POPIA: Who is the information officer?
In terms of Regulation 4 to the Protection of Personal Information Act (POPIA), from 1 May all real estate businesses must have an information officer (IO). Who is this information officer? Can anyone be appointed?
On 22 February 2021 the Information Regulator issued a notice stipulating that Regulation 4 to POPIA becomes effective on 1 May 2021. Regulation 4 deals with the appointment of the business’s information officer as well as the duties of such a person.
Guideline on appointment of an information officer
Luckily for all businesses, the Information Regulator published a Guidance Note in respect of information officers that should hopefully answer most questions. The purpose of this guideline is to provide guidance and procedures for:
- the obligations and liabilities of information officers and deputy information officers;
- registration of information officers with the Information Regulator;
- updating the details of information officers;
- designation of deputy information officers and delegation of duties and responsibilities of the information officers to the deputy information officers.
In terms of this guideline, if the business operates as a company, trust or close corporation, the information officer will by default be the chief executive officer or managing director unless another person is duly authorised by the CEO or MD. If the company has subsidiary companies attached to it, then each subsidiary company will have to appoint its own information officer.
Each person authorised as information officer must be at executive level or similar, so it is clear that this function cannot be delegated to a mere administrator. Insofar as unincorporated associations are concerned (like sports clubs, charities, body corporates and small sole proprietors), the most senior person in management will by default be the information officer unless another person has been authorised to fulfil the functions of IO.
Duties of the IO
The duties of the information officer include but are not limited to:
- encouraging compliance with POPIA in the business;
- acting as the contact for requests from the Information Regulator;
- assisting the Regulator with investigations and ensuring general revision of the business’s privacy policies.
All information officers are to be registered with the Information Regulator on the application form supplied with the guideline, and registration opens on 1 May 2021.
- Determining WHO the appointed information officer will be is the most important step to be taken by all organisations and associations;
- Once the information officer is identified, he/she must be appointed in writing;
- Once appointed, that person must proceed to register his/her details with the Information Regulator;
- Then the duties commence.
About the author: Melanie Coetzee started her own legal consultancy in October 2021 after more than 20 years in corporate law firms. She specialises in property law, in particular foreign investors, exchange control and all compliance-related elements, including FICAA, Privacy Laws and Covid-19.