On 14 December 2018 the Regulations Relating to the Protection of Personal Information 2018 (POPI Regulations) were published by the Information Regulator. The POPI Regulations, although final, will only take effect on a date that will align with the commencement date of the Protection of Personal Information Act 4 of 2013 (“POPI”).
Amongst other things, the POPI Regulations shed further light on the duties and responsibilities of an Information Officer. POPI defines an Information Officer as follows:
- in relation to a public body: an Information Officer or Deputy Information Officer as contemplated in terms of section 1 or 17 of POPI; or
- in relation to a private body: the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act 2 of 2000 (PAIA).
PAIA provides that a “head” of a private body means:
- in the case of a natural person: that natural person or any person duly authorised by that natural person;
- in the case of a partnership: any partner of the partnership or any person duly authorised by the partnership;
- in the case of a juristic person: the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or the person who is acting as such or any person duly authorised by such acting person.
Information Officers are appointed automatically in terms of PAIA. What this means is that every public body (e.g. national department, provincial body, municipality, etc.) and every private body (e.g. a company, a trust, a close corporation, etc.) has an Information Officer by default and no one is exempt.
The Information Officer of a public body is the head of that public body. This means that for a national or provincial government department it is the Director-General or the equivalent official of that department who is the Information Officer. For a municipality the municipal manager is the Information Officer. In the case of any other public body the Chief Executive Officer (CEO) is the Information Officer. In the case of a private body, the Information Officer is by default the owner of the business. Therefore, based on the type of private body, the Information Officer will be the sole trader, a partner in a partnership or the CEO (or equivalent) in a company or close corporation.
Information Officers are also required to appoint (in writing) Deputy Information Officers to assist them in the performance of their responsibilities and duties and to ensure that requests for information made to the body are dealt with in an effective and efficient manner. There is no limitation on the number of Deputy Information Officers that an Information Officer may appoint.
The Deputy Information Officer of a public body or private body is an employee of that public body or private body to whom the Information Officer has delegated their powers and duties in terms of POPI, read with the provisions of PAIA. This means that the Deputy Information Officer will receive requests for information, facilitate these requests and provide the necessary assistance to applicants on behalf of the Information Officer.
The Information Officer still maintains direction and control over the Deputy Information Officer(s), meaning that the Information Officer, as the head of the public or private body who determines the purpose of and the means for processing personal information, remains responsible for the decisions of his or her authorised deputies. This delegation of powers must be done in writing for it to be valid.
In terms of section 55 of POPI, an Information Officer has the duty and responsibility to:
- encourage compliance by the body with the conditions for the lawful processing of personal information in terms of POPI;
- deal with requests made to the body in terms of POPI;
- work with the Regulator in relation to investigations conducted in relation to the body; and
- otherwise ensure compliance by the body with the provisions of POPI.
The POPI Regulations (Regulation 4) have now amplified the provisions of section 55 of POPI and provide that an Information Officer of a body is responsible for ensuring that:
- a compliance framework is developed, implemented, monitored and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- a manual is developed, monitored, maintained and made available as prescribed in terms of POPI and PAIA (made available on the body’s website as well as at its offices for public viewing during normal business hours). These manuals must also be made available for copying, on payment of a fee which does not exceed R3.50 per page. The manual must specify:
  - the purpose of the processing of personal information;
  - a description of the categories of data subjects and of the information or categories of information relating thereto;
  - the recipients or categories of recipients to whom the personal information may be supplied;
  - the planned trans-border or cross-border flows of personal information; and
  - a general description allowing preliminary assessment of the suitability of information security measures to be implemented and monitored by the responsible party;
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- internal awareness sessions are conducted regarding the provisions of POPI.
Neither POPI nor PAIA specifically provides for the qualifications that a person should have in order to hold the position of Information Officer. However, from the duties and responsibilities listed above, it is evident that such a person is bestowed with great responsibility and duty to ensure that the body, whether private or public, fulfils its POPI mandate.
VDT Attorneys has the necessary expertise to ensure that your business is fully POPI compliant. We offer innovative POPI solutions to fit your business’s essential POPI compliance needs, which in turn can be customised to equip your business with the finer important details. For further information on complying with the provisions of data protection legislation such as POPI and PAIA, please contact us.
Disclaimer: Nothing in this article should be construed as formal legal advice from VDT Attorneys Inc. or any attorney of the firm. Readers of this article are advised to consult professional legal advisors for guidance on legislation which may affect them or their businesses.
Your legal experts:
PR de Wet 012 – 452 1413 or firstname.lastname@example.org
Hayley Levey 012 – 452 1317 or email@example.com
Copyright © VDT Attorneys, 12 February 2019