By Jessie Taylor
Information Officers – a vital cog in the wheel of protecting personal information.
With only three months left to fully comply with the Protection of Personal Information (POPI) Act, many companies need to ensure they register their Information Officers this month. This position is key to managing the requirements of the new regulations and South African companies should not neglect this critical area. Registrations for Information Officers will close on 31 March 2021.
Protecting information
The POPI Act came into effect on 1 July 2020, with South African businesses given a year to comply. The POPI Act aims to protect personal information processed by both public and private bodies. The Act introduces certain minimum requirements for companies in the processing of personal information and establishes rights for individuals around unsolicited electronic communications and automated decision making. The Act also provides for the establishment of the Information Regulator.
Simply put, the privacy law ensures that companies will no longer be allowed to keep your personal information on their databases indefinitely. But along with the necessary systems companies need to implement under POPI, is the appointment of an Information Officer – a vital role in complying with the legislation. Under POPI, the Information Officer is automatically the head of the organisation. The Information Officer’s role is governed by both POPI and PAIA and will require balancing the public’s right to access information with the right of a person to have their personal information protected.
Every organisation is required to have an Information Officer, regardless of size or whether it is a public or private body. The responsibility of the Information Officer is to encourage compliance with POPI and working with the Information Regulator where necessary, such as in the event of any investigation. The Information officer will also need to deal with any requests made to the company regarding POPI, such as requests to update information. Information officers will be essential in developing and enforcing information processing procedures, as well as implementing data protection and security policies. The Information Officer will also need to handle any complaints and prepare reports required by the Information Regulator.
The responsibility of Information Officers includes ensuring that a personal information impact assessment is done to ensure that adequate measures and standards exist to comply with POPI. The Information Officer will also need to ensure internal awareness sessions are carried out within the company.
What does this mean for your business?
Before an Information Officer can take up the role, their company will need to register them with the Information Regulator. The deadline for this registration, based on a draft guideline published by the Regulator, is 31 March 2021. Some people, by default of their positions, will automatically be in the role of Information Officer. For public bodies, this could be the CEO, Director-General or municipal manager. For private bodies, the owner of the business is the Information Officer – this includes sole proprietor, a partner, or the CEO or Managing Director (or equivalent) of a company.
While the head of a business is automatically the Information Officer, he or she will still need to register with the Information Regulator. Candidates will need to complete an “Information Officer’s Registration Form” and submit this to the Information Regulator. After registration, the details of Information Officers and Deputy Information Officers will need to be updated with the Information Regulator, either on an annual basis or when they have changed.
The Information Officer can appoint as many delegates, or Deputy Information Officers, as necessary. However, the Information Officer carries the ultimate responsibility for compliance with POPI and processing of personal information. Should the Information Officer appoint Deputy Information Officers, this will need to be done in writing and they will need to be registered with the Information Regulator before they take up their roles. The contact details of the Information Officer and Deputy Information Officer/s will be published on the website of the Information Regulator.
What is the Information Regulator?
The Information Regulator (South Africa) is an independent body established under the Protection of Personal Information (POPI) Act, which is subject only to the law and the constitution. It is accountable to the National Assembly. The Information regulator is, among others, empowered to monitor and enforce compliance by public and private bodies with the Promotion of Access to Information Act (PAIA) and the POPI Act. The Information Regulator is also responsible for issuing codes of conduct for different sectors and making guidelines to assist bodies with the development and application of codes of conduct.