POPI: the duties and responsibilities of the information officer

Article provided by SEESA

The Protection of Personal Information Act 4 of 2013 (POPI), which was signed into law on the 19th of November 2013, introduces the definition of an “Information Officer” as:

“of, or in relation to, a –

(a) Public body means an information officer or deputy information officer as contemplated in terms of Section 1 or 17, or
(b) Private body means the head of a private body as contemplated in Section 1 of the Promotion of Access to Information Act.”

The POPI Act further describes the duties and responsibilities of the Information Officer in Section 55(1) of the Act as the following:

“An information officer’s responsibilities include –

(a) The encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
(b) Dealing with requests made to the body pursuant to this Act;
(c) Working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
(d) Otherwise ensuring compliance by the body with the provisions of this Act; and
(e) As may be prescribed.”

The Information Officer will only take up his/her duties in terms of the above after the business has registered him/her with the Regulator.

Following the above, the POPI Regulations, which were published on the 14th of December 2018, and more specifically Regulation 4, determine the further duties and responsibilities of the Information Officer. The Regulation specifically states that: “An information officer must, in addition to the responsibilities referred to in Section 55(1) of the Act, ensure that-” and continues to list the further duties and responsibilities, the implementation of which I will explain as they are mentioned:

“(a) a compliance framework is developed, implemented, monitored and maintained” – Your POPI legal advisor will assist with this process by establishing the risk areas of your business in terms of the Act, drafting the legal framework to address these risk areas by providing a POPI guidelines document with a specific “Areas of Concern”. The correct policies and procedures to be implemented by the business will then also be suggested to the business through a POPI Internal Approval Document and can be monitored and maintained by regular POPI training with key staff members.

“(b) a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information” – I refer to the POPI Guidelines above and the specific “Areas of Concern” drafted by your Legal Advisor, to be implemented by the business as suggested.

“(c) a manual is developed, monitored, maintained and made available as prescribed in Sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000)” – It is suggested that you discuss the above with your auditor/bookkeeper as the abovementioned manual in terms of PAIA only applies to certain businesses;

“(d) internal measures are developed together with adequate systems to process requests for information or access thereto” – Discuss the above with your POPI Legal Advisor to ensure that the correct practices are followed when processing personal information or providing an outside third party with access thereto;

“(e) internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.” – This particular part of the Regulations highlights the importance of training. It is therefore vital to ensure that you book a POPI training session with your POPI Legal Advisor for key staff members to receive training. It is also vital to continue with ongoing training and ensuring awareness of the correct procedures to follow in terms of the Act, as well as awareness of the POPI policies suggested by your legal advisor and to create a culture of protection of personal information in the business. POPI Compliance is an ongoing process and booking a once-off training session never-to-be-repeated within the business will not be considered compliance by the Information Regulator.

SEESA is a proud Partner of the NSBC.

ABOUT THE AUTHOR

Marike Brand obtained her LLB from the University of Stellenbosch and thereafter practised for three years as an admitted attorney in commercial civil litigation. She thereafter joined SEESA Cape Town in November 2014 as a Consumer Protection & POPI Legal Advisor.