
Kick the tires and light the fires – guidance note on Information Officers and Deputy Information Officers finally published

Apr 7, 2021

by Ahmore Burger-Smidt, Director and Head of Data Privacy Practice and member of Competition Law Practice; and Dale Adams, Associate 

On 1 April 2021, the Information Regulator (“the Regulator”) published a Guidance Note for Information Officers and Deputy Information Officers (“Guidance Note”), which seeks to provide (long-awaited) clarity on, amongst others, –

  • the obligations and liability of Information Officers (“IO”) and Deputy Information Officers (“DIO”);
  • who can be registered as an IO;
  • designation of a DIO; and
  • delegation of authority by an IO to a DIO.

The Guidance Note was published following public consultation in terms of which the Regulator invited and duly considered comments on the draft Guidelines on Registration of Information Officers. On the same day, the Regulator issued a media statement stating that –

“The Information Regulator (IR) of South Africa has published the Guidance Note for the registration of Information Officers (IOs) and Deputy Information Officers (DIOs), in order to ensure proper understanding of the legislative requirements.

The Protection of Personal Information Act 4 of 2013 (POPIA) prescribes compulsory requirements for the registration of Information Officers (IOs) with the IR. The existing IOs under the Promotion of Access to Information Act 2 of 2000 (PAIA) will have to register once the IR has started the registration process.” [Emphasis added]

In relation to who may be appointed as an IO and particularly whether the role of the IO may be outsourced, the Guidance Note provides some clarity as follows –

  • as with POPIA, the Guidance Note designates the head of the business as the IO. Depending on the nature of the business, the IO will therefore be a sole trader, a partner in a partnership or the CEO (or equivalent officer) in a company or close corporation. Additionally, the IO may also delegate his or her responsibilities to any other duly authorised person, being the DIO;
  • as to whether the role of an IO may be outsourced (i.e. external appointment), the Guidance Note provides that the IO must “only” be an employee of a private body and must be an employee at an executive level or equivalent position at a level of management. This also applies to the appointment of DIOs.

Consequently, in order to be eligible for appointment as an IO and DIO, one must be an employee of that body concerned.

An IO may appoint as many DIOs as necessary depending on the structure, size and complexity of the operations of a specific body. The appointment of a DIO must however be done in writing, specifically using a template substantially similar to the Authorisation template “B” attached to the Guidance Note.

Interestingly, the Guidance Note also provides that –

  • the IO of a multinational entity based outside South Africa must authorise any person within South Africa as an IO; and
  • each subsidiary of a group of companies must register its IO and DIOs with the Regulator. Depending on the structure of a particular group, this, in our view, may lead to an unnecessary duplication of duties and may not be efficient.

The role of an IO is complex, serving as the point of contact between the organisation and the Regulator as well as being responsible for educating employees on compliance requirements and training staff responsible for the processing of personal information. Additionally, an IO must also conduct regular security audits and make recommendations to foster compliance with POPIA and best practices.

The Guidance Note recognises the above unique role played by an Information Officer and accordingly recommends that an IO and DIO receive appropriate training and keep abreast of the latest developments in POPIA and PAIA to execute his/her duties. However, such training will not be provided by the Regulator.

To facilitate the registration process, the Regulator is developing an online portal for the registration of IOs which is expected to be live by the end of April 2021. Accordingly, the registration of IOs and DIOs is expected to commence on 1 May 2021.

The role of an IO and/or DIO presents big shoes to fill for many South African companies. Many companies face uncertainty regarding the appointment of suitable IOs and/or DIOs, particularly, what skills are required of an IO and DIO? Can you simply promote an existing employee to the role? Will they meet the demands required in terms of POPIA and PAIA? What about training and ensuring overall compliance?

With just under 85 days left for companies to become POPIA compliant, it is important to ensure compliance with the above before the end of the remaining grace period. Werksmans is well placed to assist your company in affirmatively answering the above questions and in navigating towards compliance with POPIA and PAIA.

Please contact Ahmore Burger-Smidt at aburgersmidt@werksmans.com for further information.
