The Protection of Personal of Personal Information Act, 2013 (“POPIA”) requires entities to be compliant by 1 July 2021.

One requirement is the appointment of an Information Officer for your organisation.

Who is the Information Officer?

Section 1 of POPIA defines the “information officer” in relation to a private body as “the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act” (PAIA) that, in turn, defines the “head”, concerning a private body and in the case of a juristic person, to be “the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer”. It thus seems that the CEO of a juristic person can delegate that role.

What are the responsibilities and liabilities of the Information Officer?

• encouraging compliance for the lawful processing of personal information and the provisions of POPIA
• dealing with requests made to the private body
• working with the Information Regulator concerning investigations
• Developing and maintain a compliance framework
• conducting personal information impact assessments to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information
• developing, monitoring, maintaining and making available the manual as prescribed by PAIA
• ensuring internal measures are developed together with adequate systems to process requests for information or access; and
• conducting internal POPIA awareness sessions.

The Information Officer may delegate his or her powers and duties to one or more Deputy Information Officers to ensure compliance. POPIA can impose personal liability on the Information Officer, and any delegated Information Officers and the Enforcement Committee can take appropriate action against them.

Next steps once a private body has appointed an Information Officer?

• The Private body must register details of the Information Officer with the Information Regulator following the Information Regulator’s guidelines.
• Organisations should ensure that their PAIA manuals comply with section 51 of PAIA by including the postal and street address, phone and fax number, and, if available, electronic mail address of the head of the body or his delegated Information Officer.