Practical guidance in respect of the mandatory appointment of Information Officers

Appointment of Information Officers

Every business and organisation, irrespective of their nature, has in their possession certain information that must be protected in their own interest.

Access to information and the protection of certain types of personal information rights in South Africa are entrenched in the Constitution and are mainly regulated by the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (POPIA).

The main objectives of POPIA are to regulate the lawful processing of personal information and provide data protection in a robust effort to align all South African data protection laws with international standards.

In a previous blog, we discussed The Role of an Information Officer as per the POPI Act.  This blog aims to provide practical guidance on whom to appoint as a business’s Information Officer and Deputy Information Officers, based on the Guidance Note on Information Officers and Deputy Information Officers published by the Information Regulator dated 1 April 2021.

Who needs to appoint an Information Officer?

The Protection of Personal Information Act 4 of 2013 (POPIA) was enacted to give effect to the constitutional right to privacy by safeguarding personal information processed by a responsible party.  POPIA prescribes that it is compulsory for all private and public bodies to register an Information Officer with the Information Regulator.

Neither the Guidance Note nor POPIA makes provision for any exemptions in respect of appointing and registering Information Officers, and therefore it is mandatory for all responsible parties to have a designated Information Officer. In terms of section 55(2) of POPIA, such Information Officer is required to take up his or her duties only after being registered with the Information Regulator.

It is also important to note that the Information Officers referred to in POPIA are the same Information Officers as referred to in the Promotion of Access to Information Act 2 of 2000 (PAIA) and are therefore tasked with performing their duties in terms of both such sets of legislation.

What are the legal requirements when deciding whom to appoint as Information Officer and Deputy Information Officer?

  • In terms of PAIA and POPIA, the Chief Executive Officer (CEO) or Managing Director (MD) of a juristic person such as a Private Company or Close Corporation will automatically be appointed as the Information Officer by virtue of their position, as envisaged in the definition of “information officer” contained in Section 1 of POPIA. The CEO or MD may, however, in writing authorise any other person to take up the position of Information Officer.
  • The CEO or MD authorises a different person as Information Officer by completing and signing a standard form issued by the Information Regulator, i.e. Annexure C to the Guidance Note.
  • If the CEO or MD authorises a different person as the Information Officer of the entity, the CEO or MD will ultimately still retain accountability and responsibility for any power or function delegated to that person.
  • In respect of a multinational entity based outside of the Republic of South Africa, a person within the Republic should be authorised in writing as an Information Officer to ensure accessibility to such entity.
  • Each subsidiary of a group of companies should respectively register an Information Officer with the Information Regulator.
  • The person to be authorised as an Information Officer should be at an executive level or equivalent position within the organisation, i.e. an employee of an entity at management level and above.
  • Section 56 of POPIA provides for the designation of Deputy Information Officers to assist the Information Officer with his or her functions. Whether or not Deputy Information Officers are required will depend on the structure, size and complexity of the business operations of the relevant entity.
  • In terms of Section 56 of POPIA, the relevant Deputy Information Officer will be appointed with the same powers and duties as conferred upon the Information Officer in terms of the Act.
  • It is crucial that the person to be appointed as Deputy Information Officer has an understanding of POPIA and PAIA in order to execute his or her duties. This person should also have a reasonable understanding of the business’ operations and processes.
  • The Information Officer and Deputy Information Officer(s) should receive appropriate training in respect of the latest developments in terms of POPIA and PAIA to empower them to keep the entity compliant with the relevant statutory requirements.

In conclusion

It is clear that the decision as to whom to appoint as Information Officer or whom to delegate as Deputy Information Officer is not to be taken lightly. Since no entity is exempt from registering an Information Officer, we encourage our clients to give the necessary consideration to the points mentioned above when making these decisions, especially in view of the fact that the CEO of the entity shall ultimately remain accountable for any compliance failures.

The Act regards the position of Information Officer and Deputy Information Officer as an important aspect to ensure compliance with legislation. Consequently, the powers, duties and responsibilities conferred by the Act on an Information Officer cannot merely be delegated to a receptionist or junior person within the organisation without any executive authority.

SERR Synergy assists entities to fully comply with procedures as required by the POPI Act by setting up information security management system policies where the physical information and cybersecurity risks of organisations are identified and managed to maintain the confidentiality, integrity and legitimate availability of data.

About the Author: Daniele Louw obtained her LLB degree as well as a Post Graduate Diploma in Financial Planning from the University of the Free State. She also obtained a Certificate in Compliance Management from the University of Cape Town. She is an admitted attorney of the High Court, and after practising at a legal firm for 5 years, she decided to pursue a career in compliance. She joined SERR Synergy in 2021 and currently holds the title of Information Compliance Advisor, where she specialises in POPI and PAIA compliance.
