Has the role of the Information Officer changed?

Prior to the commencement of the Protection of Personal Information Act 4 of 2013 (POPI), the role of the Information Officer was governed by the provisions of the Promotion of Access to Information Act 2 of 2000 (PAIA). Under PAIA, the Information Officer was the individual tasked with ensuring compliance with its provisions. No process is required to be followed by a company for the appointment of an individual as an Information Officer, as the position is automatically assigned to the head of an organisation (be it the chief executive officer or otherwise).

30 Jun 2020 3 min read POPI Bumper Special Alert Article

With the coming into force of POPI, the role of the Information Officer has expanded. Their role within an organisation is now not only governed by the provisions of PAIA, but also POPI.

POPI provides that the Information Officer is responsible for, amongst other things:

  • ensuring that the organisation complies with the conditions of lawful processing of personal information; and
  • working with the Regulator in relation to any investigations conducted in accordance with the relevant provisions of POPI.

These responsibilities are amplified in the regulations published in terms of POPI (Regulations), which provide that an Information Officer is required to, amongst other things, ensure a compliance framework is developed, implemented, monitored and maintained; attend to a personal information impact assessment to ensure that adequate measures and standards exist within the responsible party in order to comply with the various conditions for lawful processing of personal information as contemplated in POPI; and ensure that a manual as contemplated in PAIA is developed, monitored, maintained and made available. The Information Officer is also required to ensure that internal awareness sessions are conducted regarding the provisions of POPI, the Regulations and any codes of conduct or information obtained from the Regulator.

Although the position of the Information Officer is still an automatic appointment, the Information Officer is now required to register with the Regulator prior to taking up their duties as an Information Officer under POPI. From this it appears that although an Information Officer may continue to act in accordance with the provisions of PAIA, they will need to first register with the Regulator before attending to their duties and responsibilities under POPI. It is not clear, at this stage, what this registration process will look like or whether any proof of registration will be provided to the Information Officer as confirmation of their position as such within an organisation.

In addition to an organisation having an Information Officer, it is entitled to appoint as many deputy information officers as may be necessary to perform the duties placed on the Information Officer by the relevant legislation. From these powers of delegation, there appears to be an understanding that the Information Officer may need assistance attending to all the duties required of them under the legislation.

However, as both Acts impose strict requirements on responsible parties to ensure compliance with the provisions thereof, an organisation must carefully consider who will take the position of deputy information officer. Will it be the organisation’s chief information officer, the head of information technology or another individual? Selecting the right individual for this role is important because if a deputy information officer fails to perform the duties delegated to them, it could have adverse implications for not only the responsible party (as defined in POPI) but also the Information Officer.

We are happy to provide assistance with regards to any queries you may have relating to aspects of POPI, the role of the Information Officer and/or deputy information officer, the drafting of a compliance framework, attending to any personal information impact assessment; and providing you and your employees with internal POPI awareness sessions.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.