The office of the South African Information Regulator recently published its first draft regulations in terms of the Protection of Personal Information Act, 2013 (“POPI”), entitled “Regulations relating to the Protection of Personal Information, 2017”. The draft regulations are open for public comment until 7 November 2017. They address various procedural aspects of POPI, including the manner in which data subjects may object to the processing of their personal information and the manner in which a data subject’s consent to the processing of personal information for direct marketing purposes must be requested. The draft regulations refer to, and have attached to them, the forms that prescribe how such objections and consent requests must be made.

Regulation 4 of the draft regulations also expands on the duties and responsibilities of information officers. Information officers are defined with reference to the Promotion of Access to Information Act, 2000 (“PAIA”) as the “head” of the private body, which is, in the case of:
- a natural person: that person or any person duly authorised by that natural person;
- a partnership: any partner or duly authorised person; and
- a juristic person: the chief executive officer, equivalent, acting officer or duly authorised officer.
Information officers must be registered with the Information Regulator. An information officer’s duties may be delegated to other members of the organisation, and deputy information officers may be appointed to assist with them. Those duties, as set out in section 55 of POPI, include:
- encouraging compliance with the conditions for the lawful processing of personal information;
- dealing with requests made to the organisation under POPI;
- working with the Information Regulator on investigations conducted in relation to the organisation; and
- otherwise ensuring compliance by an organisation with the provisions of POPI.
Regulation 4 of the draft regulations expands on these duties by requiring information officers to ensure that:
- a compliance framework is developed, implemented and monitored;
- adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- preliminary assessments are conducted;
- a manual for the purpose of PAIA and POPI is developed, which must be available on an organisation’s website and at its offices for public inspection during normal business hours. Copies of the manual must also be made available upon payment of a fee to be determined by the organisation, which may not be more than ZAR3.50 per page. This manual must detail:
  - the purpose of the processing;
  - a description of the categories of data subjects and of the information or categories of information relating thereto;
  - the recipients or categories of recipients to whom the personal information may be supplied;
  - the planned trans-border or cross-border flows of personal information; and
  - a general description allowing preliminary assessment of the suitability of the information security measures to be implemented and monitored by the responsible party.
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- awareness sessions are conducted regarding the provisions of POPI, regulations made in terms of POPI, codes of conduct, or information obtained from the Information Regulator.
Based on these developments, it is clear that the role of an organisation’s information officer is not one to be taken lightly. An information officer’s duties are wide-ranging, and every organisation should review who holds the role and how its duties are carried out.