Registration of Information Officers & Deputy Information Officers in terms of POPIA

Information Officers (IO) and Deputy Information Officers (DIO) are required to register with the Information Regulator in terms of Section 55(2) of the Protection of Personal Information Act (POPIA).

Initially, the online portal had some technical challenges, but it is now live and fully functional – and is available here.  One can also register via e-mail at registrations.IO@inforegulator.org.za by completing the manual form.

What does an IO or DIO do?  Last year, the Regulator released a Guidance Note on the duties of IOs and DIOs and this is available here.  Paragraph 6 of the Guidance Note sets out the IO’s duties, but simply put, an IO and DIO must ensure compliance with POPIA and PAIA.  Organisations should develop compliance frameworks with clear policies and training regimes.  This will include:

  • Performing a data impact assessment to ensure that adequate measures and standards exist to comply with the lawful processing of personal information;
  • Ensuring compliance with the lawful conditions of processing personal information;
  • Setting out a clear mechanism to deal with requests pursuant to POPIA;
  • Providing reasonable assistance to the Regulator in relation to all investigations;
  • Performing regular audits and conducting training sessions for staff;
  • Ensuring compliance with PAIA, which includes developing and making available a PAIA manual and, for public bodies, filing annual reports to the Regulator.

Typically, who will be an IO or DIO?  IOs are appointed automatically by virtue of their positions – for example, the Chief Executive Officer or Managing Director of a juristic person, or the Head of Department of Provincial Government.  However, any appropriate person may be authorised to act as IO or DIO; this must be done in writing, in a substantially similar manner to Annexure B of the Regulator’s Guidance Note referred to above.

Do not underestimate the position of IO: it is a critical role, with potential criminal liability and significant fines possible for non-compliance.  Recently, the Regulator issued summons against SAPS for a breach of POPIA, so it appears as if the Regulator will enforce its provisions.  In our experience, the role is often underestimated and to an extent overlooked.  Following the one-year grace period, POPIA has been fully effective for over a year and all bodies, public and private, must ensure compliance or face stiff penalties.
