For private bodies, the information officer is automatically the head of the body — such as the chief executive officer — who must take up their duties after being registered with the information regulator. The procedure for the registration of an information officer is set out in the draft guidelines, which stipulate that the procedure must be completed on or before 31 March 2021.

The duties of an information officer are set out in section 55(1) of POPIA, and include encouraging compliance with the conditions for the lawful processing of personal information, dealing with requests made in terms of POPIA, working with the information regulator in relation to investigations and ensuring compliance with the provisions of POPIA. Additionally, the information officer is responsible for ensuring that:
  • a compliance framework is developed, implemented, monitored and maintained
  • a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information
  • a manual is developed, monitored, maintained and made available in terms of the Promotion of Access to Information Act 2 of 2000 (PAIA)
  • internal measures are developed together with adequate systems to process requests for information or access thereto
  • internal awareness sessions are conducted regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the information regulator
POPIA also provides the designation of one or more deputy information officers to perform these roles for a private body. The draft guidelines require that the designation must be in writing, and that a person designated as a deputy information officer must be afforded sufficient time, adequate resources and the financial means to devote to matters concerning POPIA and PAIA.

In determining who should be the deputy information officer, the draft guidelines provide that only an employee at the level of management or above should be considered for designation as a deputy information officer, and that employees with institutional knowledge should be preferred.

They further recommend that a body must ensure that an information officer and deputy information officer(s) receive appropriate training and keep abreast of the relevant developments in POPIA and PAIA.

The deadline for submissions on the draft Guidelines is 16:00 on Sunday, 16 August, and can be emailed to [email protected]

Note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice.

For more information, visit www.iabsa.net. You can follow IAB South Africa on Facebook or on Twitter.