There has been a lot of talk around Information Officers when it comes to POPIA (Protection of Personal Information Act) and PAIA (Promotion of Access to Information Act), with a guidance note recently released by the South African Information Regulator. The note details much of the who and what that you need to know about this vitally important statutory role. In this article, I’m going to break down some of the key elements of their responsibilities. For the purposes of this article, I’ll be sticking to private bodies (and sole proprietors), and steering away from the guidance specifically for public bodies.
Who is the Information Officer?
In terms of a private body (company and similar), it is the CEO, Managing Director, or similar equivalent. For cases where your company is just you (sole proprietor), then you are the Information Officer too. You can delegate this role within the organisation (it must be someone who is part of the company, you can’t outsource it), but you will still retain accountability and responsibility.
Multinationals operating within South Africa but having operations overseas will need to appoint a South African resident to be their Information Officer. It would not appear that a multinational needs to appoint an employee, but it does need to be someone within the borders of the Republic.
If you are a group of companies, each subsidiary in the group must register its own Information Officers.
Lastly, the Information Officer should be someone at the executive level (or equivalent). Deputy Information Officers, who can be appointed if you have complex requirements or have a larger organisation, should at least be at the management level.
Can it be delegated?
As mentioned, the role of Information Officer can be taken up by any natural person in the company, who then acts as the Information Officer, but the person providing the authorisation retains the accountability and the responsibility. Similarly, any number of Deputy Information Officers may be appointed to share the responsibilities of the role, but the Information Officer remains ultimately responsible and accountable for their actions. In all cases of locally registered companies, the Information Officer and Deputies should be employees of the company, and the delegation must be in writing. As mentioned, international companies that are processing the personal information of South Africans, or are performing processing within the borders of the Republic, will need to appoint a South African resident to represent them as Information Officer.
The guidance note from the regulator contains the registration and delegation forms for you to take a look at (see Annexures A, B and C).
What should they be doing?
The Information Officer has a number of duties as set out in POPIA and PAIA, some of the key duties are:
- Encouraging the organisation’s compliance with the Acts, and implementing policies that deal with how the company complies with the 8 conditions of POPIA.
- Dealing with requests made to a company by data subjects, known as DSARs (Data Subject Access Requests). These could be for deletion of data, amendment of information, or various other rights being exercised.
- Assisting the regulator in terms of investigations. When it comes to investigations around prior authorisation (article coming soon) or other data related matters, the Information Officer must assist the regulator.
- Otherwise ensuring compliance with the 8 conditions of POPIA. Slightly broader than the first point, this includes any other means that an IO must follow to ensure that the organisation is remaining compliant.
- Keeping records of Data Subject Access Requests. The Regulator reserves the right to request from a private body a report of the access requests received in a year, and how each was handled.
For the full list of Information Officer duties, please read Section 55 of the Protection of Personal Information Act.
What are the penalties?
Yes, you read that right, there are penalties that can be levied against Information Officers. There are a number of conditions where an Information Officer (and head of an organisation) can be held criminally liable in terms of PAIA or POPIA. In terms of POPIA, an Enforcement Committee will make recommendations of the actions to be taken against the Information Officer, with sentences up to 10 years on the table. In terms of PAIA, the following applies:
- Where you deny access to a record and then modify, conceal, falsify or destroy that record – this attracts a fine or imprisonment not exceeding two years.
- Where you are wilful or grossly negligent in complying with section 51 of PAIA (compiling a PAIA manual) – this attracts a fine or imprisonment not exceeding two years.
- Where you don’t comply with an Enforcement Notice – this attracts a fine or imprisonment not exceeding three years, or both.
How does one register and get trained up?
As of the 1st of May 2021, Information Officers can be registered with the Regulator. They have a registration form available on their website which can be completed and submitted to them, and a registration portal is expected to launch on the 1st of May as well. Existing Information Officers previously registered under PAIA will still need to register with the Information Regulator.
The Information Regulator does not have a mandate to train Information Officers; this is up to you as a company to do. RGS Consulting and a number of other reputable firms offer a range of training solutions for your Officers. To find out more about the training that is available with RGS Consulting, please book some time with me below.
While it is not a silver bullet, software can make the Information Officer’s life significantly easier. Contact me below to find out more about the different tools I have on offer to assist.
My next public course for Small Business compliance is currently running on the mornings of Friday the 23rd and Monday the 26th of April, 2021. Find out more here.