The Information Officer and POPIA: What you need to know
“I am the compliance officer for our retail business. I’m aware
of the deadline of 1 July 2021 to be POPIA compliant and we are busy
putting the necessary in place. I’ve recently heard that the Information
Regulator now requires information officers to be registered with the
Information Regulator. Is this true and what are the main
responsibilities of an information officer?”
As the
Protection of Personal Information Act, 2013 ("POPIA") deadline of 1
July 2021 approaches rapidly, many organisations are starting to raise
questions about the more intricate aspects of POPIA.
An important
aspect relates to the role and responsibilities of the Information
Officer. The Information Regulator sees the role of the Information
Officer as a vital aspect of an organisation's overall compliance
and, in a sense, as an extension of the Information Regulator within the
organisation, tasked with ensuring that the organisation complies.
For any
business wishing to ensure its POPIA compliance, one of the first steps
is the identification and appointment of an Information Officer for the
organisation. No matter the turnover, number of employees, or type of
body (public or private), every organisation is required by POPIA to
identify, appoint and register an information officer.
Prior to
the commencement of the POPIA, the role of the Information Officer was
governed by the provisions of the Promotion of Access to Information Act
2 of 2000 (“PAIA”), but with the introduction of POPIA, the role of an
Information Officer is now governed by two pieces of legislation. This
means that the role of an Information Officer has been expanded, and these
two pieces of legislation will work side by side to strike a balance
between the right of any person to have access to information (in terms
of PAIA) versus the right of a person to have their own personal
information and privacy protected (in terms of POPIA).
POPIA, by
default, designates the head of any private body as the Information
Officer (be it the chief executive officer, managing director or
otherwise). It is important to keep in mind that POPIA also requires
that the Information Officer register with the Information Regulator
prior to taking up their duties as an Information Officer under POPIA,
and in a published Guidance Note issued by the Information Regulator,
this requirement of registration has taken effect from 1 May 2021.
A
business may also appoint one or more Deputy Information Officers, who
may assist the Information Officer in the performance of their duties
under POPIA. These persons must also be registered with the Information
Regulator.
Neither POPIA nor PAIA specifically provide for the
qualifications that a person should have to hold the position of
Information Officer. However, from the listed duties and
responsibilities it is evident that such a person is bestowed with
significant responsibilities and the duty to ensure that the body,
whether private or public, fulfils its POPIA and PAIA mandate. There are
also consequences should this not be done and POPIA is breached.
As
both PAIA and POPIA impose strict requirements on responsible parties
to ensure compliance with the provisions thereof, an organisation must
therefore carefully consider who will take the position of Deputy
Information Officer. Will it be the organisation's Head of
Information Technology, its Head of Human Resources, another individual,
or more than one of them? Selecting the right individual(s) for this role is important
because if a Deputy Information Officer fails to perform the duties
delegated to him/her, it could have adverse implications for not only
the responsible party (as defined in POPIA) but also the Information
Officer.
It is of course also advisable that the Information
Officer and deputies receive the necessary training in relation to POPIA
so that they are able to maintain effective data governance and
POPIA compliance in the day-to-day operations of the business.
One can therefore summarize the role of the Information Officer as follows:
Under PAIA, an Information Officer is expected to:
- Encourage and ensure compliance with PAIA.
- Create, maintain and update a PAIA manual for the body, if not exempted.
- Evaluate and approve requests for access to information received in terms of the grounds set out in PAIA, within the applicable timelines.
Under POPIA, an Information Officer is expected to:
- Encourage compliance with the conditions for the lawful processing of personal information in terms of POPIA.
- Deal with requests made pursuant to POPIA (presumably by the Information Regulator or data subjects).
- Work with the Information Regulator in relation to investigations.
- Ensure compliance by the body/entity with the provisions of POPIA.
- Develop, implement and monitor a compliance framework for the POPIA compliance within such entity.
- Ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.
- Develop, monitor, maintain and make available a PAIA manual as prescribed in terms of POPIA and PAIA, if not exempted.
- Develop internal measures and adequate systems to process requests for access to information.
- Ensure that internal awareness sessions are conducted.
- Any other responsibilities as may be prescribed from time to time (by the Minister or the Information Regulator).
Make sure that your Information Officer and any deputies are appointed and registered and that these persons receive the necessary training from specialists to enable them to fulfil their roles in your organisation as part of preparing for your overall POPIA compliance by 1 July 2021.