Contact

Countdown to POPIA: Understanding the role of information officers and deputy information officers

Back to top

Countdown to POPIA: Understanding the role of information officers and deputy information officers

The role of an Information Officer has been subject to some uncertainty and the recently published Guidance Note for the registration of Information Officers (IOs) and Deputy Information Officers (DIOs) (the Guidance Note) has provided some insight as to the procedures required for the appointment, designation, delegation, and registration of IOs and DIOs in terms of the Protection of Personal Information Act 4 of 2013 (POPIA).

20 Apr 2021 5 min read Article

At a glance

  • The recently published Guidance Note for the registration of Information Officers (IOs) and Deputy Information Officers (DIOs) provides insight into the procedures required for their appointment, designation, delegation, and registration under the Protection of Personal Information Act.
  • The registration of IOs and DIOs is expected to commence on 1 May 2021, and it can be done through an online portal developed for this purpose.
  • The role of an IO has expanded with the advent of POPIA, and while IOs for public entities are automatically appointed, private bodies can authorize an employee at the executive level to act as the IO, while retaining accountability and responsibility.

The Importance of the Guidance Note

The Information Regulator confirmed in the Guidance Note that the registration of IOs and DIOs is expected to commence on 1 May 2021. In a separate media statement released alongside the Guidance Note on 1 April 2021, the Information Regulator further confirmed that such registration would be able to take place via an online portal specifically developed for the purpose of registering IOs and DIOs.

Who is an IO?

In terms of the Promotion of Access to Information Act 2 of 2000 (PAIA), IOs for public entities and heads for private entities are appointed automatically by virtue of their position. However, the advent of POPIA has expanded the role of an IO, meaning the role of an IO within an organisation is now not only governed by the provisions of PAIA, but also by POPIA.

The IO of a public body is the IO or DIO as contemplated in section 1 of PAIA, and this role is not capable of being delegated. On the other hand, in a private body, the role is automatically assigned to the “head” of the private body, which in terms of PAIA, means:

  • in the case of a natural person, that natural person or any person duly authorised by that natural person;
  • in the case of a partnership, any partner of the partnership or any person duly authorised by the partnership; and
  • in the case of a juristic person, the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer or the person who is acting as such or any person duly authorised by such acting person.

Accordingly, in respect of private bodies, the CEO or equivalent officer is by default the IO and this role may be delegated. However, the Guidance Note now provides confirmation that for purposes of POPIA, the CEO or managing director of a private body may authorise an employee within the body to act as the IO, which must be in writing and in a form substantially similar to the Annexure “C” to the Guidance Note. It is important to note that despite authorisation to another person, the ‘default’ IO still retains the accountability and responsibility for any power or function authorised to that person in terms of PAIA and POPIA. 

The Guidance Note unequivocally states in paragraph 5.9, that only an employee of a private body at a level of management and above i.e. executive level, should be considered for authorisation as an IO of that body. To this end, each subsidiary of a group of companies should appoint and register its own IO, while a further obligation is placed on a multinational entity based outside of South Africa, who must now authorise a person within South Africa as an IO.

Duties of the IO

Regulation 4 of the Regulations relating to POPIA, which sets out the responsibilities of IOs, comes into effect on 1 May 2021. Regulation 4 states that an IO must, in addition to the responsibilities referred to in section 55(1) of POPIA (which sets out the duties and responsibilities of IOs), ensure that:

  • a compliance framework is developed, implemented, monitored, and maintained;
  • a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with processing conditions stipulated under POPIA;
  • a PAIA manual is developed, and copies of such manual are made available to a person upon request and payment of a prescribed fee;
  • data subject access measures are developed together with adequate systems to process requests for information or access; and
  • internal staff awareness training is conducted on the provisions of POPIA, the POPIA Regulations, Codes of Conduct, if applicable, and information obtained from the Information Regulator.

IOs of a public body are required to submit a report annually to the Information Regulator setting out information such as, for example, the number of requests for access received, the number of requests for access granted or refused, and the number of internal appeals lodged as a result of a request for access being refused.

Designation and delegation of DIOs

Section 17 of PAIA provides for the designation and delegation of DIOs in a public body, while section 56 of POPIA extends the designation and delegation of DIOs to private bodies.

The Information Regulator has stressed the utilisation of DIOs in organisations with large and complex structures to ensure the extensive obligations placed on an IO are managed and complied with. The Guidance Note provides that the IOs may designate one or more DIOs, in writing, as may be necessary to allow for the organisation to be as accessible as reasonably possible.

