News / Legal Brief

Blessing or Curse: POPIA requires that an Information Officer must be appointed

Apr 7,2021

by Ahmore Burger-Smidt, Director and Head of Data Privacy Practice and member of Competition Law Practice and Dimakatso Khumalo, Candidate Attorney


  • The digital representation of data or personal information, has brought many challenges to protecting privacy rights and thereby protecting individuals. In terms of the Protection of Personal Information Act 4 of 2013 (“POPIA“), all organisations who process personal information need to adopt measures to ensure the protection of personal information. One of these measures is ensuring that there is an individual who is endowed with the responsibility of protecting information within an organisation and held accountable for the use/misuse of the data they hold. Such a person is referred to as the Information Officer. A notice has been issued by the Information Regulator stipulating that regulation 4, which deals with the appointment of the Information Officer, will be effective on 1 May 2021.
  • While POPIA designates the head of the business of a private entity as an Information Officer, an Information Officer in respect of a public body means an Information Officer or Deputy Information Officer as contemplated in sections 1 and 17 of the Promotion of Access to Information Act 2 of 2000 (“PAIA”)[1].

Outsourcing of an Information Officer

  • There are indeed questions relating to whether or not the role of an Information Officer can be outsourced by private companies. It is unfortunate that aside from making it mandatory for organisations to cater for the appointment of an Information Officer, providing for prescribed proposed timelines, the delegation of authority, and what the respective duties and responsibilities of the Information Officer are, POPIA, the POPIA Regulations, PAIA and the Draft Guidelines on the Registration of an Information Officer (“Draft Guidelines“) provide little guidance on how to approach the appointment of an Information Officer practically, especially in circumstances whereby default position (e.g. CEO in the case of a private body) is deviated from. It is therefore foreseen that once the Information Regulator’s office finalises its review of the comments on the Draft Guidelines, clarification regarding who is eligible to be an Information Officer in certain circumstances will be provided.
    • It is hoped that the Information Regulator will take guidance from the interpretation and implementation of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR“) when providing clarity on the outsourcing of the role of an Information Officer. In terms of article 37 (6) of the GDPR, an Information Officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract, or in other words, an outsourced contractor.
    • An Information Officer of a public or private body can, in writing, delegate his or responsibilities to a duly authorised person in terms of section 56 of POPIA. It should however be noted that whoever “determines the purpose of and means for processing personal information” remains ultimately responsible for ensuring that the processing of personal information is done in a lawful manner.
    • The pros and cons will need to be weighed up when deciding whether to appoint an internal or external person as the Information Officer (should the Information Regulator give the go ahead for an external appointment) or delegate Information Officer. Appointing someone internally means the internal Information Officer is able to take advantage of existing work relationships to fulfil their role. An external Information Officer on the other hand will likely have more compliance knowledge and experience and find it easier to keep up with developments in the field.

The following important aspects (as addressed in the Draft Guidelines) should be noted:

  • an Information Officer who fails to adequately perform his/her responsibilities and duties in terms of POPIA or POPIA regulations may be held personally liable. The proposed penalty imposed in this regard is a fine and/or imprisonment, with the fine capped at a maximum of R3,000 per infringement. The proposed imprisonment time is not stipulated in the Draft Guidelines; and
  • the appointment of the Information Officer and of any deputies must be effected in writing. Once doing so the Information Officer must be registered with the Information Regulator. The Draft Guidelines propose at this stage that a manual hardcopy application form (which is annexed to the Draft Guidelines) be completed and submitted for registrations.

Skills of an Information Officer

  • While POPIA does not set out specific skills for an Information Officer, guidance can be gleaned from the GDPR whose requirements for a Data Protection Officer (Information Officer in terms of POPIA) reflect directly upon the skills required by the Information Officer Role. The skills relevant to POPIA and its requirements can be summarised as follows –

Knowledge of IT functions

  • The Information officer not only has to be well versed in data protection law, but they have to be able to offer guidance on things such as risk assessments and data protection impact assessments. Ultimately, this knowledge will likely have to be gleaned from IT programming know-how, IT infrastructure and Information technology audits. This knowledge will have to evolve constantly to keep up with how the landscape of threats evolves so that the Information Officer can protect companies at every turn from potential breaches;


  • The Information Officer must understand relevant data protection and privacy laws and keep up with evolving legislation. Furthermore, the Information Officer must be experienced in discovering potential legal gaps and facilitating gap mitigation and compliance.

cultural competency

  • Many organisations handle personal data of people beyond their borders, so the Information Officer must be able to engage with responsible parties and data operators in other countries. The Information officer must therefore be flexible and have a global focus.


  • The Information Officer is going to serve companies as a consultant for any issues that may arise with regard to personal data rights. This necessitates both a lot of interaction and instruction. The Information Officer must be prepared to be called on often to provide advice and guidance pertaining to requests or complaints.


  • The Information Officer must have the competence and skills to carry out their role without guidance and know where to find necessary information. The Information Officer is also required to have board level presence and be able to deal with experienced business people.
  • We eagerly await the Information Regulator to issue final guidelines informing:
    • whether the role of an Information Officer may be outsourced;
    • the liability of an information officer; and
    • the skills that an Information Officer is required to have.

[1]       Protection of Personal Information Act 4 of 2013, s1.




Latest News