POPIA - who is your information officer?

• South Africa

• Privacy, data protection and cybersecurity
• Technology, Media and Telecoms

14-12-2022

In South Africa, in terms of the Promotion of Access to Information Act, 2 of 2000 (PAIA), and the Protection of Personal Information Act, 4 of 2013 (POPIA), each organisation has an information officer (IO) who is tasked with ensuring compliance with PAIA and POPIA, and the promotion of the constitutional rights of access to information, and privacy.

POPIA, read with PAIA, specifies that the head of a private body, being its CEO or equivalent officer, is the default IO; however, it may not be practical for this person, particularly in a large or multinational organisation, to perform the daily duties of the IO. To cater for this, POPIA and PAIA make provision for the appointment of other persons, duly appointed by such officer, as the IO, and the designation of persons as deputy information officers (DIOs). However, the legislation is rather vague when it comes to who should be appointed as IO or DIO, with neither POPIA nor PAIA setting out any specifics on who can or should be appointed, or where they must be based, and “person” being broadly defined to include any natural and juristic persons.

In order to provide some guidance, the Information Regulator issued a Guidance Note on Information Officers and Deputy Information Officers, April 2021 (Guidance Note), which states that these officers must be natural persons, in the employ of the organisation, at a management level or above, and based in South Africa. The Guidance Note goes further to provide that a multinational entity based outside of South Africa must authorise a person within South Africa as the IO, and must delegate persons within South Africa as DIOs, as applicable. This is aimed at ensuring that the officers are as accessible as reasonably possible to data subjects and the Information Regulator.

It is important to note that, notwithstanding any delegation of responsibility, the default, or authorised, IO retains accountability and responsibility for any functions delegated to a DIO, which means that such appointments must not be done lightly.

While the Guidance Note provides some insight into what the Information Regulator deems appropriate for the appointment of IOs and DIOs, it does not necessarily solve the dilemma facing multinational organisations, who may not have suitable employees based in South Africa, or who may have centralised their privacy functions outside South Africa. Furthermore, although the Guidance Note is not strictly binding, it has been published by the Information Regulator to assist organisations with their implementation of and compliance with POPIA and PAIA, and will no doubt be used by the Information Regulator to determine whether an organisation is compliant. It is therefore recommended that organisations take all reasonable measures to ensure that they comply with the Guidance Note.

Whether your organisation’s IO is the default IO, or an authorised IO, your organisation must register your IO, and any DIOs, with the Information Regulator either:

• manually, using the template available here: InfoRegSA-eForm; or

• online using the Information Regulator portal: https://inforegulator.org.za/portal/.

If you have any queries regarding the appointment of your IO, and DIOs, please get in touch with our Technology, Media, and Telecommunications team.