POPIA – Who is your information officer?

information officer
14 Dec 2022

In South Africa, in terms of the Promotion of Access to Information Act, 2 of 2000 (PAIA), and the Protection of Personal Information Act, 4 of 2013 (POPIA), each organisation has an information officer (IO) who is tasked with ensuring compliance with PAIA and POPIA, and the promotion of the constitutional rights of access to information, and privacy.

POPIA, read with PAIA, specifies that the head of a private body, being its CEO or equivalent officer, is the default IO; however, it may not be practical for this person, particularly in a large or multinational organisation, to perform the daily duties of the IO. To cater for this, POPIA and PAIA make provision for the appointment of other persons, duly appointed by such officer, as the IO, and the designation of persons as deputy information officers (DIOs). However, the legislation is rather vague when it comes to who should be appointed as IO or DIO, with neither POPIA nor PAIA setting out any specifics on who can or should be appointed, or where they must be based, and “person” being broadly defined to include any natural and juristic persons.

In order to provide some guidance, the Information Regulator issued a Guidance Note on Information Officers and Deputy Information Officers, April 2021 (Guidance Note), which states that these officers must be natural persons, in the employ of the organisation, at a management level or above, and based in South Africa. The Guidance Note goes further to provide that a multinational entity based outside of South Africa must authorise a person within South Africa as the IO, and must delegate persons within South Africa as DIOs, as applicable. This is aimed at ensuring that the officers are as accessible as reasonably possible to data subjects and the Information Regulator.

It is important to note that, notwithstanding any delegation of responsibility, the default, or authorised, IO retains accountability and responsibility for any functions delegated to a DIO, which means that such appointments must not be done lightly.

While the Guidance Note provides some insight into what the Information Regulator deems appropriate for the appointment of IOs and DIOs, it does not necessarily solve the dilemma facing multinational organisations, who may not have suitable employees based in South Africa, or who may have centralised their privacy functions outside South Africa. Furthermore, although the Guidance Note is not strictly binding, it has been published by the Information Regulator to assist organisations with their implementation of and compliance with POPIA and PAIA, and will no doubt be used by the Information Regulator to determine whether an organisation is compliant. It is therefore recommended that organisations take all reasonable measures to ensure that they comply with the Guidance Note.

Whether your organisation’s IO is the default IO, or an authorised IO, your organisation must register your IO, and any DIOs, with the Information Regulator either:

If you have any queries regarding the appointment of your IO, and DIOs, please get in touch with our Technology, Media, and Telecommunications team.

Article sourced from Eversheds Sutherland.

See also:

(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)
Grant Williams

Grant Williams is a partner in our commercial group. He specialises in commercial law with an emphasis on media, telecommunications and IT. Grant’s recent experience includes assisting with the establishment... Read more about Grant Williams

Meghan Annandale

Meghan Annandale is an Associate in our Technology, Media and Telecommunications Department at the Bryanston office. She graduated from the University of Pretoria with a BA Law degree in 2016... Read more about Meghan Annandale


Constitutional Law & Civil Rights articles by

Constitutional Law & Civil Rights articles on GoLegal