Our global pages
Close- Global home
- About us
- Global services/practices
- Industries/sectors
- Our people
- Events/webinars
- News and articles
- Eversheds Sutherland (International) Press Hub
- Eversheds Sutherland (US) Press Hub
- News and articles: choose a location
- Careers
- Careers with Eversheds Sutherland
- Careers: choose a location
POPIA - who is your information officer?
- South Africa
- Privacy, data protection and cybersecurity
- Technology, Media and Telecoms
14-12-2022
In South Africa, in terms of the Promotion of Access to Information Act, 2 of 2000 (PAIA), and the Protection of Personal Information Act, 4 of 2013 (POPIA), each organisation has an information officer (IO) who is tasked with ensuring compliance with PAIA and POPIA, and the promotion of the constitutional rights of access to information, and privacy.
POPIA, read with PAIA, specifies that the head of a private body, being its CEO or equivalent officer, is the default IO; however, it may not be practical for this person, particularly in a large or multinational organisation, to perform the daily duties of the IO. To cater for this, POPIA and PAIA make provision for the appointment of other persons, duly appointed by such officer, as the IO, and the designation of persons as deputy information officers (DIOs). However, the legislation is rather vague when it comes to who should be appointed as IO or DIO, with neither POPIA nor PAIA setting out any specifics on who can or should be appointed, or where they must be based, and “person” being broadly defined to include any natural and juristic persons.
In order to provide some guidance, the Information Regulator issued a Guidance Note on Information Officers and Deputy Information Officers, April 2021 (Guidance Note), which states that these officers must be natural persons, in the employ of the organisation, at a management level or above, and based in South Africa. The Guidance Note goes further to provide that a multinational entity based outside of South Africa must authorise a person within South Africa as the IO, and must delegate persons within South Africa as DIOs, as applicable. This is aimed at ensuring that the officers are as accessible as reasonably possible to data subjects and the Information Regulator.
It is important to note that, notwithstanding any delegation of responsibility, the default, or authorised, IO retains accountability and responsibility for any functions delegated to a DIO, which means that such appointments must not be done lightly.
While the Guidance Note provides some insight into what the Information Regulator deems appropriate for the appointment of IOs and DIOs, it does not necessarily solve the dilemma facing multinational organisations, who may not have suitable employees based in South Africa, or who may have centralised their privacy functions outside South Africa. Furthermore, although the Guidance Note is not strictly binding, it has been published by the Information Regulator to assist organisations with their implementation of and compliance with POPIA and PAIA, and will no doubt be used by the Information Regulator to determine whether an organisation is compliant. It is therefore recommended that organisations take all reasonable measures to ensure that they comply with the Guidance Note.
Whether your organisation’s IO is the default IO, or an authorised IO, your organisation must register your IO, and any DIOs, with the Information Regulator either:
- manually, using the template available here: InfoRegSA-eForm; or
- online using the Information Regulator portal: https://inforegulator.org.za/portal/.
If you have any queries regarding the appointment of your IO, and DIOs, please get in touch with our Technology, Media, and Telecommunications team.
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.
- Assignment of arbitral claims and arbitral awards: uncertain legal landscape in France
- A round-up podcast: ESG for the UK asset management industry
- Education briefing - Student accommodation: A vision for the future
- Distribution of surplus assets in a creditors’ voluntary liquidation
- UK Covid-19 Inquiry Latest update: Module 2A