South Africa: The Protection Of Personal Information Act (POPIA); Mandatory Appointment Of Information Officer – What You Need To Know

By Chido Pamela Mafongoya, Centurion Law Group

With the Fourth Industrial Revolution at play and the increase of internet usage, the Protection of Personal Information Act 4 of 2013 (“POPIA”) was designed to ensure the protection of personal information when being processed. The main aim of the POPIA is to protect data subjects from security breaches, theft, and discrimination. The POPIA also aligns South Africa’s privacy laws with international standards and international best practices. In terms of POPIA, all organizations who process personal information are required to adopt measures to ensure the protection of personal information. It is mandatory for all data processors and responsible persons to comply with POPIA. The Act provides for a one-year transition period, allowing impacted organizations until 1 July 2021 to comply fully.

One of the measures stipulated in POPIA is ensuring that there is an individual who is endowed with the responsibility of protecting information within an organization and held accountable for the use/misuse of the data they hold. Such a person is referred to as the Information Officer. On 1 April 2021, the Information Regulator published the Guidelines for Information Officers (“IO”) and Deputy Information Officers (“DIO”).  This is what you will need to know in respect of the appointment of an Information Officer in the following respects:

Who is the Information Officer?

POPIA designates the head of the business as the Information Officer. The Information Officer therefore varies depending on the kind of entity. For instance, the Information Officer in a sole business will be the sole trader; a partner in a partnership or the Chief Executive Officer (or equivalent) in a company.

The head of the business can delegate his or her responsibilities as Information Officer to any other duly authorized person. However, it is important to note that whoever “determines the purpose of and means for processing personal information” remains ultimately responsible for ensuring that the processing of personal information is done in a lawful manner. Such person retains the accountability and responsibility for any power or the functions authorized to the delegate.

Information Officers need to be registered with the Regulator before taking up their duties. The Guidance Note specifies that “each subsidiary of a group of companies must register its Information Officer”.

Who can be Deputy Information Officer?

In terms of the Guidelines, the Information Officer must appoint as many Deputy Information Officers as is necessary. For example, the appointment of Deputy Information Officers may become necessary to make the organizations’ records as accessible as reasonably possible for requesters. This must be done in writing, specifically using Template “B” in the Guidance Note. Template “B” also stipulates that the Deputy Information Officer should report to the highest management office within a Body and therefore must be an employee.

What are the duties and responsibilities of the Information Officer?

In terms of POPIA, the following general responsibilities ensue-

  • To encourage and ensure compliance with POPIA;
  • To handle and manage requests made to the organization in relation to POPIA (for instance, requests from Data Subjects to update or view their personal information);
  • To work with the Regulator in relation to investigations;
  • To ensure compliance with POPIA; and
  • Responsibilities as may be prescribed (i.e. check for updates on the Regulator’s website).

Regulation 4 lists the following prescribed responsibilities in addition to those listed above –

  • Compliance framework: A compliance framework must be developed and implemented. The IO must ensure that it is monitored and maintained over time.
  • Personal information impact assessment (“PIIA”): Conduct a PIIA to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information (as defined in Chapter 3 of POPIA).
  • POPIA Manual: The IO must ensure that the organisation has a POPIA manual which he or she must monitor, maintain and make available as prescribed. Copies of the manual must be provided to anyone who asks for it (the Regulator may determine in future that a fee must be paid for this).
  • Enable Data Subject Participation: Develop measures and adequate systems to process requests for information or access to information.
  • Awareness Training: The IO must conduct internal awareness sessions regarding the provisions of the POPIA, the regulations made in terms of the Act, relevant codes of conduct, and information obtained from the Regulator. Awareness training must be ongoing as the Regulator provides updates, guidelines and new regulations, or as new codes of conduct become enforceable.

On a day-to-day basis the Information Officer may find themselves: making recommendations and raising concerns where appropriate; documenting information and processing procedures; evaluating and further developing data protection and security policies; suggesting, selecting and implementing technical security measures; drafting forms and contracts appropriate for data protection; selecting employees, service providers and others to be involved in the processing of personal information; monitoring data privacy and security measures as well as the proper use of data processing programs; handling complaints relating to personal information and preparing; and submitting and maintaining notifications to the Regulator.

While POPIA does not explicitly set out specific skills required for an Information Officer, guidance can be gathered from the General Data Protection Regulation (“GDPR”). The GDPR’s requirements for a Data Protection Officer reflect directly upon the skills required by the Information Officer role, such as:

  • Knowledge of IT functions: The Information officer must be very knowledgeable of I.T functions in general and must be well versed in data protection law. They have to be able to offer guidance on related matters such as risk assessments and data protection impact assessments.
  • Legal: The IO must understand relevant data protection and privacy laws and keep up with evolving legislation.
  • Cultural competency: The Information Officer must be able to engage and relate with diverse responsible parties and data operators in other countries.
  • Communication/teaching: The IO is going to serve companies as a consultant for any issues that may arise with regard to personal data rights, he or she must therefore have strong communication skills.
  • Self-starter: The Information Officer must have the competence and skills to carry out their role without guidance and know where to find necessary information.

What liabilities can the Information Officer face?

Section 93(b)(ii) of POPIA empowers the Enforcement Committee to make any recommendation to the Regulator necessary or incidental to any action that should be taken against an Information Officer in terms of the Promotion of Access to Information Act 2 of 2000 (“PAIA”).

An Information Officer may, on conviction, be held criminally liable for the following offences, in terms of PAIA.  A person who, with intent to deny a right of access in terms of this Act

  • Destroys, damages or alters a record;
  • Conceals a record;
  • Falsifies a record or makes a false record;
  • Wilfully or in a grossly negligent manner fails to comply with the provisions of section 14 of PAIA;
  • The head of a private body who, willfully or in a grossly negligent manner, fails to comply with the provisions of section 51 of PAIA; and
  • Non-compliance with an Enforcement Notice.

If found guilty, the Information Officer will be liable to either a fine or imprisonment for a period not exceeding three years or to both such a fine and such imprisonment.

Should the Information Officer be an internal or an external employee?

Once the decision is made to delegate the Information Officer role, the question may arise whether to appoint an internal or external person.

The Information Officer Guidance Note provides some clarity. It states that the Information Officer must be an employee of a private body and must be an employee at an executive level or equivalent position at a level of management. Similarly, Deputy Information Officers must be employees of the organization, and multinational entities based outside of South Africa must designate a Deputy Information Officer that is present within our borders.

In conclusion it is imperative that all organizations, data processors and responsible persons become acquainted with the Guidelines for Information Officers to ensure that they appoint an Information Officer who is competent and knowledgeable of this role. This is important as it is now mandatory and a failure to do so will cost the organization.