The Importance of the Guidance Note
The Information Regulator confirmed in the Guidance Note that the registration of IOs and DIOs is expected to commence on 1 May 2021. In a separate media statement released alongside the Guidance Note on 1 April 2021, the Information Regulator further confirmed that such registration would be able to take place via an online portal specifically developed for the purpose of registering IOs and DIOs.
Who is an IO?
In terms of the Promotion of Access to Information Act 2 of 2000 (PAIA), the IOs of public bodies and the heads of private bodies hold their roles automatically by virtue of their positions. The advent of POPIA has, however, expanded the role of an IO: the role of an IO within an organisation is now governed not only by the provisions of PAIA, but also by POPIA.
The IO of a public body is the IO or DIO as contemplated in section 1 of PAIA, and this position cannot be passed to another person. In a private body, on the other hand, the role is automatically assigned to the “head” of the private body, which in terms of PAIA means:
- in the case of a natural person, that natural person or any person duly authorised by that natural person;
- in the case of a partnership, any partner of the partnership or any person duly authorised by the partnership; and
- in the case of a juristic person, the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer or the person who is acting as such or any person duly authorised by such acting person.
Accordingly, in respect of private bodies, the CEO or equivalent officer is by default the IO, and this role may be delegated. The Guidance Note confirms that, for purposes of POPIA, the CEO or managing director of a private body may authorise an employee within the body to act as the IO. Such authorisation must be in writing and in a form substantially similar to Annexure “C” to the Guidance Note. It is important to note that, despite authorising another person, the ‘default’ IO retains accountability and responsibility for any power or function so authorised in terms of PAIA and POPIA.
The Guidance Note states unequivocally in paragraph 5.9 that only an employee of a private body at a level of management and above (i.e. executive level) should be considered for authorisation as the IO of that body. In addition, each subsidiary in a group of companies should appoint and register its own IO, and a further obligation is placed on a multinational entity based outside South Africa, which must authorise a person located within South Africa as its IO.
Duties of the IO
Regulation 4 of the Regulations relating to POPIA, which sets out the responsibilities of IOs, comes into effect on 1 May 2021. Regulation 4 states that an IO must, in addition to the duties and responsibilities referred to in section 55(1) of POPIA, ensure that:
- a compliance framework is developed, implemented, monitored, and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with processing conditions stipulated under POPIA;
- a PAIA manual is developed, and copies of such manual are made available to a person upon request and payment of a prescribed fee;
- data subject access measures are developed together with adequate systems to process requests for information or access; and
- internal staff awareness training is conducted on the provisions of POPIA, the POPIA Regulations, Codes of Conduct, if applicable, and information obtained from the Information Regulator.
IOs of public bodies are also required to submit an annual report to the Information Regulator setting out, for example, the number of requests for access received, the number of requests for access granted or refused, and the number of internal appeals lodged as a result of requests for access being refused.
Designation and delegation of DIOs
Section 17 of PAIA provides for the designation and delegation of DIOs in a public body, while section 56 of POPIA extends the designation and delegation of DIOs to private bodies.
The Information Regulator has stressed the use of DIOs in organisations with large and complex structures, so that the extensive obligations placed on an IO are managed and complied with. The Guidance Note provides that an IO may designate one or more DIOs, in writing, as may be necessary to make the organisation as accessible as reasonably possible.
Paragraph 7 of the Guidance Note gives direction on the designation of DIOs and recommends that a DIO should “report to the highest management office” within the organisation and should be an employee at a level of management and above (paragraph 7.9). A DIO is also required to be accessible, including to data subjects, to have a reasonable understanding of the organisation’s operations and processes, and to have a good understanding of POPIA and PAIA in order to perform his or her duties (paragraph 7.11).
Paragraph 8 of the Guidance Note further allows an IO to delegate to a DIO any of the powers or duties conferred or imposed on him or her. Such a delegation must be in writing and in a form substantially similar to Annexure “B” to the Guidance Note. It is important to note, however, that despite the designation of, or delegation to, a DIO, the IO retains accountability and responsibility for the duties and responsibilities in terms of PAIA and POPIA, and the IO is entitled to withdraw or amend the delegation at any time.
The registration process of the IO
Registration of an IO with the Information Regulator is compulsory for all responsible parties and is a prerequisite to an IO commencing his or her duties and responsibilities in terms of POPIA. The IO of a responsible party must complete Annexure “A” to the Guidance Note and submit it to the Information Regulator. The registration form is divided into several parts and also provides for information relating to a DIO, where applicable. The IO may submit the registration form either manually or electronically via the online registration portal. The Information Regulator has encouraged use of the online portal as a means of streamlining and speeding up the registration process; the portal is expected to go live by the end of April. Alternatively, the registration form attached to the Guidance Note may be completed manually and submitted to the Information Regulator’s offices, either by delivering the form to its physical address or by emailing it to registration.IR@justice.gov.za.