Who is responsible or accountable for offences committed under PAIA and POPIA? Who will the regulator, a court or an industry body hold accountable? Who is going to pay the fine or go to jail? These are questions we are often asked.
The responsible party (as the name suggests) will be held accountable
You first have to identify who the responsible party is, as defined in POPIA. This can be tricky because multiple legal and natural persons might be involved in a processing activity. The responsible party is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. Essentially, it is the person who determines why and how personal information is processed. Most of the time this is a juristic person (like a company). So, in many cases, the regulator will hold the organisation (the entity) accountable or responsible. If the regulator fines the responsible party, it fines the entity, not an individual.
This demonstrates why it is so important for each organisation to know when they are the responsible party. You do this by mapping your activities and creating a record of your processing activities.
The default information officer is accountable
The question then is – if an organisation commits an offence and someone has to go to jail, who goes to jail? In our view, it is the default (or authorised) information officer – the person whom the law specifies by default (automatically) to hold that role, or the person they have duly authorised. But not the designated officer.
For a private body
The default information officer is the head. In the case of a natural person, that person is the information officer. In the case of a partnership, any partner. And in the case of a juristic person (like a company), the CEO or equivalent most senior officer (like the MD), including anyone acting as such. The default officer can authorise another person within the private body to be the information officer (the authorised information officer). They should have done this using Annexure C in the guidance note (or a substantially similar letter). In this case, the authorised officer is the default officer. Accountability follows this authorisation. But the default officer “retains the accountability and responsibility for any power or the functions authorised to that person” (note 5.7). So, both the default and the authorised information officers are accountable. Presumably, jointly and severally?
For a public body
The default information officer is defined in section 1 of PAIA. Essentially, it is a senior person or effectively the head of the public body. For example, the Director-General, Head of Department or Municipal Manager. It includes anyone acting as such, but they cannot authorise another person to take the role.
The default information officer can authorise someone else and then both are accountable
The designated information officer is not accountable
The default information officer can delegate the duties but not the accountability
The default officer can designate or delegate someone else to perform some of the responsibilities (section 17 of PAIA and section 56 of POPIA). This person is called the designated, delegated or deputy information officer. (Note that this is different from the default officer authorising another person to be the authorised information officer.) The default officer can delegate the duties but not the accountability. This is confirmed in the regulator’s guidance note, which says “an Information Officer retains the accountability and responsibility for the functions delegated to the Deputy Information Officer” (note 8.10). Annexure C in the guidance note (or a substantially similar letter) is the right template to use to designate or delegate duties to another person.
Accountability does not follow this delegation – it stays with the default officer. The regulator’s guidance note says “To ensure a level of accountability by a delegated Deputy Information Officer, bodies are encouraged to ensure that such duties and responsibilities or any power delegated to a Deputy Information Officer is part of his or her job description” (note 8.9). The designated officer might face disciplinary action from their employer, but not a fine or jail from the regulator.
With compliance, it is usually the CEO who goes to jail
But remember that there are very few offences in PAIA and POPIA, and it is very unlikely that anyone will go to jail. Most data protection laws around the world have been de-criminalised.
The outsourced information officer is not accountable
Similar to deputy information officers, you can outsource your information officer responsibilities to an outsourced information officer. However, the accountability stays with the default information officer.
But remember any person can commit an offence
The question is – who committed the offence? Was it the responsible party or an employee? Is the information officer of a specific responsible party, or a specific employee, going to pay the fine or go to jail? There will no doubt be some finger pointing and some people selling others down the river.
For offences it is always important to pay particular attention to the specific wording. It is normally along the following lines – “Any person who does XYZ is guilty of an offence.” A person means a natural person or a juristic person. So, in this case, anyone could commit the offence. It could be the responsible party (the company failing to protect account numbers by not putting the necessary controls in place) or Alison in HR selling employee profiles to cyber criminals. Whoever commits the crime does the time – as the saying goes. So any person could be held accountable.
Sometimes the law (like section 90(2) of PAIA) is more specific and says – “An information officer who does XYZ commits an offence.” Here it is only the default information officer of a public body who could be guilty and held accountable.
Section 90(3) of PAIA is more specific still and says – “A head of a private body who does XYZ commits an offence.” Here it is only the default (or authorised) information officer who could be guilty and held accountable, not the designated, delegated or deputy officer.