By now the news of the commencement date (i.e. 1 July 2020) for the Protection of Personal Information Act No. 4 of 2013 (“POPIA” / “Act”) has done the rounds, and most persons who are required to comply with the Act’s provisions are now in the midst of either implementing or updating their compliance frameworks, so that by the time the grace period ends and the Act’s provisions become enforceable on 1 July 2021, they can reasonably show the Information Regulator (POPIA’s supervisory authority) that their processing activities are compliant with POPIA’s conditions.
Arguably, one of the key areas to address in POPIA compliance is the role of the information officer. From an international comparative perspective, the position of the information officer under POPIA is somewhat akin to the role of a data protection officer (“DPO”) under Regulation (EU) 2016/679 (General Data Protection Regulation) (the “GDPR”); however, certain dissimilarities exist. Getting to grips with what the mandatory position entails and who should fill the role for the responsible party (equivalent to a ‘Data Controller’ under the GDPR) is key, and therefore the following practical insight is provided:
1. Who is the information officer?
In terms of South African law, the role of the information officer stems from the South African legislation known as the Promotion of Access to Information Act No. 3 of 2000 (“PAIA”) which, at its core, aims to uphold the right of access to information (section 32) as enshrined in the Constitution of the Republic of South Africa, 1996 (“Constitution”). POPIA, on the other hand, promotes and aims to protect the right to privacy as set out in the Constitution (section 14). These two pieces of legislation are therefore intended to coexist and strike a balance between the right of any person to have access to information (PAIA) and the right of a person to have their own personal information and privacy protected (POPIA).
No matter the turnover, number of employees or type of body (public or private), every organisation is required to appoint and register an information officer. Information officers are appointed automatically in terms of PAIA. What this means is that every public body (e.g. national department, provincial body and municipality) and every private body (e.g. a company, a trust or a close corporation) has an information officer by default and no one is exempt.
POPIA defines (section 1) an information officer as follows:
- in relation to a public body: an information officer or deputy information officer as contemplated in terms of section 1 or 17 of POPIA; or
- in relation to a private body: the head of a private body as contemplated in section 1 of PAIA.
PAIA provides that a “head” of a private body means:
- in the case of a natural person: that natural person or any person duly authorised by that natural person;
- in the case of a partnership: any partner of the partnership or any person duly authorised by the partnership;
- in the case of a juristic person: the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or the person who is acting as such or any person duly authorised by such acting person.
The information officer of a public body is the head of that public body. This means that for a national or provincial government department it is the Director-General or the equivalent official of that department who is the information officer. For a municipality, the municipal manager is the information officer. In the case of any other public body the chief executive officer (CEO) is the information officer. In the case of a private body, the information officer is by default the owner of the business. Therefore, based on the type of private body, the information officer may be the sole trader, a partner in a partnership or the CEO (or equivalent) in a company or close corporation.
2. What are the duties and responsibilities of the information officer?
In general, the role of the information officer is to ensure the responsible party’s compliance with both POPIA and PAIA. Just as any compliance project requires a leader, the information officer plays this leadership role and is tasked, in general, with ensuring that the responsible party (i.e. the body / organisation) meets its processing compliance obligations under both POPIA and PAIA.
In terms of PAIA, an information officer of a responsible party is in essence tasked with:
- encouraging and ensuring compliance with PAIA;
- developing, updating and monitoring a PAIA manual for the body (that is if the organisation is required to have such a manual and does not fall under the current exemptions); and
- assessing, and providing outcomes on, within the applicable time periods, requests received by the organisation under PAIA for access to information held by the organisation.
In terms of section 55 of POPIA, an information officer has the duty and responsibility to:
- encourage compliance by the body with the conditions for the lawful processing of personal information in terms of POPIA;
- deal with requests made to the body in terms of POPIA;
- work with the Information Regulator in relation to investigations conducted in relation to the body; and
- otherwise ensure compliance by the body with the provisions of POPIA.
Regulation 4 of the published Regulations Relating to the Protection of Personal Information (14 December 2018) (“POPIA Regulations”) further sheds light on the duties and responsibilities of an information officer and provides that the information officer is responsible for ensuring that:
- a compliance framework is developed, implemented, monitored and maintained by the responsible party;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- (subject to the aforesaid exemptions) a manual is developed, monitored, maintained and made available as prescribed in terms of POPIA and PAIA;
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- internal awareness sessions are conducted regarding the provisions of POPIA.
3. What are the qualifications, if any, that the information officer is required to have?
Neither POPIA nor PAIA specifically provides for the qualifications that a person should have in order to hold the position of information officer. However, from the duties and responsibilities listed above it is evident that such a person is entrusted with great responsibility to ensure that the body, whether private or public, fulfils its POPIA and PAIA mandate.
