The Information Regulator (IR) has recently issued its Guidance Note on Information Officers and Deputy Information Officers. This is an important step in clarifying the position of Information Officers (IOs) and Deputy Information Officers (DIOs) within organisations.
The IO of an organisation is the person who is responsible for its data privacy compliance. The Guidance Note has a useful table setting out exactly who the IR will regard as the IO for various bodies.
This article is only focusing on private bodies.
Nature of the Body | Type of Private Body | Identity of Information Officer
---|---|---
Private Body | Natural Person | A natural person who carries on any trade, business or profession, but only in such capacity, or any person duly authorised by that natural person.
Private Body | Partnership | Any partner of the partnership or any person duly authorised by the partnership.
Private Body | Juristic Person | The Chief Executive Officer or the Managing Director or equivalent officer of the juristic person, or any person duly authorised by that officer, or any person who is acting as such, or any person duly authorised by such acting person.
The net result of the above is that the IO is, by default, the head of an organisation, unless an IO is appointed in terms of the above-mentioned Guidance Note. Even when appointed, however, they may only take up this appointment once registered with the IR.
Some risk can be transferred to this appointed IO, as they are required to be senior within the organisation. The person ultimately responsible for POPIA and PAIA compliance will, however, always be the head of the company. This is important, as the Guidance Note confirms that an Information Officer may (on conviction) be held criminally liable for certain offences in terms of the PAIA.
If your company is a multinational (and operating in South Africa) you will be required to designate a person within South Africa as your IO.
The IO is then responsible for compliance with the POPIA and the PAIA. This can be by whatever means they deem appropriate (as the legislation is principle-based and not prescriptive), but in terms of Regulation 4 of the POPIA Regulations they must, at least, ensure that:
- a compliance framework is developed, implemented, monitored and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
Section 56 of the POPIA and section 17 of the PAIA allow for the appointment of any number of DIOs, who may be conferred any power or responsibility of the IO. The need for a DIO, or DIOs, must be determined with reference to the structure and size of an organisation, although the Guidance Note states that all multinationals must appoint a DIO in South Africa.
Only sufficiently qualified employees (from manager level and above) may be designated, in writing, as DIOs, whereafter they are to be given sufficient time, resources, training and budget to comply with their delegated responsibilities.
The DIOs are to act as the “face” of data privacy for an organisation. They are the people who will likely run the day-to-day activities of data privacy within an organisation. The IO, however, may step in at any time, as the IO is the person ultimately responsible.
Both IOs and DIOs need to be registered with the IR, starting from 1 May 2021.
In a media statement [Link: https://www.justice.gov.za/inforeg/docs/ms-20210401-GuidanceNote-IO.pdf?fbclid=IwAR04HXAafRKEkV0P4715DJnfvvDoXWGpqkoPhLaInN91nqccuHbsKT_RoPE] the IR stated that it is creating an online portal to facilitate the registration of IOs. This portal should be online by the end of April. The portal, however, has yet to be launched. Consequently, we would recommend making the appointments manually using the form issued by the IR [Link: https://justice.gov.za/inforeg/docs/InfoRegSA-eForm-InformationOfficersRegistration-2021.pdf].
Internally, there should be an appointment letter issued to and signed by the IO and/or DIOs. The internal appointment letter must capture, at a minimum, the same level of detail as set out in the Guidance Note, but should also capture specificities of the company that may need to remain confidential, such as Research and Development. This letter is especially important if the IO and/or DIOs have dual roles.
Should you need assistance in appointing, training or registering your IOs or DIOs, contact one of our data privacy experts here at Atvance Intellect.
Brendon Ambrose