Duties and Responsibilities of the Information Officer


The duties and responsibilities of the Information Officer listed in this article should be included in the letter of appointment for the Information Officer of an organisation that qualifies as a Responsible Party in terms of the POPI Act, 2013. These responsibilities should be regarded as a minimum, and organisations may choose to extend them, thus increasing the scope of work of the Information Officer.

The Information Officer role is by default that of the Designated Head of a Private Body in terms of the provisions of both the Promotion of Access to Information (PAI) Act, 2000 (see Appendix A of this document) and the Protection of Personal Information (POPI) Act, 2013 (see Appendix B of this document). The responsibilities defined for these roles in [company name], a private body in terms of the POPI Act and PAI Act, are:

POPI Act Section 55(1): An information officer’s responsibilities include—

(a) the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
(b) dealing with requests made to the body pursuant to this Act;
(c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
(d) otherwise ensuring compliance by the body with the provisions of this Act; and
(e) as may be prescribed.

Regulations relating to the Protection of Personal Information, 2018: Responsibilities of Information Officers

4. (1) An information officer must, in addition to the responsibilities referred to in section 55(1) of the Act, ensure that-
(a) a compliance framework is developed, implemented, monitored and maintained;
(b) a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
(c) a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
(d) internal measures are developed together with adequate systems to process requests for information or access thereto; and
(e) internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
(2) The information officer shall upon request by any person, provide copies of the manual to that person upon the payment of a fee to be determined by the Regulator from time to time.

POPI Act, 2013 Part B: Designation and delegation of deputy information officers

56. Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of—
(a) such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and
(b) any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.

Examples of specific duties for the information officer which could be included in the appointment letter:

POPI Act Information Officer / Deputy Role Responsibilities:

  • Completing initial and ongoing compliance assessments
  • Developing, publishing and maintaining a POPI Policy which addresses all relevant provisions of the POPI Act
  • Reviewing the POPI Act and periodic updates as published
  • Ensuring that POPI Act induction training takes place for all staff
  • Ensuring that periodic communication awareness on POPI Act responsibilities takes place
  • Ensuring that Privacy Notices for internal and external purposes are developed and published
  • Handling data subject access requests
  • Approving unusual or controversial disclosures of personal data
  • Approving contracts with operators as defined in the POPI Act
  • Ensuring that appropriate policies and controls are in place for ensuring the acceptable quality of personal information in line with the POPI Act
  • Ensuring that appropriate security safeguards in line with the POPI Act for personal information are in place
  • Handling all aspects of the relationship with the Information Regulator as foreseen in the POPI Act
  • Providing direction to any Deputy Information Officer if and when appointed

PAI Act (PAIA) Information Officer / Deputy Role Responsibilities:

Developing, publishing and maintaining a PAIA Manual which addresses all relevant provisions of the PAIA Act, including but not limited to the following:

  • Meeting the requirements for contents of the Manual
  • Establishing processes for information requests
  • Handling requests for information
  • Providing direction to any Deputy Information Officer if and when appointed

Appendix A

Promotion of Access to Information Act (PAIA), 2000

[reference to appointment and designation of Information Officer and Deputy Information Officer for a Private Body:]

PART 1: INTRODUCTORY PROVISIONS (ss 1-10)

CHAPTER 1: DEFINITIONS AND INTERPRETATIONS (ss 1-2)

1 Definitions

In this Act, unless the context otherwise indicates-

‘private body’ means-

(a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
(b) a partnership which carries or has carried on any trade, business or profession; or
(c) any former or existing juristic person, but excludes a public body;

‘head’ of or in relation to a private body means-

(a) in the case of a natural person, that natural person or any person duly authorised by that natural person;
(b) in the case of a partnership, any partner of the partnership or any person duly authorised by the partnership;
(c) in the case of a juristic person-
(i) the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or
(ii) the person who is acting as such or any person duly authorised by such acting person;

Please note that PAIA makes no provision for appointment of one or more Deputy Information Officers in a Private Body. Thus, the accountability in a Private Body rests with the head of the body. The responsibility may be delegated but the accountability cannot.

Appendix B

Protection of Personal Information Act (POPIA), 2013

[reference to appointment and designation of Information Officer and Deputy Information Officer for a Private Body:]

CHAPTER 1 DEFINITIONS AND PURPOSE

Definitions

1. In this Act, unless the context indicates otherwise—

‘information officer’ of, or in relation to, a—

(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;

[Note, there is no reference to a Deputy Information Officer for a Private Body in section 1 or 17 of PAIA.]

Designation and delegation of deputy information officers

56. Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of—

(a) such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of this Act; and
(b) any power or duty conferred or imposed on an information officer by this Act to a deputy information officer of that public or private body.

Please note that POPIA makes no additional provision for the appointment of one or more Deputy Information Officers in a Private Body, as it refers to section 17 of PAIA, which deals only with the designation of deputy information officers and delegation for Public Bodies. Thus, the accountability in a Private Body rests with the head of the body. The responsibility may be delegated but the accountability cannot.

In summary, the “Head” of a Private Body can delegate responsibility but not accountability.

An Information Officer appointment letter template based on the text above can be downloaded here.

© 2025 POPI Solutions