From 1 July this year, South African companies must be fully compliant with the requirements of the Protection of Personal Information Act (POPIA), the Act that governs when and how organisations collect, use, store, delete and otherwise handle personal information.
As a result, many organisations are starting to feel the mounting pressure of becoming compliant with POPIA. According to Nicole Gabryk and Rakhee Dullabh of law firm ENSAfrica, a good starting point in any POPIA compliance journey is the appointment of an Information Officer for your organisation.
Who is the Information Officer?
POPIA, by default, designates the head of any private body as the Information Officer. Depending on the type of business, the Information Officer will therefore be the sole trader, a partner in a partnership or CEO (or equivalent) in a company or CC. “However, there has been some debate as to whether or not the role of Information Officer can be delegated to another person, either internal or external,” Gabryk and Dullabh point out.
Section 1 of POPIA defines the “information officer” in relation to a private body as “the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act” (PAIA). PAIA, in turn, defines the “head”, in relation to a private body and in the case of a juristic person, to be “the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or the person who is acting as such or any person duly authorised by such acting person”.
“As such, our view is that the relevant legislation allows for the chief executive officer of a juristic person to authorise or appoint some other person to act as the Information Officer for the purposes of POPIA. Clarity on this aspect is awaited and needed from the office of the Information Regulator, well ahead of 1 July 2021, so that organisations can ensure that the correct person is appointed as Information Officer.”
What are the responsibilities and liabilities of the Information Officer?
- encouraging the body’s compliance with the conditions for the lawful processing of personal information;
- dealing with requests made to the body pursuant to POPIA;
- working with the Information Regulator in relation to investigations;
- otherwise ensuring compliance by the body with the provisions of POPIA;
- ensuring that a compliance framework is developed, implemented, monitored and maintained;
- conducting personal information impact assessments to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- developing, monitoring, maintaining and making available the manual as prescribed by PAIA;
- ensuring internal measures are developed together with adequate systems to process requests for information or access; and
- conducting internal POPIA awareness sessions.
“The Information Officer, once appointed, does not have to ensure compliance alone. While the appointee remains ultimately responsible for the fulfilment of the responsibilities, section 56 of POPIA permits Information Officers to delegate their powers and duties to one or more Deputy Information Officers,” Gabryk and Dullabh conclude.
Click here to read the ENSAfrica article that also includes information on what an organisation should do once they have appointed an Information Officer.