The information regulator has published a guidance note on information officers and deputy information officers to provide guidance, procedures and forms to enable responsible parties to do various things required by law. To save you time, we have summarised what the guidance note covers and given our comments or thoughts about it. We have also highlighted the key guidance that may have a significant impact on your organisation. To find out more about the role of the information officer, attend a complimentary webinar or read more about it.

Is any body exempt from having an information officer?

Unfortunately, the guidance note does not touch on exemptions. Surely, not everybody needs to register an officer? A private body includes “a natural person who carries or has carried on any trade, business or profession…”. Does a street vendor selling tomatoes to passersby have to register an officer? Does an investment company need one? What about a restaurant or tavern? Is this just more red tape for small businesses? Is it possible for someone to argue that they are not a responsible party? Maybe. However, virtually everyone processes personal information for some purpose. In the EU GDPR, only specific controllers (AKA responsible parties) need to have an officer (not every body).

The information officer must be within or based in South Africa

“To ensure accessibility of a private body, the Information Officer of a multinational entity based outside the Republic must authorise any person within the Republic of South Africa as an Information Officer” (note 5.2). To meet this regulatory requirement, an entity based outside South Africa can appoint one of the attorneys at Michalsons to be their authorised representative within South Africa. This is similar to the EU GDPR requirement for a controller based outside the EU that processes the personal data of data subjects in the EU to appoint a representative in the EU.

Michalsons can be your authorised representative in South Africa

“To ensure accessibility, the designated Deputy Information Officer(s) of a multinational entity must be based within the Republic” (note 7.13). To meet this responsibility, a multinational entity based outside South Africa (but which has employees in South Africa) can appoint an employee (see below) in South Africa to be the officer but only delegate the responsibility to act as a representative in South Africa. This person can then be registered with the regulator and be accessible to the regulator. But all other responsibilities will be with the head of the body or the data protection officer.

Information officers must be employees

The guidance note currently says the officer must be an employee of a body (note 2.2, 5.9, 7.2, 8.2). This is the regulator’s official and written word on this question. Unofficially, though, the word has started to change. In some of the regulator’s most recent public webinars and private meetings, the regulator has started to suggest that the officer doesn’t have to be an employee. Our understanding is that the regulator is now saying an organisation (like a community scheme, for example) can outsource the role, but the person they outsource to has to be a human being, not a legal person. For a community scheme, this means that you can outsource to the employee of a Managing Agent.

You can outsource the role or the responsibilities to Michalsons

While we have for many years recommended that the officer generally be an internal resource and that responsible parties not outsource the role, in certain scenarios we have sometimes shifted from the recommendation. We have recognised that it is sometimes better for someone outside the organisation to perform the role. The relationship between community schemes and managing agents is one example. Another example is that of pension funds. We’re happy that the regulator is now starting to come around to the idea that the officer has to sometimes come from outside of the organisation.

Regardless of whether the officer is internal or outsourced by the organisation, the officer can still ask various lawyers or consultants (like Michalsons) to help them. In other words, the officer can contract with someone else to perform (delegate) most of the duties or responsibilities. For example, the board of trustees of a pension fund is probably the default information officer because they are the head of the pension fund. They can contract with someone else, like the principal officer of the fund or an employee of the participating employer, to perform the role.

They can delegate the responsibility but not the accountability.

Each subsidiary of a group of companies must register an officer

“Each subsidiary of a group of companies must register its Information Officer and Deputy Information Officer(s) with the Regulator” (Note 5.3). Does each subsidiary have to have its own dedicated officer? Can the same person be the officer for multiple subsidiaries? Do they need to be employed by each of the subsidiaries? What if one of the subsidiaries has no employees?

Training of information officers

The officer must have a reasonable understanding of:

  1. the law, and
  2. the responsible party’s operations and processes (note 7.11).

The responsible party must ensure that their officer:

  1. receives appropriate training, and
  2. keeps abreast of the latest developments.

The law does not empower the regulator to train officers (note 9).

Don’t worry, Michalsons can take care of this. We offer training for information officers and we keep officers abreast of the latest developments by publishing news and insights on our website and through our programme.

Who the information officer should be

The officer should be at the executive level (or equivalent position) (note 5.9) and must report to the highest management office. The officer needs to be a pretty senior person, at about occupational level 5 or 6.

Other guidance

These are the other key things that the guidance note covers.

  1. There is a table of who the default (or automatically appointed) officer is.
  2. A responsible party can have more than one, if necessary.
  3. A responsible party must give an officer sufficient time, adequate resources and financial means to perform their role.
  4. Each responsible party must appoint their officers in writing and their duties must be part of their job description (note 8.9).
  5. It is compulsory for all responsible parties to register their officer and officers should only take up their duties after registering with the regulator.
  6. A responsible party should register their officer online (encouraged) or by completing and emailing the form to the regulator.
  7. There is a table of the offences an officer could be convicted of and related penalties. This certainly won’t encourage anyone to be an officer.
  8. It gives some examples of the duties and responsibilities of officers.
  9. Officers of public bodies must annually submit a report to the regulator about access to information. The regulator can ask a private body to do this annually.
  10. The responsible party must keep the details of the officer with the regulator up-to-date.
  11. The details of the registered officer must be the same as those in the responsible party’s PAIA Manual.
  12. The responsible party must publish the officer’s details on its website (note 12).

Read the actual guidance note on information officers and deputy information officers

You can download it here.

What power does the regulator have to publish this guidance note?

We’re not sure. If you look at section 40, it is not clear which power they are using, and the guidance note itself does not say under which section they are publishing the guidance note. Does the guidance note have the force of law? Do responsible parties have to comply with the guidance note or can they ignore it if they disagree with its guidance?

Draft guidance note

In July 2020, the regulator published draft guidelines about the registration of Information Officers. The guidelines intend to expand on the sections of PAIA and POPIA that deal with the registration of Information Officers. The regulator invited the public to comment on the draft guidelines by 31 August 2020. It then considered the comments and published the final guidance note.