With the Protection of Personal Information Act, 2013 ("POPIA") deadline looming on 1 July 2021, many organisations are starting to feel the mounting pressure of becoming compliant with the provisions of POPIA. A good starting point for any business embarking on its POPIA compliance journey is the identification and appointment of an Information Officer
for your organisation, not only from a practical perspective to engage this process, but this is also a legal requirement under POPIA.No matter the turnover, number of employees, or type of body (public or private), every organisation is required to identify, appoint and register an information officer in terms of POPIA.
In general, the role of the Information Officer is to ensure the responsible party’s compliance with both POPIA and the Promotion of Access to Information Act 2 of 2000 (“PAIA”).
Under PAIA, an Information Officer is expected to –
- encourage and ensure compliance with PAIA;
- create, maintain and update a PAIA manual for the body (that is if the organisation is required to have such a manual and does not fall under the current exemptions);
- evaluate and approve requests for access to information received in terms of the grounds set out in PAIA, within applicable timelines.
Under POPIA, an Information Officer is expected to-
- encourage compliance with the conditions for the lawful processing of personal information in terms of POPIA;
- deal with requests made pursuant to POPIA (presumably by the Information Regulator or data subjects);
- work with the Information Regulator in relation to investigations;
- otherwise ensure compliance by the body/entity with the provisions of POPIA;
- develop, implement and monitor a compliance framework for the POPIA compliance within such entity;
- ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- develop, monitor, maintain and make available a PAIA manual as prescribed in terms of POPIA and PAIA (subject to the aforementioned exemptions);
- develop internal measures and adequate systems to process requests for access to information;
- ensure that internal awareness sessions are conducted; and
- any other responsibilities as may be prescribed from time to time (presumably by the Minister or the Information Regulator).
With the deadline for compliance looming, we suggest that you contact an information and data protection attorney
as soon as possible to ensure that the information officer and his/her deputies are best positioned to implement your POPIA compliance framework and ensure that your business remains POPIA compliant thereafter.