Who should be the information officer? It depends on the organisation, but often it is someone in legal or compliance. No formal qualifications are required by law. It is essential that the person you select as your information officer (IO) has a thorough knowledge of data protection law and what it entails. In larger organisations, this could take longer to learn, and more in-depth knowledge would also be necessary. In larger organisations, it is vital to consider someone with institutional knowledge of the business, who can then learn what POPIA requires. This is often a better alternative to choosing someone who knows what POPIA requires but lacks institutional knowledge of the business.
Can the role be outsourced?
Yes. We see two main aspects of the information officer role: authority (being accountable for getting something done) and responsibility (being the person who actually gets it done). In its guidance note on information and deputy information officers, the regulator says that you can’t outsource authority. You can, however, outsource some of the responsibilities. If you do, let it be someone who has knowledge of the context in which the organisation operates (sector, etc.).
You can outsource the role or the responsibilities to Michalsons.
Can one person be the information officer for many bodies?
Yes. For example, one person can be the information officer for multiple companies in a group. But each subsidiary of a group of companies must register an officer.
Should someone be paid more to take on the information officer role?
This will depend on the organisation. There aren’t great risks associated with the role, so maybe not, but there will be more work to do, so maybe yes.
Is the information officer role a full or part-time role?
This also depends on your organisation, its size and the impact data protection has on it.
Should the information officer be someone in IT?
In our view, no. It is tempting to make the Chief Information Officer (CIO) the information officer (IO), but this is a mistake. The IT department is often more involved with technology than with information. The business owns the information. IT has an important role to play (especially with security), but the information officer role includes balancing rights and interests, which is not something that IT normally does.
Can the default information officer delegate the responsibility to a person who is not employed by the organisation?
Yes, our understanding is that it is permissible to outsource responsibility (being the person who gets something done), but not authority (being accountable for getting it done). However, according to the regulator’s guidance note on information officers and deputy information officers, the person registered as the default information officer or deputy information officer must be an employee of the organisation.
When should we consider outsourcing responsibilities?
It may be useful to outsource the responsibilities of your information officer if:
- your current team is not suitably qualified;
- your current team is overworked and low on capacity;
- you can’t afford to add new members to your team;
- you are losing team members and can’t afford to train replacements; or
- turnover in your team is leading to business continuity issues.
What responsibilities can we outsource?
Almost all of them, if you manage the project effectively. POPIA breaks the various information officer responsibilities down into four main sections:
- encouraging compliance – like running awareness campaigns, or guiding board decisions;
- dealing with requests – like responding to data subject access requests, or regulator questions;
- working with the regulator – like helping the regulator with investigations;
- otherwise ensuring compliance – like registering your information officer, mapping activities, performing impact assessments, developing policies, or implementing frameworks and procedures.
What options are there for outsourcing our information officer responsibilities?
You could:
- outsource your entire data protection function, like through an Information Officer as a Service offering
- outsource specialist responsibilities, to supplement your internal data protection generalists, like through a customer retainer
- outsource only the tools needed by your internal data protection specialists, like through the Michalsons Data Protection Programme
Does the person need to be in South Africa?
Yes, according to the regulator’s guidance note.
Do you need a POPIA representative in South Africa?
Yes, if you are required to register with the regulator, but have no physical presence in South Africa. Michalsons can be your authorised representative in South Africa.
Responsible parties should register their information officer online (encouraged) as soon as possible. Failing to register your information officer is not a criminal offence, but there can be severe consequences. If you struggle to register on the portal, we can help. You can also read more about the Information officer role for POPI and PAIA.
Register on the information regulator portal online
The regulator has created an electronic platform, the Information Officer eServices Portal, on its website to enable you to do this. You need to create a profile and log into your profile to use the portal. You can register yourself if you are an information officer. Alternatively, an admin officer (such as an attorney or another person doing administration in an organisation) can register an IO on the portal. A few tips:
- If you struggle with technical problems with the portal, wait and try again in a few days.
- The first section is for the default information officer (or authorised officer), the person that the law automatically makes the information officer (for example, the CEO). This is the person who is accountable. Note the handy “Copy Organisation Address” button, which will save you time. Give the organisation’s address rather than the residential address of the officer.
