South Africa POPIA: Information Regulator publishes guidance on the application for Prior Authorisation
Data Protection & Privacy
South Africa's Information Regulator has been ramping up its efforts to deliver practical guidance in terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”) as the 1 July 2021 compliance deadline draws closer. In this regard, the Information Regulator finalised and published the ‘Guidance Note on Information Officers and Deputy Information Officers’ on 1 April 2021. In this article, we set out some key aspects of the Guidance Note that organisations should consider.
The ‘Guidance Note on Information Officers and Deputy Information Officers’ (Guidance Note) provides that certain persons, by virtue of their positions, are appointed automatically in terms of POPIA and the Promotion of Access to Information Act 2 of 2000 (“PAIA”) as an organisation’s designated Information Officer.
The Guidance Note identifies Director-Generals, Heads of Department, Municipal Managers or chief executive officers (or any person acting as such) in public bodies as those persons appointed automatically to the position of Information Officer for public bodies.
The Guidance Note also provides welcome clarification in respect of the role of the Information Officer for private bodies that are juristic persons. The default position is that the chief executive officer, managing director or equivalent officer of a juristic person is the Information Officer of the organisation. However, according to the Guidance Note, such person may authorise any natural person within the organisation to act as the Information Officer of the organisation. Such authorisation of a natural person as an Information Officer should be effected by way of a written authorisation, which shall be substantially similar to the form attached as Annexure B to the Guidance Note. It is important to note that the head of a private body (i.e. the default Information Officer of an organisation) who has authorised another person to act as the Information Officer will retain the accountability and responsibility for any power or functions authorised to that authorised person.
The Information Officer of a multinational entity based outside of South Africa should authorise any natural person located in South Africa as its Information Officer. In addition, the Guidance Note prescribes that the Information Officer should be at an executive level or equivalent position, being an employee of the private body at a level of management or above. This means that the Information Officer must be an employee of the private body; outsourcing the role of Information Officer to a service provider, for example, would therefore not be permitted.
The Guidance Note further provides that a Deputy Information Officer may designate Deputy Information Officer(s), in writing, and delegate certain powers, duties and responsibilities by way of written designation and delegation in a form substantially similar to Annexure C attached to the Guidance Note. Deputy Information Officers must also be employees of the relevant body. Deputy Information Officers are designated to assist the Information Officer in the execution of its responsibilities under POPIA. According to the Guidance Note, however, the Information Officer remains ultimately accountable and responsible for the functions that it has delegated to the Deputy Information Officer. The Guidance Note reminds organisations that Deputy Information Officers must be given adequate resources (i.e. time and financial means) and must have sufficient understanding of POPIA and PAIA, as well as institutional and business knowledge of the organisation, to fulfil their obligations.
Each responsible party is required to register its Information Officer with the Information Regulator. The Guidance Note emphasises that registration of an Information Officer with the Information Regulator is compulsory for all responsible parties and is a prerequisite for Information Officers to take up their duties and responsibilities in terms of POPIA.
The Information Officer of each responsible party must complete the online registration form or complete the ‘Information Officers’ Registration Form’ attached as Annexure A to the Guidance Note and submit it to the Information Regulator. The registration form also provides for information relating to Deputy Information Officers where applicable.
In this regard and as it relates to groups of companies, the Guidance Note clarifies that each subsidiary must register its own Information Officer and Deputy Information Officer(s) with the Information Regulator.
The particulars of an Information Officer and Deputy Information Officer(s) recorded with the Information Regulator must be updated at least once a year and must align to the particulars contained in the PAIA manual.
In the accompanying media statement issued by the Information Regulator on 1 April 2021, the Information Regulator advised that it is in the process of establishing an online portal which will go live prior to the commencement of registration of Information Officers and Deputy Information Officers on 1 May 2021. This portal will assist responsible parties in registering their Information Officers and Deputy Information Officers. The Information Regulator has also requested that all applications previously submitted using the old forms appearing in the draft Guidance Note be resubmitted using the online registration or the template registration form included within the Guidance Note.
The Guidance Note confirms that the Information Officer’s duties are set out in section 32 of PAIA (in respect of public bodies only) and section 55(1) of POPIA and Regulation 4 of the Regulations under POPIA.
These key responsibilities of the Information Officer include:
Information Officers are reminded that the Enforcement Committee established in terms of POPIA is empowered to recommend enforcement action against an Information Officer specifically in relation to any contravention of its responsibilities under PAIA. The offences in terms of PAIA relate to destruction or alteration of records, gross or negligent failure to comply with sections 14 and/or 51 (the obligation for public and private bodies to have and update a PAIA manual), and non-compliance with the Information Regulator’s enforcement notices.
In view of the above, it is important for organisations to prioritise the following:
If you require any further assistance in understanding the impact of this Guidance Note on your business, POPIA training or related advice, please reach out to Ernie van der Vyver and Savanna Stephens.