Now, there is a question. It depends on the organisation, but often it is someone in legal or compliance. No formal qualifications are required by law. It is essential that the person you select as your information officer (IO) has a thorough knowledge of data protection law and what it entails. In larger organisations, this could take longer to learn, and more in-depth knowledge would also be necessary. In larger organisations, it is vital to consider someone with institutional knowledge of the business, who can then learn what POPIA requires. This could be a better alternative than appointing someone who knows what POPIA requires but lacks institutional knowledge of the business.
Can the role be outsourced?
Yes. We see two main aspects of the information officer role: authority (being accountable for getting something done) and responsibility (being the person who actually gets it done). In its guidance note on information and deputy information officers, the regulator says that you can’t outsource authority. You can, however, outsource some of the responsibilities. If you do, let it be someone who has knowledge of the context in which the organisation operates (sector, etc.).
You can outsource the role or the responsibilities to Michalsons.
Can one person be the information officer for many bodies?
Yes. For example, one person can be the information officer for multiple companies in a group. But each subsidiary of a group of companies must register an officer.
Should someone be paid more to take on the information officer role?
This will depend on the organisation. There aren’t great risks associated with the role, so maybe not, but there will be more work to do, so maybe yes.
Is the information officer role a full or part-time role?
This also depends on your organisation, the impact data protection has on it and the size of it.
Should the information officer be someone in IT?
In our view, no. It is tempting to make the Chief Information Officer (CIO) the information officer (IO), but this is a mistake. The IT department is often more involved with technology than with information. The business owns the information. IT has an important role to play (especially with security), but the information officer role includes the balancing of rights and interests, and this is not something that IT normally does.
Can the default information officer delegate the responsibility to a person who is not employed by the organisation?
Yes, our understanding is that it is permissible to outsource responsibility (being the person who gets something done), but not authority (being accountable for getting it done). But the person registered as the Default Information Officer or Deputy Information Officer must be an employee of the organisation according to the regulator in their guidance note on information officers and deputy information officers.
When should we consider outsourcing responsibilities?
It may be useful to outsource the role of your information officer if:
- your current team is not suitably qualified;
- your current team is overworked and low on capacity;
- you can’t afford to add new members to your team;
- you are losing team members and can’t afford to train replacements;
- turnover in your team is leading to business continuity issues.
What responsibilities can we outsource?
Almost all of them, if you manage the project effectively. POPIA breaks the various information officer responsibilities down into four main sections, being:
- encouraging compliance – like running awareness campaigns, or guiding board decisions;
- dealing with requests – like responding to data subject access requests, or regulator questions;
- working with the regulator – like helping the regulator with investigations;
- otherwise ensuring compliance – like registering your information officer, mapping activities, performing impact assessments, developing policies, or implementing frameworks and procedures.
What options are there for outsourcing our information officer responsibilities?
You could:
- outsource your entire data protection function, like through an Information Officer as a Service offering
- outsource specialist responsibilities, to supplement your internal data protection generalists, like through a customer retainer
- outsource only the tools needed by your internal data protection specialists, like through the Michalsons Data Protection Programme
Does the person need to be in South Africa?
Yes, according to the regulator’s guidance note.
Do you need a POPIA representative in South Africa?
Yes, if you are required to register with the regulator, but have no physical presence in South Africa. Michalsons can be your authorised representative in South Africa.