Note On Information Officers And Deputy Information Officers – POPI
The Protection of Personal Information Act 4 of 2013 (“POPIA”), although promulgated in 2013, is only to come into full force and effect on 1 July 2021. In this regard the implementation of some of its sections had been delayed for various reasons, including the preparation of the office of the Information Regulator and the determination of the practical implementation of some obligations of POPIA.
Some of the sections which have recently come into full effect include, inter alia, section 55 and section 56 which are arguably the most important sections in POPIA. These sections make provision for the responsibilities of Information and Deputy Information Officers respectively.
According to the Promotion of Access to Information Act 2 of 2000 (“PAIA”), read with POPIA, an Information Officer is defined as the Chief Executive Officer or an equivalent officer or any other person who is acting as such in respect of a public body and the head of the organisation, the equivalent or a person who is acting or duly authorised in respect of a private body.
Section 55(1) of POPIA provides that the responsibilities of an Information Officer include, inter alia, encouraging compliance with the conditions of lawful processing, ensuring compliance with POPIA and working with the Information Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA. Section 55 (2) provides that Information Officers must take up their responsibilities in terms of POPIA after they have been registered with the Information Regulator.
On 1 April 2021, the Information Regulator published the “Guidance Note on Information Officers and Deputy Information Officers” which sets out the obligations and liabilities of Information and Deputy Information Officers; the registration of Information Officers with the Information Regulator; the updating the details of Information Officers; the designation of Deputy Information Officers and the delegation of duties and responsibilities of the Information Officers to the Deputy Information Officers. The purpose of this Guidance Note is to ensure that organisations understand the legislative requirements of POPIA as well as the implications of failing to comply therewith. It is accordingly crucial for both Information and Deputy Information Officers to understand their respective roles and obligations as outlined in POPIA, the Regulations to POPIA and the Guidance Note.
In addition to appointing Deputy Information Officers, the Guidance Note provides that the Chief Executive Officer or Managing Director of an organisation may appoint any person as an Information Officer provided, that person holds an executive or equivalent management position. It is important to note however that the Chief Executive Officer or Managing Director will retain accountability and responsibility for all the functions and duties of an Information Officer.
The Guidance Note clarifies that the Information Officer of a multinational entity based outside South Africa must authorise a local person, who holds a management position, to be an Information Officer. Each subsidiary of a group of companies must also register its Information and Deputy Information Officer(s) with the Regulator.
From the wording of the Guidance Note, it is clear that the Information Regulator recognises the need for the training of Information and Deputy Information Officers. However, very little emphasis is placed on the training as the Guidance Note states that the training is only “recommended” and that the Information Regulator is not empowered to provide any training. This is in our view a concern as the consequences for non-compliance are far reaching. Information Officers are ultimately responsible for the organisations they operate in and they bear the risk that comes with non-compliance with the provisions of POPIA. The implications of non-compliance, whether wilful or negligent, may result in fines or imprisonment. It is thus advisable that companies to provide training and support to their Information Officers in order to mitigate any risk.
In this regard employees’ accountability for the organisation’s compliance with POPIA should not be finite and should ideally be distributed to many employees across the organisation. It would also be useful to form POPIA committees.
The first and most important step to mitigating risk is to ensure that Information and Deputy Information Officers are registered with the Information Regulator. The Guidance Note sets out the procedure for the registration of Information Officers and the manner in which the registration forms must be sent to the Information Regulator. Organisations are encouraged to familiarize themselves with the Guidance Note prior to completing and submitting the registration forms for those Officers which are available on the Information Regulator’s website.
Organisations and other responsible parties are required to register Information Officers with the Information Regulator as of 1 May 2021. The registration forms for Information Officers may be sent by way of email to the email address appearing in clause 13 of the Guidance Note, being registration.IR@justice.gov.za. The Guidance Note further provides a physical address for those who wish to submit the registration forms in person.
Employers and other responsible parties are urged to regularly visit the Information Regulator’s website for further developments, particularly as 1 May 2021 is fast approaching.
In view of the above, our POPIA Unit is available to assist clients and advise on the necessary measures and procedures which must be put in place in order to ensure compliance.
Written by the POPIA Unit of Cowan-Harper-Madikizela Attorneys Tanya Mulligan | Gael Barrable | Mbulelo Ndlovu | Jessica Fox | Sinokuhle Skondo