Organisations have less than three months, until 30 June 2021, to ensure compliance with the provisions of the Protection of Personal Information Act (POPIA). With the deadline for compliance looming, the Information Regulator has published the Guidance Note on Information Officers and Deputy Information Officers (Guidance Note).
Many organisations have been eagerly awaiting the publication of the Guidance Note following the Draft Guidelines on the Registration of Information Officers prepared by the Information Regulator for public comment in July last year.
When published, the draft guidelines required information officers to be registered with the Information Regulator by 31 March 2021. This is no longer the case. The Information Regulator has confirmed that the registration of information officers and deputy information officers is expected to commence on 1 May 2021.
The Guidance Note published by the Information Regulator on 1 April 2021 seeks to provide guidance in relation to:
- the appointment and duties of information officers;
- the designation and delegation of duties to deputy information officers; and
- the registration of information officers and deputy information officers with the Information Regulator.
What you need to know:
Who is the information officer?
POPIA requires every responsible party (i.e. a public or private body that determines the purpose of, and means for the processing of, personal information) to appoint and register an information officer with the Information Regulator.
Information officers are, by virtue of their positions, appointed automatically in terms of the Promotion of Access to Information Act (PAIA). The information officers for purposes of POPIA are the same information officers as referred to in PAIA. In this regard, the information officer:
- in relation to a public body means the information officer as contemplated in section 1 of PAIA; and
- in relation to a private body means the head of the private body as contemplated in section 1 of PAIA. The ‘head’ in the case of a juristic person means (i) the chief executive officer or equivalent officer; or (ii) any person duly authorised by that officer; or (iii) the person who is acting as such or any person duly authorised by such acting person.
Accordingly, in respect of private bodies, the chief executive officer or equivalent officer is by default the information officer. The chief executive officer or equivalent officer may, however, authorise any person to act as the information officer. Such authorisation is required to be in writing using a template that is substantially similar to the Authorisation Template annexed to the Guidance Note.
Despite the authorisation of another person, the ‘default’ information officer retains the accountability and responsibility for any power or function that person is authorised to exercise in terms of PAIA and POPIA.
In terms of the Guidance Note, any person authorised as the information officer should be at an executive level or equivalent position. Further, to ensure accessibility of a private body, the information officer of a multinational entity based outside of South Africa should authorise a person within South Africa as an information officer and each subsidiary of a group of companies should appoint and register its information officer with the Information Regulator.
Duties of the information officer
Information officers are required to perform their duties in terms of both PAIA and POPIA. However, POPIA provides that information officers may only take up their duties under POPIA after they have been registered with the Information Regulator.
Once registered, section 55 of POPIA prescribes certain duties that an information officer is required to comply with. These duties include, among other things, encouraging and ensuring that the responsible party complies with the provisions of POPIA, dealing with requests made under POPIA, and assisting the Information Regulator with any investigations conducted in respect of the organisation.
In addition to the duties set out in POPIA above, Regulation 4 of the POPIA Regulations prescribes additional duties to be performed by information officers, which include ensuring that:
- a compliance framework is developed, implemented, monitored and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- a manual is developed, maintained and made available as prescribed in terms of PAIA;
- internal measures are developed together with adequate systems to process requests for information; and
- internal awareness sessions are conducted regarding the provisions of POPIA, the Regulations, codes of conduct or any other information obtained from the Information Regulator.
In terms of PAIA, information officers of a public body are required to submit a report annually to the Information Regulator setting out, amongst other things, the number of requests for access received, the number of requests for access granted or refused, and the number of internal appeals lodged as a result of a request for access being refused.
In respect of private bodies, the Information Regulator may annually request a private body to furnish it with information about requests received for access to records.
Designation of a deputy information officer
Given the extensive nature of the duties imposed on an information officer, section 17 of PAIA provides for the designation of deputy information officers of a public body, and section 56 of POPIA extends the designation of deputy information officers to private bodies. It appears from the legislation and Guidance Note that only employees of a body can be designated as deputy information officers.
Depending on the structure and size of an organisation, the Guidance Note provides that the information officer must designate one or more deputy information officers as may be necessary to allow for the organisation to be as accessible as reasonably possible.
The information officer may also delegate any power or duty imposed on her/him to a deputy information officer. Such designation and delegation must be in writing using a template that is substantially similar to the Designation and Delegation of Authority Template annexed to the Guidance Note.
Where an organisation seeks to designate one or more deputy information officers having regard to its size, structure or the complexity of its operations, the Guidance Note provides the following assistance to organisations to identify the appropriate individuals for the role:
- any deputy information officer should report to the highest management office within the organisation. This means that only an employee at a level of management and above should ideally be considered for designation as a deputy information officer;
- the deputy information officer should be accessible, have a reasonable understanding of the organisation’s operations and processes, and should have a good understanding of POPIA and PAIA in order to perform her/his duties;
- the deputy information officer should be provided with sufficient time and adequate resources to devote to matters concerning POPIA and PAIA; and
- to ensure a level of accountability, organisations may want to consider including the deputy information officer’s duties and responsibilities as part of her/his job description.
Despite the designation of, and delegation to, a deputy information officer, an information officer retains the accountability and responsibility for the duties and responsibilities in terms of PAIA and POPIA.
The registration process
The Guidance Note provides that an information officer must either:
- complete and submit an online registration form; or
- complete the registration form attached to the Guidance Note manually and submit it to the Information Regulator’s offices (either by delivering the form to its physical address, or by emailing it to: [email protected]).
The Information Regulator recently announced that it is in the process of developing an online portal to be used by organisations to register their information officers online, which portal is expected to be live by the end of April.
Accordingly, the Information Regulator has indicated that the registration process is anticipated to commence from 1 May 2021. In order to speed up the registration process, the Information Regulator has encouraged organisations to submit their applications for registration through the online portal.
Where organisations have already completed and submitted their applications for registration using the form attached to the Draft Guidelines, the Information Regulator has urged these organisations to reapply using the online portal.
Conclusion
With less than one month until 1 May 2021, it is important for organisations to take steps now to identify and appoint their information officers and deputy information officers, if any, with a view to registering the information officers and deputy information officers with the Information Regulator as soon as the registration process commences.
Employers may find the Bowmans POPIA Toolkit for Employers of great assistance in getting POPIA-ready.