You're the Information Officer! Now what?

Updated: Jun 13, 2023

A guide to the role and responsibilities of an Information Officer in a South African context as it pertains to the POPI act.


While the Protection of Personal Information Act 4 of 2013 (“the POPI Act”) has been around for years, it only commenced on 1 July 2020 and became fully effective a year later. While the buzz around it may have settled down, the legal and practical implications should still be very much top-of-mind for South African companies and Information Officers. We wrote this short guide to help you get on top of this critical, often frustrating position (especially for you poor souls who inherited the role despite your desperate wishes to the contrary — we feel you).


POPIA requires every private and public body to have an Information Officer. This requirement has been in existence for the past 20 years, but in terms of another piece of legislation, the Promotion of Access to Information Act, which we refer to as PAIA.


WHO IS IT?

In terms of PAIA, the head of the private entity – let’s say the CEO or the MD – is automatically appointed as the entity’s Information Officer. This Information Officer is the same Information Officer referred to in POPIA.


Does this mean it's possible that your company already has an Information Officer, they just aren’t aware of the role that’s been assigned to them? Absolutely.

The role of Information Officer in a private entity can be delegated, but it must be delegated to someone in an executive position or a position equivalent to an executive role. It's also possible for you to appoint a Deputy Information Officer.


Importantly, the Information Officer must be an employee. Whoever takes on the role of Information Officer must be registered with the Information Regulator, which is something we can help you with.

Here, it’s important to note that, even where the role is delegated to someone else, the buck stops with the head of the organisation. In other words, it’s really important to not only appoint the right person, but to be assured that they’ll do their job properly.


WHAT DOES IT ENTAIL?

So, you’re either the head of your organisation or the role has been delegated to you – now what? We’re so glad you asked. Here, we'll be working with the acronym STIR, because, well, we think it's catchy. Let's have a look at what your role will entail.


Support

Your job is not only a hands-on one, but also a supportive one. You'll be providing support to those working above you, below you, and next to you. You'll also be working with the Information Regulator, dealing with queries and concerns they might have. You'll encourage compliance and raise awareness. If someone has a question, you'll be the one they'll turn to.

Theory

This will undoubtedly be the part where you'll need our help the most, because this is where it gets technical. This will, for the most part, be paperwork. You'll ensure that the various manuals, policies and protocols are drafted and developed. Think: POPIA manual, Data Retention Policy, Data Quality Policy, Disclaimers.

Implement

Next up, you'll use the prepared paperwork and apply it to real-life scenarios. Before you can do that, you'll have to ensure that everyone in your organisation is trained and up to date with all of the various policies and protocols. You'll also ensure that assessments are carried out to evaluate and address risk areas in your organisation.

Recur

Unfortunately, complying with POPIA isn't a once-off thing. Because your organisation is constantly processing personal information in one way or another, the work never stops. You'll continuously offer support, monitor the implementation of the theory and always be on the lookout for risks and ways in which you can mitigate them.

WHY?

Why do you have to do all of this? Because POPIA says so. And because it prescribes some not-so-fun consequences if you don't. Let's have a look at the possible repercussions of not adhering to POPIA:

  • Imprisonment — while you can technically be sent to jail, we really don't think that's going to happen any time soon, especially not for smaller transgressions at small to medium-sized organisations. But that doesn't mean it can't happen, and we'd really prefer you don't end up in the history books as the first one.

  • Fines — these guys can be a pain. The Information Regulator will send you something called an Infringement Notice describing the details of the offence and the fine that your organisation is liable for, which can be anything up to R10 million.

  • Reputational damage — at the end of the day, you care about your name. You also care about the people you do business with, both internally and externally.

  • Personal liability — the Information Officer can also be held personally liable in terms of the Companies Act for the damages suffered by the organisation as a result of a data breach.

If you're unsure about your role as Information Officer or you're not 100% certain that your organisation is POPIA compliant, reach out to us - we'd love to help.