POPIA: Information Regulator invites comment on the Draft Guidelines relating to the registration of Information Officers

​Now that the Protection of Personal Information Act, 2013 (POPIA) has commenced, the Information Regulator may be issuing various notices and other guideline documents to give meaning to POPIA, and to assist the Information Regulator in monitoring and enforcing compliance with POPIA.

To date, the role of the Information Officer has been somewhat elusive. The Information Regulator has published (for comment) draft Guidelines on the Registration of Information Officers (the Guidelines).

Purpose of the Guidelines

The Guidelines' stated purpose is to provide guidance and establish procedures for the registration of Information Officers with the Information Regulator, the designation of Deputy Information Officers and the delegation of duties of the Information Officer to Deputy Information Officers.

Who should be appointed as the Information Officer?

POPIA provides for the automatic designation of the head of a private body as the Information Officer, and so depending on the type of organisation, the Information Officer will, according to the Guidelines be (i) a partner in a partnership or any person authorised by the partnership; (ii) the Chief Executive Officer or the Managing Director or equivalent officer of the juristic person or a person duly authorised by that officer or any person acting as such or any person authorised by such acting person; or (iii) the sole proprietor.

In relation to a public body or an organ of state, the Information Officer would be (i) the Director-General or the person acting as such, in relation to a National Department; (ii) the Head of Department or the person acting as such, in relation to a Provincial Administration; (iii) the Municipal Manager, in relation to a Municipality; and (iv) the Chief Executive Officer or the person acting as such, in relation to various other public institutions.

What are the duties of an Information Officer?

An Information Officer is tasked with various duties and responsibilities, such as, for example, encouraging compliance by the body with the conditions for lawful processing of personal information.  Until now, it was not understood how Information Officers were required to ensure such compliance. The Guidelines contains various practical examples to assist Information Officers with carrying out such responsibilities. 

In relation to the Information Officer's responsibility to encourage compliance by the body with the conditions for lawful processing of personal information, the Guidelines state that an Information Officer could, for example, develop a policy on how employees should implement the eight conditions for the lawful processing of personal information, or (supposedly for an Information Officer of a public body) the Information Officer could consider issuing a circular in the case of provincial and national departments.

Can an Information Officer delegate his or her powers?

POPIA makes provision for the designation and delegation of any power or duty conferred on an Information Officer to as many Deputy Information Officers as is necessary to perform the duties and responsibilities of an Information Officer.  The Guidelines state the Information Officer should develop a framework for the delegation of authority.  Furthermore, such delegation and designation must be in writing. A person designated as a Deputy Information Officer must be an employee at the level of management or above and must be afforded sufficient time, resources and financial means to perform their functions.  The Information Officer can make the delegation subject to reasonable conditions, and the Information Officer can withdraw the delegation at any time.  The Information Officer retains accountability and responsibility for the delegated functions, much like a director of a company would retain his responsibility when delegating functions to a board committee.

Does the Information Officer and the Deputy Information Officer​ require training for his / her role?

The Guidelines require that the Deputy Information Officer must have a reasonable understanding of POPIA and PAIA, and a reasonable understanding of the business operations and processes of the organisation.  In this regard, the Guidelines recommend that the Information Officer and Deputy Information Officer receive training and stay abreast of POPIA and PAIA developments.

Will the Information Officer and the Deputy Information Officer​​ be required to be registered with the Information Regulator?

The Guidelines propose that all Information Officers must complete and submit a registration form to the Information Regulator on or before 31 March 2021. The form must include the details of the Information Officer as well as the details of all Deputy Information Officers. The Information Regulator will make the contact details of all Information Officers and Deputy Information Officers available on its website.

Written comments on the Guidelines are due on 31 August 2020.

Contact  us for assistance in this regard.