Navigating the Maze: Understanding the Roles and Responsibilities of Information Officers under GDPR and POPIA
Compared to the DPO role under GDPR in Europe, the information officer's term of office under PAIA, being the CEO for the private sector and the DG for the public sector, is 'as long as the incumbent is in the leadership role in the organisation'. The term under POPIA is also unlimited.
In the implementation of the Protection of Personal Information Act (POPIA), the roles and responsibilities of Information Officers are crucial yet complex. Let's unravel the intricacies surrounding the term of office, duties, and registration requirements for these pivotal figures in data protection compliance.
Term of office poses a unique challenge, especially when compared to the Data Protection Officer (DPO) role under GDPR in Europe. Unlike the fixed term for DPOs, Information Officers in South Africa's private sector (CEO) and public sector (DG) hold their position 'as long as the incumbent is in the leadership role in the organization'. This unlimited term, while intended to ensure continuity, raises questions about potential conflicts of interest and the need for clearer guidelines.
Delving deeper into the duties and responsibilities of Information Officers under POPIA, we encounter a spectrum of tasks aimed at fostering compliance and safeguarding data subjects' rights. From providing guidance on lawful data processing to handling requests from both data subjects and regulators, Information Officers play a pivotal role in ensuring organizational adherence to POPIA regulations.
However, challenges arise in interpreting the extent of their responsibilities, particularly concerning compliance enforcement. While the Act mandates Information Officers to ensure compliance, ambiguity persists on whether they bear ultimate responsibility or merely provide assistance to the Responsible Party.
Moreover, the issue of registration adds another layer of complexity. Despite the Act's requirement that Information Officers be registered, technical glitches in the regulator's system have left many unregistered. This not only hampers data subjects' ability to hold Information Officers accountable but also raises concerns about the protection of data subjects' rights.
In light of these complexities, it becomes imperative for organizations to navigate the landscape of POPIA compliance with clarity and diligence. By understanding the nuances of Information Officers' roles, addressing registration challenges, and upholding the spirit of data protection, businesses can foster a culture of accountability and safeguard individuals' personal information effectively.
In terms of POPIA, the specific duties or responsibilities of an information officer include the encouragement of compliance by the body with the conditions for the lawful processing of personal information. So the appointed person or persons need to provide guidance to everybody in the organisation on how to comply. But the word 'encouragement' is not very descriptive. People say 'well, maybe it's just a little bit of encouragement as needed', but I say maybe you need a whole lot more advice, and maybe you need to properly inform the organisation of what it needs to do. In dealing with requests from data subjects and the regulator, one must note that there is no qualification or ranking of requests: all data subject requests need to be read and responded to. If the Responsible Party does not provide the information officer with the necessary assistance, there is a high probability that data subject requests will not be handled as they should be, and that they will most likely not be concluded as they should.
Let us not forget that cooperation with the Regulator is also required when the Regulator is investigating the responsible party pursuant to Chapter 6 of the Act (Prior Authorisation).
What should happen with prior authorisation? The regulator should have approached the information officers of all the companies registered with CIPC and asked them for a set of details, starting with a personal information impact assessment, almost as if to say, 'you are requesting the processing of sensitive personal information; let me check your compliance with the Act', and the companies should have sent those to the regulator.
And then the last point is ensuring compliance by the party with the provisions of the Act. Some people have questioned whether the information officer must ensure compliance or merely encourage it. I guess this one will have to be settled in court, as it is unclear. But do remember that under Section 8, the responsible party is clearly responsible for compliance with the conditions. So I would say we didn't create a contract if the information officer was also responsible for compliance. The duty, as far as I'm concerned, is to assist the responsible party in every way possible: providing assistance, without actually becoming responsible for the compliance itself.

Finally, as may be prescribed in the regulations, you'll see that there are other duties assigned to the information officer, and information officers may take up their duties only after the responsible party has registered them with the Information Regulator. The regulator came out and said that information officers don't have to be registered, solely because the requirement should have been met on 1 March 2021, but its registration system crashed, so technically responsible parties could not register their information officers until then. The sad outcome of this is that a data subject cannot hold an information officer accountable if that officer is not registered with the regulator, because the Act explicitly requires that an information officer be registered. A data subject can't actually complain about an information officer not supporting or assisting the data subject until that officer is registered. So what it means is that data subjects' rights are currently not being protected by the regulator, because it failed to enable responsible parties to register their information officers with it.
POPIA requires that every company make provision for one person to be registered with the Information Regulator as an information officer and, if necessary, such number of deputy information officers as may be needed.