Paragraph 7 of the Guidance Note provides direction in regard to the designation of DIOs and recommends that a DIO should “report to the highest management office” within the organisation and should be an employee at a level of management and above (Paragraph 7.9). The DIO is also required to be accessible, including to data subjects, have a reasonable understanding of the organisation’s operations and processes, and should have a good understanding of POPIA and PAIA in order to perform her or his duties (Paragraph 7.11).

Paragraph 8 of the Guidance Note further allows the IO to delegate any of its powers or duties conferred or imposed on him or her to a DIO. Such a delegation must be in writing and substantially similar to the Annexure “B” annexed to the Guidance Note. However, it is important to note that despite the designation of or delegation to a DIO, an IO retains the accountability and responsibility for the duties and responsibilities in terms of PAIA and POPIA and an IO is entitled to withdraw or amend the delegation at any time.

The registration process of the IO

Registration of an IO with the Information Regulator is compulsory for all responsible parties and is a pre-requisite before an IO may commence their duties and responsibilities in terms of POPIA. The IO of a responsible party must complete Annexure “A” to the Guidance Note and submit same to the Information Regulator. The registration form is separated into different parts and also provides for information relating to a DIO where applicable. The IO may submit the registration form either manually or electronically via the online registration portal. The Information Regulator has encouraged the use of the online portal as a means to streamline and speed up the registration process. The online portal is expected to go-live by the end of April. One could, however, complete the registration form attached to the Guidance Note manually and submit it to the Information Regulator’s offices (either by delivering the form to its physical address, or by emailing it to registration.IR@justice.gov.za).

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

7 Mar 2024

by Charl Williams and Parusha Chetty

Revised Social Housing Grant Quantum

On 7 September 2023, the Social Housing Regulatory Authority (SHRA) issued a circular advising interested parties of the applicability, and implementation, of the adjustment to the quantum of the Consolidated Capital Grant (CCG), as announced by the Minister of Human Settlements on 31 March 2023. 

Corporate & Commercial Law

2 min read

15 Feb 2024

by Andries le Grange and Shandré Smith

Don’t count your chickens before they hatch: The Competition Commission’s inquiry into the poultry industry

On 6 February 2023, the Competition Commission (Commission) published its draft terms of reference for its inquiry into the poultry industry (ToR) established in terms of section 43B of the Competition Act 89 of 1998 (Competition Act). The Commission has indicated that there are market features within the poultry industry that are likely to impede or distort competition. The features include structural indicators, the outcomes in the industry and certain conduct along the value chain. It stated that taking steps to address these market features through a market inquiry could benefit industry competitiveness and consumers through the improvement incompetition. 

Competition Law

4 min read

26 Oct 2023

by Louis Botha

No guarantee(s): The practical importance of exchange control compliance

South Africa, with its sophisticated financial system has an extensive legal framework that regulates this system and its proper functioning. One of the components of this regulatory framework is South Africa’s exchange control (Excon) regime, captured mainly in the Currency and Exchanges Act 9 of 1933, Exchange Control Regulations, 1961 (Regulations) and the Currency and Exchanges Manual for Authorised Dealers (AD Manual).

Tax & Exchange Control

7 min read

25 Apr 2024

by Imraan Mahomed and Taryn York

Webinar recording | Immigration implications of the right to work in South Africa

Employment Law Director Imraan Mahomed and Senior Associate, Taryn York together with Andreas Krensel from IBN Immigration Solutions, hosted a webinar on immigration implications of the right to work in South Africa.

Immigration

55:59 Minutes

19 Jan 2024

by Njeri Wagacha

Njeri Wagacha talks to Catherine Igathe

Njeri Wagacha talks to Catherine Igathe, Managing Director and Founder of Ortus Solutions Group Ltd.

53:02 Minutes

3 Apr 2024

by Emma Kingdon

Elections 2024: Internet service providers must prevent dissemination of fake news

With the national and provincial elections less than two months away, the Film and Publication Board (FPB) published a notice on 22 March 2024 in which it defines the terms “ misinformation ” and “ disinformation ”, and declares them to be propaganda for war, inciting imminent violence or potentially advocating hate speech. The distribution of any such content via any medium, including social media, is an offence in terms of section 18H of the Films and Publications Act 65 of 1996 (Act). The fine, if found guilty, is R150,000 and/or a two-year prison term.

2 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline