Appointment and duties of an information officer in terms of South Africa’s POPI draft regulations
The office of the South African Information Regulator recently published its first draft regulations in terms of the Protection of Personal Information Act, 2013 (“POPI”), entitled “Regulations relating to the Protection of Personal Information, 2017”. The draft regulations are open for public comment until 7 November 2017.
The draft regulations address various procedural aspects of POPI, which include the manner in which data subjects may object to the processing of their personal information and the manner in which to request a data subject’s consent to the processing of personal information for direct marketing purposes. The draft regulations refer to, and have attached to them, various forms that prescribe how these requests may be obtained.
Regulation 4 of the draft regulations expands on the duties and responsibilities of information officers. Information officers are defined in terms of the Promotion of Access to Information Act, 2000 (“PAIA”) to mean the “head” of the private body, which is, in the case of:
- a natural person: that person or any person duly authorised by that natural person;
- a partnership: any partner or duly authorised person; and
- a juristic person: the chief executive officer, equivalent, acting officer or duly authorised officer.
Information officers must be registered with the Information Regulator. This function may be delegated to other members of the organisation and deputy officers may be appointed to assist with duties. An information officer’s duties, as set out in section 55 of POPI, include:
- encouraging compliance with the conditions for the lawful processing of personal information;
- dealing with requests made to an organisation;
- working with the Information Regulator in relation to investigations conducted; and
- otherwise ensuring compliance by an organisation with the provisions of POPI.
Regulation 4 of the draft regulations expands on these duties to include that information officers must ensure that:
- a compliance framework is developed, implemented and monitored;
- adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- preliminary assessments are conducted;
- a manual for the purpose of PAIA and POPI is developed, which must be available on an organisation’s website and at its offices for public inspection during normal business hours. Copies of the manual must also be made available upon payment of a fee to be determined by the organisation, which may not be more than ZAR3.50 per page. This manual must detail:
  - the purpose of the processing;
  - a description of the categories of data subjects and of the information or categories of information relating thereto;
  - the recipients or categories of recipients to whom the personal information may be supplied;
  - the planned trans-border or cross-border flows of personal information; and
  - a general description allowing preliminary assessment of the suitability of information security measures to be implemented and monitored by the responsible party.
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- awareness sessions are conducted regarding the provisions of POPI, regulations made in terms of POPI, codes of conduct, or information obtained from the Information Regulator.
Based on these developments, it is clear that the role of every organisation’s information officer is not one to be taken lightly. An information officer’s duties are wide and their role is one that every organisation needs to review.
ENSafrica’s privacy law experts have developed innovative, world-class solutions to assist organisations and information officers to meet the stringent requirements imposed by POPI and PAIA. The firm also offers in-depth training to information officers and prospective information officers on all aspects of legislation, including the practical implementation of POPI.
Organisations may also consider appointing ENSafrica’s data privacy experts as their information officer, to ensure that all legislative requirements are met.
For more information on the requirements imposed by POPI and PAIA, information officer training or the appointment of ENSafrica as your organisation’s information officer, please contact us.
This article was reviewed by Ridwaan Boda, director and head of ENSafrica’s technology, media and telecommunications department.