Choose your information officer wisely

When, in the early 1990s, the personal computer was becoming popular in South Africa, people were slowly but surely starting to migrate physical activity to a digital form. Soon, programs like Microsoft Word became a home and office staple. After the shift from physical data processing to digital data processing, came the shift from manual digital processes to automated processes. This digitalisation of data has brought many challenges to protecting privacy rights and thereby protecting individuals.

For this reason, data privacy laws and regulations have become prominent in national legislatures across the world. For South Africa, the laws set in place to govern the protection of private information is by way of the Promotion of Access to Personal Information Act (PAIA) as well as the Protection of Personal Information Act (POPI).

By law, all businesses or other entities who process personal information need to have a variety of measures in place to ensure the protection thereof. One of these measures is to give the responsibility of protecting information over to a responsible party within a business and hold them accountable for the use/misuse of the data they hold.

Who should I appoint as Information Officer?

By default, PAIA makes someone responsible for personal data that is processed on behalf of their business. In most cases this default person is simply the owner of the business. However, business owners may appoint someone else as Information Officer to take responsibility for the business’s handling of data.

While there are no official qualification requirements for Information Officers, it is highly advisable that you appoint a person with experience in managing digital assets. And, depending on the size of your organisation and the quantity of personal information you store, manage, and use, you may opt to create a permanent role for the Information Officer. You could also choose to give over responsibility to an outside party – however, the additional risks of this approach must be considered.

What is the role of the Information Officer?

An Information Officer, as laid out in the POPI Act, is responsible for the following:

  • Encouraging compliance with the conditions for the lawful processing of personal information (as laid out in POPI).
  • Dealing with requests made in relation to the personal information of data subjects.
  • Cooperating with the Information Regulator, as required by POPI.
  • Ensure compliance with the regulations mandated by POPI.
  • Ensuring that a compliance framework is created, implemented, supervised, and maintained.
  • Taking care to do an impact assessment to make sure that the correct standards exist, and the right measures are taken to comply with the conditions for the lawful processing of personal information.
  • Implementing protocols and policies for dealing with requests to access information.
  • Conducting internal training for employees on the provisions of POPI.
  • Developing, and maintaining a POPI manual as required by the legislation put forth in terms of POPI and PAIA. These manuals must be available in both digital and physical form, if possible, and must always be publicly available during business hours.

What must the POPI manual elucidate?

  • The purpose for the processing of personal information.
  • A description of who the data subjects are and what kind of data is captured concerning them.
  • With whom the information may be shared.
  • The movement of personal information nationally and internationally (whether in physical or digital form).

The points listed above are not exhaustive but give a good overview of what can be expected of an Information Officer. For further information, or to put a thorough process in place for POPI compliance, it is highly advised that you speak to your advisor regarding the necessary subsequent steps to take.

References:

This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)