Authors: Zaheer Moosa – Associate & Natasha Jansen – Consultant
The Protection of Personal Information Act 4 of 2013 (POPIA) prescribes compulsory requirements for the registration of Information Officers with the Information Regulator and an obligation on Information Officers of public and private bodies to designate and/or delegate any power or duty to Deputy Information Officers, as necessary to make the body as accessible as reasonably possible.
On 1 April 2021, the Regulator published a Guidance Note on information officers and deputy information officers. The Guidance Note provides guidelines and procedures on, inter alia, the following pertinent aspects:
Liability and duties of Information Officers;
Registration of Information Officers;
Designation and delegation of authority to a Deputy Information Officer;
Training; and
Procedure for registration.
It is important to note that in terms of the Guidance Note, the Information Officers referred to in section 55(1) of POPIA are considered to be the same Information Officers referred to in sections 1 or 14 and 51 of the Promotion of Access to Information Act 2 of 2000 as amended (PAIA). Furthermore, the Information Officers of public and private bodies perform their duties and responsibilities in terms of both PAIA and POPIA.
Liability
Paragraph 4.2 of the Guidance Note provides that an Information Officer may be held criminally liable for various offences in terms of PAIA. The penalties on conviction include a fine, or imprisonment for a stipulated period or, in certain circumstances, both.
Identity of Information Officer
Paragraph 5.1 of the Guidance Note provides that Information Officers are, by virtue of their positions, appointed automatically in terms of PAIA and POPIA. The Guidance Note further prescribes the following categories of Information Officers per specific body:
Paragraph 5.8 of the Guidance Note provides that the authorisation of an Information Officer must be in writing, using the template provided in Annexure C to the Guidance Note, or a substantially similar form. It is important to note that any person authorised as an Information Officer should be at an executive level or equivalent position. This means that only an employee of a private body at a level of management and above should be considered for the role of an Information Officer of that body.
Duties
Section 55(1) of POPIA sets out the duties and responsibilities of an Information Officer. The Guidance Note provides specific examples of how these duties may be fulfilled.
Designation of a Deputy Information Officer
Section 17 of PAIA provides for the designation of a Deputy Information Officer of a public body, and section 56 of POPIA extends this requirement to private bodies.
Paragraph 7.3 of the Guidance Note provides that in order to render a body as accessible as reasonably possible, the Information Officers of public and private bodies may designate one or more Deputy Information Officers as are necessary, depending on the structure and size of such bodies. A designation of a Deputy Information Officer must be in writing and a person designated as a Deputy Information Officer should be afforded sufficient time, adequate resources and the financial means to devote to matters concerning POPIA and PAIA.
The Guidance Note also sets out the characteristics and qualities that an employee should possess in order to be considered eligible for designation as a Deputy Information Officer.
Delegation of Authority
Paragraph 8.1 of the Guidance Note provides that an Information Officer of a public or private body may, subject to legislation and policies governing the employment of personnel of the body concerned, delegate any power or duty conferred or imposed on him or her to a Deputy Information Officer of that body. The delegation of authority must be in writing, using a template substantially similar to the Delegation of Authority in Annexure B of the Guidance Note.
Paragraph 8.10 of the Guidance Note makes it clear that despite the above-mentioned delegation of authority to a Deputy Information Officer, an Information Officer retains the accountability and responsibility for the functions delegated to the Deputy Information Officer.
Training
Paragraph 9.1 of the Guidance Note recommends that an Information Officer and Deputy Information Officer(s) receive appropriate training and keep abreast of the latest developments regarding POPIA and PAIA.
Procedure for Registration
Paragraph 10 of the Guidance Note comprehensively sets out the procedure for the registration of Information Officers and the key information that is required for purposes of registration.
Paragraph 13 of the Guidance Note sets out the contact details of and the channels through which applications for registration of Information Officers and Deputy Information Officers may be submitted to the Regulator.
Contact the Lawtons Africa Data Privacy and POPIA team to assist you in navigating the complexities surrounding the appointment and registration of Information Officers and Deputy Information Officers.
The Lawtons Africa Data Privacy and POPIA team is well placed to take clients through their entire data privacy compliance journey, providing training and awareness, data privacy gap assessments, legal advice around POPIA compliance measures, and drafting privacy-related documents, policies and agreements. Contact us for more information on how we can guide and assist you with effectively incorporating and implementing POPIA into your business.
Lawtons Africa is a South African law firm. With roots that grew out of seeds sown in down-town Johannesburg in 1892, our history features various changes and different names. Our team of lawyers, including directors, consultants, associates and candidate attorneys is highly qualified, market-recognised and skilled. For further information, visit www.lawtonsafrica.com