Every organisation must have one. All public bodies, private bodies such as companies, CCs, partnerships, and trusts. Everybody has to have an Information Officer (IO) by law.

The Information Regulator has developed draft Guidelines on the Registration of IOs, which require that a responsible party registers its IO with the Regulator, and that this be done before taking up his or her respective duties, in terms of the Protection of Personal Information Act 4 of 2013 and the Promotion of Access to Information Act 2 of 2000 (POPIA and PAIA).

As things stand, IO’s must complete and submit the registration form to the Regulator on, or before 31 March 2021.

Keeping up with compliance

According to Michalson’s law firm, the role of an IO is not to be confused with the Chief Information Officer (CIO). The two jobs perform very different roles. An IO performs much the same role as a Data Protection Officer as under General Data Protection Regulation (GDPR).

An IO of a responsible party (or body) must encourage and ensure compliance with PAIA in accordance with the body’s definition of compliance. They must create, maintain and update a PAIA manual for the body, and evaluate and approve requests for access to information. This has to be done in terms of the grounds set out in PAIA, and within the time constraint or any extended period.

The IO is a key person in any project or programme involving POPIA and data protection in general. These full responsibilities are clearly stipulated in section 55 of POPIA and in the POPIA Regulations.

What qualifies an IO?

An IO must be a leader who possesses appropriate communication skills and understands the key principles of data protection. Effectively, the IO is the champion of data protection, but not the policeman.  It remains the firm’s responsibility to comply with data protection legislation, but the IO plays a crucial role in helping a firm fulfil its data protection obligations.  An IO needs to be reasonably tech savvy with an in-depth understanding of the business, and knowledge of how the organisation processes client activities.

POPIA doesn’t specify the precise credentials that are expected, but it does say skills must be proportionate to the type of processing you carry out, taking into consideration the level of protection that personal data requires. Where the processing of personal data is particularly complex or risky, the knowledge and abilities of the IO should be correspondingly advanced enough to provide effective oversight.

The IO must be adequately resourced, and report to the highest management level. In some cases, several organisations can appoint a single IO between them. It should be an internal appointment at middle or senior management level, and executive bodies must support the IO in getting data protection right.

South Africa is about three decades behind some jurisdictions in data protection. Appreciation levels need to increase to bring us in line with many other markets.

Article by James George, Compliance Manager, Compli-Serve