South Africa: The role and responsibilities of the information officer under POPIA
By now the news of the commencement date (i.e. 1 July 2020) for the Protection of Personal Information Act No. 4 of 2013 (‘POPIA’) has done the rounds and most persons who are required to comply with POPIA’s provisions are now in the midst of either implementing or updating their compliance frameworks to ensure that by the time the grace period ends and POPIA’s provisions become enforceable, on 1 July 2021, they can reasonably show the Information Regulator (POPIA’s supervisory authority) that their processing activities are compliant with POPIA’s conditions. Arguably, one of the key areas to address in POPIA compliance is the role of the information officer. PR de Wet and Hayley Levey, Director and Associate respectively at VDT Attorneys, outline the key compliance considerations with respect to the appointment and role of the information officer under POPIA.
Who is the information officer?
In terms of South African law, the role of the information officer stems from the Promotion of Access to Information Act No. 3 of 2000 (‘PAIA’) which, at its core, aims to uphold the right of access to information (Section 32) as enshrined in the Constitution of the Republic of South Africa, 1996 (‘the Constitution’). POPIA, on the other hand, promotes and aims to protect the right to privacy as set out in the Constitution (Section 14). Read together, these two pieces of legislation aim to strike a balance between the right of any person to have access to information (PAIA) and the right of a person to have their own personal information and privacy protected (POPIA).
No matter the turnover, number of employees, or type of body (public or private), every organisation is required to appoint and register an information officer. Information officers are appointed automatically in terms of PAIA. What this means is that every public body (e.g. national department, provincial body, and municipality) and every private body (e.g. a company, a trust, or a close corporation) has an information officer by default and no one is exempt.
POPIA defines an information officer as follows (Section 1 of POPIA):
- in relation to a public body: an information officer or deputy information officer as contemplated in terms of Section 1 or 17 of POPIA; or
- in relation to a private body: the head of a private body as contemplated in Section 1 of PAIA.
PAIA provides that a ‘head’ of a private body means:
- in the case of a natural person: that natural person or any person duly authorised by that natural person;
- in the case of a partnership: any partner of the partnership or any person duly authorised by the partnership; or
- in the case of a juristic person: the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or the person who is acting as such or any person duly authorised by such acting person.
The information officer of a public body is the head of that public body. This means that for a national or provincial government department it is the Director-General or the equivalent official of that department who is the information officer. For a municipality, the municipal manager is the information officer. In the case of any other public body, the CEO is the information officer. In the case of a private body, the information officer is by default the owner of the business. Therefore, based on the type of private body, the information officer may be the sole trader, a partner in a partnership, or the CEO (or equivalent) in a company or close corporation.
The duties and responsibilities of the information officer
In general, the role of the information officer is to ensure the responsible party’s compliance with both POPIA and PAIA. As with any compliance project, a leader is required; in this instance the information officer plays that leadership role and is tasked, in general, with ensuring that the responsible party (i.e. the body or organisation) meets its processing compliance obligations under both POPIA and PAIA.
In terms of PAIA, an information officer of a responsible party is in essence tasked with:
- encouraging and ensuring compliance with PAIA;
- developing, updating and monitoring a PAIA manual for the body (that is, if the organisation is required to have such a manual and does not fall under the current exemptions [1]); and
- assessing, and providing an outcome on, requests made to the organisation under PAIA for access to information held by the organisation, within the applicable time periods.
In terms of Section 55 of POPIA, an information officer has the duty and responsibility to:
- encourage compliance by the body with the conditions for the lawful processing of personal information in terms of POPIA;
- deal with requests made to the body in terms of POPIA;
- work with the Information Regulator in relation to investigations conducted in relation to the body; and
- otherwise ensure compliance by the body with the provisions of POPIA.
Regulation 4 of the published Regulations Relating to the Protection of Personal Information (14 December 2018) (‘the POPIA Regulations’) further sheds light on what the duties and responsibilities of an information officer are and provides that the information officer is responsible for ensuring that:
- a compliance framework is developed, implemented, monitored, and maintained by the responsible party;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- (subject to the aforementioned exemptions) a manual is developed, monitored, maintained, and made available as prescribed in terms of POPIA and PAIA;
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- internal awareness sessions are conducted regarding the provisions of POPIA.
What are the qualifications, if any, that the information officer is required to have?
Neither POPIA nor PAIA specifically provides for the qualifications that a person should have to hold the position of information officer. However, from the duties and responsibilities listed above it is evident that such a person is entrusted with considerable responsibility to ensure that the body, whether private or public, fulfils its POPIA and PAIA mandate.
Must we register our information officer, and with whom?
An information officer is required to be registered with the Information Regulator before the person formally commences his or her duties in terms of POPIA (Section 55(2)).
What about deputy information officers?
