With the coming into force of POPI, the role of the Information Officer has expanded. Their role within an organisation is now governed not only by the provisions of PAIA, but also by those of POPI.
POPI provides that the Information Officer is responsible for, amongst other things:
- ensuring that the organisation complies with the conditions of lawful processing of personal information; and
- working with the Regulator in relation to any investigations conducted in accordance with the relevant provisions of POPI.
These responsibilities are amplified in the regulations published in terms of POPI (Regulations), which provide that an Information Officer is required to, amongst other things:
- ensure a compliance framework is developed, implemented, monitored and maintained;
- attend to a personal information impact assessment to ensure that adequate measures and standards exist within the responsible party in order to comply with the various conditions for lawful processing of personal information as contemplated in POPI; and
- ensure that a manual as contemplated in PAIA is developed, monitored, maintained and made available.
The Information Officer is also required to ensure that internal awareness sessions are conducted regarding the provisions of POPI, the Regulations and any codes of conduct or information obtained from the Regulator.
Although the position of the Information Officer is still an automatic appointment, the Information Officer is now required to register with the Regulator prior to taking up their duties as an Information Officer under POPI. From this it appears that although an Information Officer may continue to act in accordance with the provisions of PAIA, they will need to first register with the Regulator before attending to their duties and responsibilities under POPI. It is not clear, at this stage, what this registration process will look like or whether any proof of registration will be provided to the Information Officer as confirmation of their position as such within an organisation.
In addition to an organisation having an Information Officer, it is entitled to appoint as many deputy information officers as may be necessary to perform the duties placed on the Information Officer by the relevant legislation. From these powers of delegation, there appears to be an understanding that the Information Officer may need assistance attending to all the duties required of them under the legislation.
However, as both Acts impose strict requirements on responsible parties to ensure compliance with the provisions thereof, an organisation must carefully consider who will take the position of deputy information officer. Will it be the organisation’s chief information officer, the head of information technology or another individual? Selecting the right individual for this role is important because if a deputy information officer fails to perform the duties delegated to them, it could have adverse implications not only for the responsible party (as defined in POPI) but also for the Information Officer.
We are happy to provide assistance with regard to any queries you may have relating to aspects of POPI, the role of the Information Officer and/or deputy information officer, the drafting of a compliance framework, attending to any personal information impact assessment, and providing you and your employees with internal POPI awareness sessions.