Compliance with POPIA is mandatory for any individual or entity (the “responsible party”) who processes and records personal information.
In terms of POPIA, every business (which includes individuals) is required to appoint, in writing, an Information Officer (and Deputy Information Officers, where applicable) as part of compliance with POPIA. The Information Officer, in terms of the Act and Regulations, is responsible for the implementation of POPIA and has to ensure that the responsible party remains compliant with POPIA.
The Information Officer (and any Deputy Information Officers) must be registered with the Information Regulator.
According to the latest published information from the Information Regulator, the registration of Information Officers commenced on the 1st of May 2021. The portions of POPIA relating to Information Officers also became effective on the 1st of May 2021.
Section 1 of POPIA defines an “information officer” of, or in relation to, a public body as an information officer or deputy information officer as contemplated in terms of section 1 or 17 of the Promotion of Access to Information Act, 2 of 2000 (PAIA).
Section 1 of POPIA defines a “private body” to mean—
- a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
- a partnership which carries or has carried on any trade, business or profession; or
- any former or existing juristic person, but excludes a public body.
Section 1 of POPIA defines an “information officer” of, or in relation to, a private body as the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act (PAIA).
In terms of section 56 of POPIA, headed “Designation and delegation of deputy information officers”, each public and private body must make provision, in the manner prescribed in section 17 of PAIA, with the necessary changes, for the designation of—
- such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and
- any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.
DUTIES OF AN INFORMATION OFFICER as per SECTION 55 OF POPIA
Section 55 of POPIA sets out the duties and responsibilities of an information officer.
An information officer’s responsibilities include—
- the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
- dealing with requests made to the body pursuant to this Act;
- working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
- otherwise ensuring compliance by the body with the provisions of this Act; and
- as may be prescribed.
Officers must take up their duties in terms of this Act only after the responsible party has registered them with the Information Regulator.
DUTIES AND RESPONSIBILITIES OF INFORMATION OFFICERS as per REGULATION 4 OF POPIA
Subject to the provisions of section 55 of the Act, an information officer must ensure that—
- a compliance framework is developed, implemented and monitored;
- adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- preliminary assessments are conducted;
- a manual for the purpose of the Promotion of Access to Information Act and the Act is developed detailing the purpose of the processing; a description of the categories of data subjects and of the information or categories of information relating thereto; the recipients or categories of recipients to whom the personal information may be supplied; the planned trans-border or cross border flows of personal information; and a general description allowing preliminary assessment of the suitability of information security measures to be implemented and monitored by the responsible party;
- the manual is available — on the website of the responsible party and at the office or offices of the responsible party for public inspection during normal business hours of that responsible party;
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
As the provisions relating to Information Officers in POPIA will be effective as of the 1st of May 2021, all businesses should attend to the nomination, appointment and registration of their Information Officer and any Deputy Information Officers without any further delay. Following the registration of the Information Officer (including Deputies) with the Information Regulator, the Information Officer and his or her Deputies will then have to adhere to the requirements of POPIA to ensure that their business is POPIA compliant by the 1st of July 2021.
FHBC is able to assist its clients with a full POPIA Implementation Framework, including guidance, documentation and training to assist them in becoming POPIA compliant. We are aware of the different needs of various businesses due to the difference in size and nature, and invite you to contact our POPIA Team for further information, a quotation and/or assistance.