POPIA, in terms of its Section 56 read together with the provisions of Section 17 of PAIA, provides for the delegation of authority through the appointment of deputy information officers to assist the information officer with the performance of his or her responsibilities and duties towards the responsible party, and with the proper fulfilment of his or her mandate. The number of deputy information officers that can be appointed to assist the information officer is not limited, and such persons are also required to be registered with the Information Regulator prior to taking up their functions.
The deputy information officer of a public body or private body is an employee of that public body or private body to whom the information officer has delegated their powers and duties in terms of POPIA, read with the provisions of PAIA. This means that the deputy information officer will receive requests for information, facilitate these requests, and provide the necessary assistance to applicants on behalf of the information officer.
The information officer still maintains direction and control over the deputy information officer(s). This means that the information officer, as the head of the public or private body that determines the purpose of and the means for processing personal information, remains responsible for the decisions of his or her authorised deputies. This delegation of powers must be done in writing for it to be valid.
The Draft Guidelines relating to the Registration of Information Officers
On 17 July 2020 the Information Regulator published Draft Guidelines relating to the Registration of Information Officers in terms of Chapter 5 of POPIA [2] (‘the Draft Guidelines’). The Draft Guidelines provide, inter alia, for:
- the obligations and liability of information officers;
- required training;
- who should be registered as an information officer;
- duties of an information officer (as provided for in terms of Section 55(1) of POPIA read together with Regulation 4 of the POPIA Regulations providing for the responsibilities of information officers);
- the designation and delegation of authority to deputy information officers; and
- the proposed procedure for registration of an information officer with the Information Regulator.
The extended deadline for the public to submit comments on the Draft Guidelines was 4pm on 31 August 2020. The Information Regulator is currently in the process of reviewing and considering the comments received on the Draft Guidelines, and it is anticipated that the final guidelines in respect of information officers (‘the Final Guidelines’) will be issued by the Information Regulator’s office during the first quarter of 2021, if not sooner, and in any event prior to the effective date of POPIA on 1 July 2021.
In terms of the Draft Guidelines the following aspects are noted:
- An Information Officer may be held personally liable for the failure to adequately perform his or her responsibilities and/or duties in terms of POPIA or the POPIA Regulations. The proposed penalty levied in this regard is a fine and/or imprisonment, with the fine capped at a maximum of ZAR 3,000 (approx. €160) per infringement; however, the proposed imprisonment time is not stipulated in the Draft Guidelines.
- The responsible party must register its information officer with the Information Regulator, but prior to doing so the appointment to the role, and of any deputies, must be effected in writing. The Draft Guidelines propose at this stage that a manual hardcopy application form be completed and submitted for registration, and further that the information officer of the responsible party must be registered with the Information Regulator by 31 March 2021. The form for submission has been included in the Draft Guidelines.
Notwithstanding the above, the Information Regulator’s office has, in feedback given to queries raised during ongoing awareness panel presentations, indicated that the Information Regulator plans to develop an electronic portal enabling responsible parties to register their information officers and deputies online. This is in line with the Information Regulator’s Readiness Plan for the Implementation of the Protection of Personal Information Act 4 of 2013 (‘the Readiness Plan’), which indicates that the proposed date from which persons will be able to access the electronic register of information officers is 3 March 2021.
Unfortunately, apart from making the information officer role mandatory, prescribing proposed timelines, providing for the delegation of authority, and setting out the respective duties and responsibilities of the information officer, POPIA, the POPIA Regulations, PAIA and the Draft Guidelines provide little guidance on how to approach the appointment of an information officer in practice, especially where the default position (e.g. the CEO in the case of a private body) is deviated from.
It is therefore anticipated that clarification regarding who is eligible to be an information officer in certain circumstances will be provided once the Information Regulator’s office has finalised their review of the comments received to the Draft Guidelines and the relevant stakeholder participation has been considered. Some lingering concerns in relation to the role include, inter alia:
- whether the role may be outsourced;
- whether the role of the information officer can be centralised in the case of a group structure; and
- whether, in the case of a global group structure, the information officer has to be positioned locally in South Africa.
These are all pertinent questions which, it is hoped, the Information Regulator will address in the Final Guidelines. Outsourcing the role, and centralising it in the case of a group structure, should arguably be allowed, and it is thought that the Information Regulator will take guidance from the interpretation and implementation of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) by supervisory authorities and courts, as far as the role of data protection officers is concerned. However, recent public engagements with representatives of the Information Regulator’s office have indicated that this might not be the case and, therefore, the position remains to be clarified in the Final Guidelines. An organisation’s own circumstances will need to be considered to determine the best possible setup for the information officer role.
1. See: https://www.sahrc.org.za/index.php/understanding-paia
2. Available at: https://www.justice.gov.za/inforeg/docs/InfoRegSA-Guidelines-InfoOfficers-Invite-20200717.pdf