During July 2020, the Information Regulator published draft Guidelines on the Registration of Information Officers. In terms of the Protection of Personal Information Act (POPIA), responsible parties are required to appoint and register an Information Officer. This is a two-step process: first, the Information Officer must be appointed within the business; second, the appointed Information Officer must be registered with the Information Regulator. Section 55(2) of POPIA requires that Information Officers be registered with the Information Regulator before they can take up their duties in terms of POPIA and the Promotion of Access to Information Act (PAIA). Registration is therefore a prerequisite for Information Officers to perform their duties.
The draft Guidelines on the Registration of Information Officers provide insight into:
- Who should be registered as an Information Officer for both public and private bodies
- The duties of the Information Officer
- Instances when an Information Officer may be criminally liable in terms of PAIA
- The designation of and delegation of authority to Deputy Information Officers
- Training of Information Officers and Deputy Information Officers
- Procedure for registration of Information Officers
- Forms and Templates
Registration of Information Officers
Certain people, by virtue of their position, are automatically appointed as Information Officers in terms of PAIA and POPIA. For private bodies the following types of people are automatically appointed, and it is therefore compulsory that they be registered with the Information Regulator:
- Sole Proprietors
- Any partner in a partnership or any person duly authorised by the partnership
- CEO or Managing Director (or equivalent officer), or any person duly authorised by that officer in a Company or Close Corporation
The draft guidelines contain a prescribed “Information Officer’s Registration Form” which must be used to register Information Officers. The draft guidelines propose that registration forms must be completed and submitted to the Regulator before 31 March 2021.
Designation of and delegation of authority to Deputy Information Officers
Both PAIA and POPIA allow for the designation of a Deputy Information Officer within the business. The designation and delegation of authority must be in writing. It allows the Information Officer to delegate some of his or her duties to the Deputy Information Officer; however, the Information Officer still retains accountability and responsibility for the functions delegated to the Deputy Information Officer.
The Deputy Information Officer must also be registered with the Information Regulator. The proposed guidelines contain a template for the “Designation and Delegation of Authority to the Deputy Information Officer”. More than one Deputy Information Officer may be designated depending on the size, structure, and the complexity of the operations of a specific business.
A Deputy Information Officer should be suitably qualified and have a reasonable understanding of POPIA, PAIA and of the business operations and processes in order to perform his or her duties. The guidelines state that an employee at a level of management and above should be considered for designation as a Deputy Information Officer.
Duties of Information Officers
Persons appointed and registered as Information Officers, or who are Deputy Information Officers, will be responsible for the following:
- Encourage and ensure compliance in the organisation with the conditions for the lawful processing of personal information.
- Deal with requests made to the organisation pursuant to POPIA.
- Work with the Information Regulator in relation to investigations conducted regarding Chapter 6 of POPIA which deals with “prior authorisation”.
- Ensure that a compliance framework is developed, implemented, monitored and maintained.
- Ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.
- Ensure that a PAIA Manual is developed, monitored, maintained and made available as prescribed.
- Ensure internal measures are developed together with adequate systems to process requests for information or access thereto.
- Ensure internal awareness sessions are conducted regarding the provisions of the Act, regulations, codes of conduct, or information obtained from the Regulator.
- Provide a copy of the Manual to a person who requests it, upon payment of the prescribed fee.
Updating of details and publication
After registration, the details of Information Officers and Deputy Information Officers should be updated on an annual basis or as and when it becomes necessary. The contact details of the Information Officer and Deputy Information Officer/s will be published on the website of the Information Regulator.
The period to comment on the draft guidelines has been extended until 31 August 2020.
To read the Erratum extending the deadline to comment, click here.