The POPI Act : Everything you need to know about Information Officers

April 17, 2023


The Protection of Personal Information Act (POPIA) aims to protect people from harm by protecting their personal information: stopping their money and identity from being stolen, and generally protecting their privacy, which is a fundamental human right.

The act also seeks to remedy past fraudulent activity involving access to citizens' information.

The Protection of Personal Information Act (POPIA) involves three parties:

1) The data subject: the person to whom the information relates.

2) The responsible party: the person who determines why and how to process the data subject's information.

3) The operator: a person who processes personal information on behalf of the responsible party (or parties).

As a company or individual, what steps will you have to take to comply with the act?

Responsible parties will have to take various steps to comply:

1) Appoint an Information Officer.

2) Draft a privacy policy.

3) Raise awareness amongst all employees.

4) Amend contracts with operators.

5) Report data breaches to the regulator and data subjects.

6) Check that they can lawfully transfer personal information to other countries.

7) Only share personal information when they are lawfully able to.

So, what is an Information Officer?

The Information Officer of an organization plays an essential role regarding personal information. Every single organization in South Africa has one.

It was referred to as the Information Protection Officer before the act, but the appropriate term is Information Officer.

Who is not an Information Officer?

Some people also use the term 'Privacy Officer', but this is not the terminology used by the POPI Act; the role of a Privacy Officer is something else. The law (particularly the Promotion of Access to Information Act, or PAIA) automatically designates a person in each organization as an officer. That person is an Information Officer, not the Chief Information Officer or CIO; the two perform very different roles.

Do I already have an Information Officer?

Every organization has one, including all public bodies (such as a national department, provincial administration or municipality) and all private entities (such as companies, close corporations, partnerships and trusts).

Who should be designated as Information Officer?

The officer should be at the executive level (or an equivalent position), and the officer must report to the highest management office.

What are their responsibilities?

The Information Officer is the person responsible for ensuring that the organization complies with the POPI Act. They are a crucial person in any project or program. An Information Officer of a responsible party (or body) must:

1) Encourage compliance with the conditions for the lawful processing of personal information,

2) Deal with requests made according to POPIA (presumably by the Information Regulator or data subjects),

3) Work with the Regulator on investigations conducted in relation to the body concerning prior authorizations (pursuant to chapter 6),

4) Otherwise ensure compliance by the body with the provisions of POPIA,

5) Develop, implement and monitor a compliance framework,

6) Ensure that a personal information impact assessment is done to confirm that adequate measures and standards exist,

7) Develop, monitor, maintain and make available a PAIA manual,

8) Develop internal measures and adequate systems to process requests for access to information,

9) Ensure that internal awareness sessions are conducted, and

10) Do whatever else may be prescribed (presumably by the Minister or the Information Regulator).

These responsibilities are set out in section 55 of POPIA and the POPIA Regulations.

Do Information Officers have to be employees?

The officer must be an employee of a body (notes 2.2, 7.2, 8.2). Interestingly, the guidance note uses all three words: delegate, designate and authorize. For many years, we have recommended that the officer be an internal resource and that responsible parties should not outsource the role. But this does not always hold true. Sometimes someone outside the organization should perform the role, for example with community schemes and managing agents, or with pension funds.

What if a body has no employees, or very few?

Generally, an organization will have a head, such as a director or a trustee. Even if they are not an employee, they are the default officer, and the responsible party will then have to register them with the Regulator.

What happens when there is no one suitable to perform the role?

The officer can still ask various lawyers or consultants to help them. In other words, an employee may need to be the registered officer, but they can contract someone else to perform (be delegated) most of the duties or responsibilities.

A group of companies is better served by having the same person be the Information Officer for all the companies in the group.

Each subsidiary of a group of companies must nevertheless register its own Information Officer and Deputy Information Officer(s) with the Regulator (Note 5.3).


How does one train to be an Information Officer?

The officer must have a reasonable understanding of:

1) the law, and

2) the responsible party's operations and processes.

The responsible party must ensure that their officer:

1) receives appropriate training, and

2) keeps abreast of the latest developments.


Is there a template to appoint the Deputy Information Officer?

Yes, there are templates that companies, close corporations, partnerships and sole proprietors can use to appoint an Information Officer, and some are publicly available. There are two simple templates in the guidance note on Information Officers and Deputy Information Officers:

1) Designation and Delegation of Authority to the Deputy Information Officer

2) Authorization of Information Officer

A board resolution is required: the board should confirm the appointment by way of a resolution. The advantage is that the board is aware of the Information Officer's role and can question the appointment if it believes this is necessary.

How do I register my information officer with the regulator?

A responsible party should register their officer online (this is encouraged) before 01 July 2021. This is not currently possible, but the Regulator will in future create an electronic platform (the Information Officer Registration Portal) on its website to enable you to do this. The Regulator has indicated that this will be possible from 01 May 2021.

What are the penalties for non-compliance?

There are essentially two legal penalties or consequences for the responsible party:

1) A fine of between R1 million and R10 million, or imprisonment of one to ten years.

2) Paying compensation to data subjects for the damage they have suffered.

It is improbable that anyone will go to jail, and the fines are small compared to other jurisdictions. Additional consequences include:

1) Reputational damage

2) Losing customers (and employees)

3) Failing to attract new customers