On 14 December 2018 the Regulations relating to the Protection of Personal Information 2018 (POPI Regulations) were published by the Information Regulator. The POPI Regulations, although final, will only take effect on a date that will align with the commencement date of the Protection of Personal Information Act 4 of 2013 (POPI).

Amongst other things, the POPI Regulations shed further light on what the duties and responsibilities of an Information Officer are. POPI defines an Information Officer as follows:

- in relation to a public body: an Information Officer or Deputy Information Officer as contemplated in terms of section 1 or 17 of POPI; or
- in relation to a private body: the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act 2 of 2000 (PAIA).

PAIA provides that a “head” of a private body means:

- in the case of a natural person: that natural person or any person duly authorised by that natural person;
- in the case of a partnership: any partner of the partnership or any person duly authorised by the partnership; or
- in the case of a juristic person: the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer, or the person who is acting as such or any person duly authorised by such acting person.

Information Officers are appointed automatically in terms of PAIA. What this means is that every public body (e.g. national department, provincial body, municipality, etc.) and every private body (e.g. a company, a trust, a close corporation, etc.) has an Information Officer by default and no one is exempt.

The Information Officer of a public body is the head of that public body. This means that for a national or provincial government department it is the Director-General or the equivalent official of that department who is the Information Officer. For a municipality the municipal manager is the Information Officer. In the case of any other public body the Chief Executive Officer (CEO) is the Information Officer. In the case of a private body, the Information Officer is by default the owner of the business. Therefore, based on the type of private body, the Information Officer will be the sole trader, a partner in a partnership or the CEO (or equivalent) in a company or close corporation.

Information Officers are also required to appoint, in writing, Deputy Information Officers to assist them in the performance of their responsibilities and duties and to ensure that requests for information made to the body are dealt with in an effective and efficient manner. There is no limitation on the number of Deputy Information Officers that an Information Officer may appoint.

The Deputy Information Officer of a public body or private body is an employee of that public body or private body to whom the Information Officer has delegated their powers and duties in terms of POPI, read with the provisions of PAIA. This means that the Deputy Information Officer will receive requests for information, facilitate these requests and provide the necessary assistance to applicants on behalf of the Information Officer.

The Information Officer still maintains direction and control over the Deputy Information Officer(s), meaning that the Information Officer, as the head of the public or private body who determines the purpose of and the means for processing personal information, remains responsible for the decisions of his or her authorised deputies. This delegation of powers must be done in writing for it to be valid.

In terms of section 55 of POPI, an Information Officer has the duty and responsibility to:

- encourage compliance by the body with the conditions for the lawful processing of personal information in terms of POPI;
- deal with requests made to the body in terms of POPI;
- work with the Regulator in relation to investigations conducted in relation to the body; and
- otherwise ensure compliance by the body with the provisions of POPI.

The POPI Regulations (Regulation 4) have now amplified the provisions of section 55 of POPI and provide that an Information Officer of a body is responsible for ensuring that:

- a compliance framework is developed, implemented, monitored and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- a manual is developed, monitored, maintained and made available as prescribed in terms of POPI and PAIA (made available on the body’s website as well as at its offices for public viewing during normal business hours). These manuals must also be made available for copying, on payment of a fee that does not exceed R3.50 per page. The manual must specify:
  - the purpose of the processing of personal information;
  - a description of the categories of data subjects and of the information or categories of information relating thereto;
  - the recipients or categories of recipients to whom the personal information may be supplied;
  - the planned trans-border or cross-border flows of personal information; and
  - a general description allowing preliminary assessment of the suitability of information security measures to be implemented and monitored by the responsible party.
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- internal awareness sessions are conducted regarding the provisions of POPI.

Neither POPI nor PAIA specifically provides for the qualifications that a person should have in order to hold the position of Information Officer. However, from the duties and responsibilities listed above, it is evident that such a person is bestowed with great responsibility and duty to ensure that the body, whether private or public, fulfils its POPI mandate.

VDT Attorneys has the necessary expertise to ensure that your business is fully POPI compliant. We offer innovative POPI solutions to fit your business’s essential POPI compliance needs, which in turn can be customised to equip your business with the finer important details. For further information on complying with the provisions of data protection legislation such as POPI and PAIA, please contact us.

Your legal experts:

- PR de Wet: 012 – 452 1413 or prdw@vdt.co.za
- Hayley Levey: 012 – 452 1317 or hayley@vdt.co.za

Copyright © VDT Attorneys, February 2019

Disclaimer: Nothing in this article should be construed as formal legal advice from VDT Attorneys Inc. or any attorney of the firm. Readers of this article are advised to consult professional legal advisors for guidance on legislation which may affect them or their businesses.