
South Africa POPIA: Final Guidance Note for Information Officers and Deputy Information Officers now published

  • Legal Development 8 April 2021
  • Africa

  • Data Protection & Privacy

South Africa's Information Regulator has been ramping up its efforts to deliver practical guidance in terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”) as the 1 July 2021 compliance deadline draws closer. In this regard, the Information Regulator finalised and published the ‘Guidance Note on Information Officers and Deputy Information Officers’ on 1 April 2021. In this article, we set out some key aspects of the Guidance Note that should be considered by organisations.

Who may be appointed as an Information Officer and Deputy Information Officer?

The ‘Guidance Note on Information Officers and Deputy Information Officers’ (Guidance Note) provides that certain persons, by virtue of their positions, are appointed automatically in terms of the POPIA and the Promotion of Access to Information Act 2 of 2000 (“PAIA”) as an organisation’s designated Information Officer.

The Guidance Note identifies Directors-General, Heads of Department, Municipal Managers or chief executive officers (or any person acting as such) in public bodies as those persons appointed automatically to the position of Information Officer for public bodies.

The Guidance Note also provides welcome clarification in respect of the role of the Information Officer for private bodies that are juristic persons. The default position is that the chief executive officer, managing director or equivalent officer of a juristic person is the Information Officer of the organisation; however, according to the Guidance Note, such person may authorise any natural person within the organisation to act as the Information Officer of the organisation. Such authorisation of a natural person as an Information Officer should be effected by way of a written authorisation, which shall be substantially similar to the form attached as Annexure B to the Guidance Note. It is important to note that the head of a private body (i.e. the default Information Officer of an organisation), who has authorised another person to act as the Information Officer, will retain the accountability and responsibility for any power or functions authorised to that authorised person.

The Information Officer of a multinational entity based outside of South Africa should authorise any natural person located in South Africa as its Information Officer. In addition, the Guidance Note prescribes that the Information Officer should be at an executive level or equivalent position, being an employee of the private body at a level of management or above. This means that the Information Officer must be an employee of the private body; thus outsourcing the role of Information Officer to a service provider, for example, would not be permitted.

Deputy Information Officers

The Guidance Note further provides that a Deputy Information Officer may designate Deputy Information Officer(s), in writing, and delegate certain powers, duties and responsibilities by way of written designation and delegation in a form substantially similar to Annexure C attached to the Guidance Note. Deputy Information Officers must also be employees of the relevant body. Deputy Information Officers are designated to assist the Information Officer in the execution of its responsibilities under POPIA. According to the Guidance Note, however, the Information Officer remains ultimately accountable and responsible for the functions that it has delegated to the Deputy Information Officer. The Guidance Note reminds organisations that Deputy Information Officers must be given adequate resources (i.e. time and financial means) and must have sufficient understanding of POPIA and PAIA, and institutional and business knowledge of the organisation, to fulfil their obligations.

Are you required to register your Information Officer and Deputy Information Officer?

Each responsible party is required to register its Information Officer with the Information Regulator. The Guidance Note emphasises that registration of an Information Officer with the Information Regulator is compulsory for all responsible parties and is a prerequisite for the Information Officers to take up their duties and responsibilities in terms of POPIA.

The Information Officer of each responsible party must complete the online registration form or complete the ‘Information Officers’ Registration Form’ attached as Annexure A to the Guidance Note and submit same to the Information Regulator. The registration form also provides for information relating to Deputy Information Officers where applicable.

In this regard and as it relates to groups of companies, the Guidance Note clarifies that each subsidiary must register its own Information Officer and Deputy Information Officer(s) with the Information Regulator.

The particulars of an Information Officer and Deputy Information Officer(s) recorded with the Information Regulator must be updated at least once a year and must align to the particulars contained in the PAIA manual.

In the accompanying media statement issued by the Information Regulator on 1 April 2021, the Information Regulator advised that it is in the process of establishing an online portal which will go live prior to the commencement of registration of Information Officers and Deputy Information Officers on 1 May 2021. This portal will assist responsible parties in registering their Information Officers and Deputy Information Officers. The Information Regulator has also requested that all applications previously submitted using the old forms appearing in the draft Guidance Note be resubmitted using the online registration or the template registration form included within the Guidance Note.

What are the duties of the Information Officer and when do they take effect?

The Guidance Note confirms that the Information Officer’s duties are set out in section 32 of PAIA (in respect of public bodies only) and section 55(1) of POPIA and Regulation 4 of the Regulations under POPIA.

The key responsibilities of the Information Officer include:

  • ensuring the body’s compliance with the POPIA and the conditions for lawful processing;
  • dealing with the requests made to the body both in terms of POPIA and PAIA;
  • working with the Information Regulator in relation to investigation;
  • ensuring internal measures are developed to process requests made to the body;
  • ensuring a PAIA manual is developed, monitored, maintained and made available as required;
  • conducting a personal information impact assessment to ensure that adequate measures and standards exist; and
  • conducting internal awareness sessions on POPIA and any guidance or codes of conduct issued thereunder.

Is there any liability for Information Officers?

Information Officers are reminded that the Enforcement Committee established in terms of POPIA is empowered to recommend enforcement action against an Information Officer specifically in relation to any contravention of its responsibilities under PAIA. The offences in terms of PAIA relate to destruction, alteration of records or gross or negligent failure to comply with sections 14 and/or 51 (the obligation for public and private bodies to have and update a PAIA manual) and non-compliance with the Information Regulator’s enforcement notices.

What are the next steps for organisations?

In view of the above, it is important for organisations to prioritise the following:

  • if the head of the private body wishes to authorise another person in the organisation as the Information Officer, identify a suitable candidate for the role of Information Officer taking into consideration the responsibilities and the required specifications set out in this Guidance Note, POPIA and PAIA and authorise such person as the Information Officer by way of the written authorisation;
  • identify suitable candidates for the role of Deputy Information Officer taking into consideration the required specifications set out in this Guidance Note, POPIA and PAIA and designate such person(s) in writing as the Deputy Information Officer and delegate the relevant powers, duties and functions by way of written delegation of authority;
  • the registration of the Information Officers from 1 May 2021; and
  • the training of the Information Officers and Deputy Information Officers on their duties during the remaining months of the grace period and their obligations post the grace period.

As the effective date of Regulation 4 of the POPIA Regulations is also 1 May 2021, we would recommend that registration is completed as soon as possible on 1 May 2021, to ensure that the Information Officers are appropriately authorised and registered as such before they can take up the duties therein. For more information on the effective date of the Regulations, please see our previous article here.

If you require any further assistance in understanding the impact of this Guidance Note on your business, POPIA training or related advice, please reach out to Ernie van der Vyver and Savanna Stephens.
