POPIA… questions answered
The wait for the Protection of Personal Information Act (POPIA) is finally over. However, for some, there are still questions.
Who is the Information Officer, and who can be Deputies? What are the Information Officer’s duties and responsibilities?
During an iTOOsday webinar, the Norton Rose Fulbright data privacy team, Rosalind Lake and Ushenta Naidoo, explained the roles and responsibilities of the Information Officer and how to comply with the requirements.
Parties involved
“The responsible party controls the procedures and purpose of processing of personal information. The operator processes personal information on behalf of the responsible party. An operator must only process personal information with the responsible party’s knowledge or authorisation and treat all personal information as confidential,” said Lake.
“POPIA requires a written contract between responsible parties and operators. At a minimum, the operator must comply with security safeguards, and provide immediate notification when there are reasonable grounds to believe that a breach has occurred. But, responsible parties remain liable for breaches of any of the conditions for lawful processing by operators,” added Lake.
The Information Officer
“Who qualifies as an Information Officer? It must be a natural person who carries on any trade, business or profession, but only in such capacity or any person duly authorised by that natural person. Any partner of the partnership or any person duly authorised by the partnership. By default, the Chief Executive Officer or the Managing Director or equivalent officer of an organisation will be the Information Officer,” said Naidoo.
“Information Officers may delegate any of their powers or duties to Deputy Information Officers. Deputy Information Officers may be appointed at the discretion of the organisation. Only employees of an organisation can be designated as Deputy Information Officers. Information Officers must remain in control of the Deputy Information Officer’s activities. Delegation of powers does not prevent an Information Officer from exercising the delegated power or duty. Guidelines provide a template form for the appointment of DIOs,” added Naidoo.
Roles and responsibilities
“An Information Officer has a number of responsibilities, otherwise ensuring compliance by the body with the provisions of POPI and as may be prescribed. Officers must take up their duties in terms of POPI only after they have registered with the regulator,” said Naidoo.
Norton Rose Fulbright explained that in order to ensure effective compliance with POPIA, and in particular the organisation’s compliance with the conditions for lawful processing of personal information, the Information Officer must:
1. Know what personal information is in the organisation’s possession or is collected;
2. Know where such information is stored;
3. Know the purpose for which it is collected;
4. Know the uses to which it is put;
5. Have a comprehensive knowledge of POPIA and all the requirements which apply to the organisation;
6. Be empowered to enforce compliance with POPIA.
POPIA sets out the following duties for the Information Officer, who must:
• Be able to handle all requests for access to information;
• Have a good understanding of the grounds for refusal, including handling of partial requests;
• Verify the identity of data subjects when handling data access requests;
• Be trained on how to deal with investigations by the Information Regulator or requests from the Information Regulator;
• Ensure that a compliance framework is developed, implemented, monitored and maintained;
• Ensure that a personal information impact assessment is done on all processing activities to ensure that adequate measures and standards exist, so as to comply with the conditions for lawful processing of personal information;
• Make certain that a manual is developed, maintained and made available in accordance with the Promotion of Access to Information Act (PAIA), and on request provide copies of the manual to any person who requests it, on payment of a fee determined by the Regulator;
• Ensure that internal measures are developed together with adequate systems to process requests for information or access thereto; and
• Ensure that internal awareness sessions are conducted regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the Information Regulator.
Lake added that it is important to keep records of all data subject requests, processing activities and personal information impact assessments in case there is a complaint to respond to down the line. Public companies are required to report to the Information Regulator annually on data subject requests.
Personal consequences
The Information Officer may be held liable for the failure to adequately perform their responsibilities in terms of POPIA and its Regulations, or PAIA. In certain circumstances, criminal consequences may personally attach to the Information Officer which may include a fine or imprisonment of up to two years.
POPIA empowers the Information Regulator to serve the Information Officer with an enforcement notice which sets out, amongst other things, actions that the Information Officer is required to take or must refrain from taking. Should the Information Officer fail to comply with the enforcement notice, they will commit a criminal offence. The Information Officer may also be found criminally liable should they commit any of the following acts:
1. With intent to deny a data subject’s right of access to their personal information: (a) destroys, damages or alters a record; (b) conceals a record; or (c) falsifies a record or makes a false record; and
2. Wilfully or in a grossly negligent manner fail to comply with section 51 of PAIA, which regulates the procedure for publishing a manual that describes to data subjects how to access and request their records of personal information.
Norton Rose Fulbright recommends that all organisations take data privacy compliance very seriously.
Writer’s Thoughts:
There are significant risks for individuals who are appointed as Information Officers, and it is critical that the Information Officer complies with all their obligations. For those who are still unsure, partner with someone who has extensive experience and understanding of the POPI Act. If you have any questions please comment below, interact with us on Twitter at @fanews_online or email me - myra@fanews.co.za.