Do you have what it takes to be an Information Officer?
25 May 2021
In modern society, information can be more valuable than oil. Curiously, more often than not, it is freely available for the world to access.
The Protection of Personal Information Act 4 of 2013 (“POPIA”) introduces strict regulations which govern the manner in which personal information may be processed by private and public bodies. POPIA will become fully operational on 1 July 2021 and compliance with its provisions is mandatory.
Section 1 of POPIA defines personal information as any information that relates to an “identifiable, living, natural person,” or alternatively, an identifiable juristic person. Personal information includes, inter alia, information relating to race, gender, sexual orientation, political preference, ID numbers and employment history.
As a pre-requisite for compliance with both POPIA and the Promotion of Access to Information Act 2 of 2000 (“PAIA”), every public and private entity is obliged to appoint and register an information officer to oversee the implementation of POPIA’s provisions. If a private entity fails to appoint an information officer, the de facto (default) information officer is its CEO or managing director. It is also pertinent to note that no one is exempt from appointing and registering an information officer.
The de facto information officer of a public entity is dependent upon the context in which the entity operates and the roles played by its senior members. In this regard, section 5.1 of the Guidance Note on Information Officers and Deputy Information Officers is instructive. A copy of the guidance note can be found at https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-IO-DIO-20210401.pdf.
The responsibilities of an information officer are ongoing and extensive. In terms of section 55 of POPIA, an information officer must:
- co-operate fully with the information regulator when an investigation, pursuant to chapter 6 of POPIA, is being conducted;
- deal with requests made to him or her by any individual (data subject) in relation to personal information which is processed by the organisation;
- encourage the organisation to comply with the provisions of POPIA; and
- ensure that personal information is processed in a lawful and fair manner.
Regulation 4 of POPIA sets out further responsibilities, including the following:
- developing a system in which personal information will be adequately protected and processed;
- ensuring that a personal information impact assessment is conducted in order to certify that adequate information, security measures and standards are in place;
- establishing a framework in which compliance with POPIA will be successful;
- evaluating the internal standards that exist within the organisation;
- providing for “internal awareness sessions” that discuss and expand on the regulations, codes of conduct and provisions set out in POPIA; and
- publishing a manual setting out certain statutory pre-requisites.
It is clear that the way in which information is processed and shared has changed for the foreseeable future. While the role of an information officer may seem largely administrative in nature, the individual who is appointed to that position should ideally be a strong communicator who is geared toward structured project management.
In addition, an information officer should be an individual with an understanding of data protection principles and an in-depth knowledge of the organisation’s processing activities. This is to ensure the timeous implementation of POPIA’s wide-ranging provisions within their organisation before the 1 July deadline (and on an ongoing basis thereafter).
Written by: Ryszard Lisinski, Brett Weinberg and Jessica Strydom
(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)