
Registration of Information Officers
The Information Regulator has published a Guidance Note giving further clarity on the registration of Information Officers (“IOs”) and Deputy Information Officers (“DIOs”).
The Guidance Note confirms that the CEO or managing director of a juristic person may authorise any natural person within the organisation to act as IO. The indication is that the role cannot be outsourced and that the CEO or managing director retains accountability and responsibility for any power or function authorised to the appointed IO.
The IO must be at an executive level or equivalent position and IO duties should be included as part of that person’s job description.
Authorisation must be made using the prescribed form, must be capable of being withdrawn or amended and must not prohibit the person (CEO or managing director) who made the authorisation from exercising the power or performing the duty themselves.
Where the IO wishes to appoint a DIO, authorisation must also be in writing and in the prescribed form and such person must be afforded sufficient time, adequate resources and financial means to devote to compliance with POPIA and PAIA.
It is recommended that the DIO should report to the highest management office. As such, the DIO should be at a level of management or above. The DIO should have a reasonable understanding of POPIA and PAIA and the business operations and processes of the organisation.
Where an organisation comprises a group of companies, the Guidance Note specifies that each subsidiary must register its IO and DIO with the Information Regulator as separate entities.
The Information Regulator has requested that responsible parties use the online registration portal from 1 May 2021.