4. Must we register our information officer, and with whom?
An information officer is required to be registered with the Information Regulator prior to formally commencing his or her duties in terms of the Act (section 55(2)).
5. What about deputy information officers?
POPIA, in terms of section 56, which must be read together with the provisions of section 17 of PAIA, provides for the delegation of authority through the appointment of deputy information officers to assist the information officer with the performance of his or her responsibilities and duties towards the responsible party and the proper fulfilment of his or her mandate. The number of deputy information officers that can be appointed to assist the information officer is not limited, and such persons are also required to be registered with the Information Regulator prior to taking up their functions.
The deputy information officer of a public body or private body is an employee of that public body or private body to whom the Information Officer has delegated their powers and duties in terms of POPIA, read with the provisions of PAIA. This means that the deputy information officer will receive requests for information, facilitate these requests and provide the necessary assistance to applicants on behalf of the information officer.
The information officer retains direction and control over the deputy information officer(s), meaning that the information officer, as the head of the public or private body who determines the purpose of and the means for processing personal information, remains responsible for the decisions of his or her authorised deputies. This delegation of powers must be done in writing for it to be valid.
6. The publication of Draft Guidelines relating to the registration of information officers
On 17 July 2020 the Information Regulator published Draft Guidelines Relating to the Registration of Information Officers in terms of Chapter 5 of POPIA (“Draft Guidelines”). The Draft Guidelines provide, inter alia, for:
- the obligations and liability of information officers;
- required training;
- who should be registered as an information officer;
- the duties of an information officer (as provided for in terms of s55(1) of POPIA, read together with Regulation 4 of the POPIA Regulations, which sets out the responsibilities of information officers – refer to No. 2 above);
- the designation and delegation of authority to deputy information officers (refer to No. 5 above); and
- the proposed procedure for registration of an information officer with the Information Regulator.
The extended deadline for the public to submit comments on the Draft Guidelines was 4pm on 31 August 2020. The Information Regulator is currently in the process of reviewing and considering the comments received on the Draft Guidelines, and it is anticipated that the final Guidelines in respect of Information Officers (“Final Guidelines”) will be issued by the Information Regulator’s office during the first quarter of 2021, if not sooner, and in any event prior to the effective date of the Act on 1 July 2021.
In terms of the Draft Guidelines the following aspects are noted:
- An information officer may be held personally liable for the failure to adequately perform his or her responsibilities and/or duties in terms of the Act or the POPIA Regulations. The proposed penalty in this regard is a fine and/or imprisonment, with the fine capped at a maximum of R3 000.00 per infringement; however, the proposed term of imprisonment is not stipulated in the Draft Guidelines.
- The responsible party must register its information officer with the Information Regulator, but prior to doing so, the appointment to the role, and of any deputies, must be effected in writing. The Draft Guidelines propose at this stage that a manual hardcopy application form be completed and submitted for registration, and further that the information officer of the responsible party must be registered with the Information Regulator by 31 March 2021. The form for submission has been included in the Draft Guidelines.
Notwithstanding the above, the Information Regulator’s office has, in feedback given to queries raised in ongoing awareness panel presentations, indicated that the Information Regulator plans to develop an electronic portal enabling responsible parties to register their information officers and deputies online. This is in line with the Information Regulator’s Readiness Plan for the Implementation of the Protection of Personal Information Act 4 of 2013 (“Readiness Plan”), which indicates that the proposed date from which persons will be able to access the electronic register of information officers is 3 March 2021.
Unfortunately, apart from making the information officer role mandatory, prescribing proposed timelines, providing for the delegation of authority and setting out the respective duties and responsibilities of the information officer, POPIA, the POPIA Regulations, PAIA and the Draft Guidelines provide little guidance on how to approach the appointment of an information officer in practice, especially where the default position (e.g. the CEO in the case of a private body) is deviated from.
It is therefore anticipated that clarification regarding who is eligible to be an information officer in certain circumstances will be provided once the Information Regulator’s office has finalised its review of the comments received on the Draft Guidelines and the relevant stakeholder participation has been considered. Some lingering concerns in relation to the role include, inter alia: may the role be outsourced? Can the role of the information officer be centralised in the case of a group structure? And in the case of a global group structure, does the information officer have to be positioned locally in South Africa?
These are all pertinent questions which, hopefully, the Information Regulator shall address in the Final Guidelines. In the circumstances, being able to outsource the role, and to centralise it in the case of a group structure, should arguably be allowed, and it is thought that the Information Regulator will take guidance from the interpretation and implementation of the GDPR by supervisory authorities and courts as far as the role of DPOs is concerned. However, recent public engagements with representatives of the Information Regulator’s office have indicated that this might not be so, and this therefore remains to be clarified in the Final Guidelines. An organisation’s own circumstances will need to be considered to determine the best possible setup for the information officer role.