and Sanlam Life Insurance Ltd are licensed financial services providers

Your Next Read

Industry Insights | 3 min read
Glacier to acquire Alexander Forbes’ individual client administration business

Receive the latest Glacier Insights delivered to your inbox


Please enabled javascript to view Glacier.