The Office of the Information Regulator will oversee the administration of POPIA across South Africa.
However, the oversight of POPIA compliance for individual entities or businesses will be the role of that entity’s Information Officer.
The appointment of an Information Officer is a requirement for all organisations and businesses that collect or process personal data in terms of POPIA.
POPIA automatically designates an Information Officer and every business, irrespective of its size, has one. Accordingly, it does not matter whether the entity is a sole proprietorship, private company, trust or public body. By operation of law, the Information Officer is ordinarily the head of the entity. However, an Information Officer can also be specifically authorised. For example, a company’s CEO is automatically the information officer, but this can be delegated to another member of staff or management.
It is important to bear in mind that the person authorising any person as the Information Officer of an entity, continues to be responsible and accountable for any power or the functions authorised to that person.
Information Officers must be registered with the Information Regulator by the responsible party by 1 July 2021. The information regulator has developed an electronic portal to enable an entity to register their Information Officer and to provide access to the register of Information Officers.
Information Officers have several responsibilities, which include:
- Being responsible for ensuring compliance with POPIA,
- Designing, developing, implementing and overseeing a compliance framework,
- Educating the company and its staff about POPIA compliance,
- Training staff involved in data processing,
- Conducting regular security assessments,
- Dealing with requests in terms of POPIA,
- Working with the information regulator in terms of investigations.
So, who should be appointed as Information Officer? The regulator has published a final guidance note in this regard:
- Any person authorised as an Information Officer should be at an executive level or equivalent position.
- This means that only an employee at the level of management and above should be considered for authorisation as an Information Officer.
Information Officers of companies may designate one or more Deputy Information Officers as may be necessary in terms of the structure and size of such entities. The idea is to make the entity accessible to data subjects.
Only an employee of the business can be appointed as a Deputy Information Officer.
It is recommended that an Information Officer and Deputy Information Officer(s) receive training in order to become knowledgeable about POPIA and to keep up to date with the latest developments.
The Office of the Information Regulator is not empowered to provide any training, or to provide legal advice in respect of POPIA.
Shepstone & Wylie has a POPIA department that will be able to provide this service to clients.