The search for your Information Officer begins now
02 Jul 2019
The Regulations relating to the Protection of Personal Information 2018 (the Regulations) were published by the Information Regulator on 14 December 2018. Although the POPI Regulations are final, they will only take effect concurrently with the commencement date of the Protection of Personal Information Act 4 of 2013 (POPI).
The Information Officer for private bodies is defined in POPI by using the definition provided for in section 1, of the Promotion of Access to Information Act 2 of 2000. Regulation 4 offers further insight into what the Information Regulator requires from businesses when appointing an Information Officer by setting out their minimum duties and responsibilities in addition to those set out in section 55 of POPI and include inter alia:
- Appointing, in writing a person employed by the body to act as the Information Officer, and a Deputy Information Officer to assist the Information Officer in performing its obligations;
- Ensuring a compliance framework is developed, implemented, monitored and maintained;
- Performing a personal information impact assessment to ensure the business has adequate measures and standards in place to comply with the eight conditions for processing personal information; and
- Developing, monitoring, maintaining and making available a manual that sets out (i) the purpose of processing the personal information, (ii) the categories of data subjects and personal information relation thereto, (iii) the details of third parties receiving the personal information, (iv) whether any personal information will be transferred outside the Republic and if so, the manner in which the business will transfer the personal information, (v) security measures in place to ensure information quality and safety, (vi) procedure for parties to access the personal information held by the business, (vii) training sessions to be conducted to ensure internal awareness on POPI.
While POPI and its Regulations are not yet in force, the hunt for the right Information Officer should commence as soon as possible in order to allow for adequate time to search, appoint, train and prepare for the inevitable implementation and enforcement of POPI.
- PoPIA Regulations – Responsibilities of the information officer
- The complex issue of privacy when on the internet
- GDPR in South Africa