- The second section is for the deputy or designated information officer.
- The portal allows you to register one person for multiple entities. One person can be the officer for more than one entity.
- The portal won’t allow you to appoint someone outside of South Africa. You will either need to appoint an employee based in South Africa as deputy or designated information officer, or appoint a POPIA representative.
You can also do it manually offline in paper form (not recommended)
You can do this offline by completing the Information Officer’s Registration Form and emailing it to the regulator. You will find the form as Annexure A to the regulator’s guidance note on information officers and deputy information officers. This caters for those organisations that do not have access to the Internet. If you have trouble accessing the portal, you can complete an eform to register the information officer and submit it by email to the regulator.
The regulator encourages people to submit their applications online.
The regulator should really have provided two application forms: one for public bodies and one for private bodies. A single form creates confusion. If you are a private body trying to complete the form, here is some guidance.
- Part A is for the default information officer, the person that the law automatically makes the information officer (for example, the CEO). This is the person who is accountable.
- Part B is for the designated information officer. For public bodies, this is called the deputy information officer but for private bodies, we prefer to call them the designated IO.
- Part C is for the responsible party details. For example, the company details.
- The default information officer should sign it.
You have to register both the default and the designated (deputy) officer with the regulator, and put both of their details in your PAIA Manual.
Who should sign the application form?
In our view, the default information officer (not the designated or delegated one) should sign the form. The default officer is accountable to the regulator and is the one that the law specifies as being the information officer by default.
What if we have already registered using an old form or portal?
You should re-register on the eServices portal.
What happens if you deregister on the portal?
If you deregister from the portal, you will remove your company registration from the regulator’s database. The removal isn’t immediate and is subject to the approval of the regulator. You should use the deregistration option if you have registered yourself as an information officer on the portal but later either resign or appoint someone else as an information officer.
If you registered multiple people in an organisation, we advise against deregistering from the portal, because doing so will remove all of the following information you have created on the portal:
- your user profile, and personal details including your login details;
- any company registration certificates whether they are current or historical;
- your company profile;
- the information officer and deputy information officer details you registered;
- any company registrations that you drafted but haven’t submitted yet;
- any PAIA reports you submitted; and
- any other data and information that you added to the portal that relates to your organisation.
POPIA aims to protect the privacy and security of personal information processed by public and private bodies. It sets out conditions for the lawful collection, use, storage, and destruction of personal information. PAIA aims to give effect to the constitutional right to access information held by the state or another person that is needed to protect or exercise any rights. It sets out the framework and procedures for requesting such information.
In summary, the main difference between POPIA and PAIA is that POPIA focuses on protecting personal information, while PAIA focuses on access to information.
The Information Regulator (IR) has discretion over when to assess organisations’ data processing practices under both POPIA and PAIA. It follows prescribed procedures and informs applicants about the scope of and reasons for the assessment. For POPIA assessments, the factors considered include the presence of an information officer, the type of data, training, security, retention policies, and cross-border data flows. A guidance note on direct marketing is coming soon. Unlike POPIA assessments, PAIA assessments are not mandatory, but the IR encourages transparency and considers factors like the information’s purpose and the potential impact of non-compliance. Resources are available for smaller organisations to help them ensure compliance. The IR avoids affordability-based penalties, but considers the organisation’s size and data volume.
At some point, your information officer is bound to leave your organisation. It might be the default, authorised, designated, delegated or deputy information officer. These are the steps you can take if your information officer wants to resign.
- Your information officer should resign as the information officer in writing. This is in addition to resigning as an employee or director. The resignation can be very short and in an email – this counts as being in writing.
- You should submit a request to deregister the information officer by emailing the Information Regulator.
- The CEO or head of your organisation should appoint a new information officer in writing.
- You must register the new information officer with the Information Regulator.
See more information officer FAQs.
No, the information regulator has been very clear that the exemption will not be extended. From 1 January 2022, every body needs to have a PAIA manual.
From 1 July 2021, the information regulator will take over the regulation of PAIA from the SAHRC.
Yes, one person can be the default or designated information officer (IO) for multiple entities or responsible parties. The regulator’s portal allows you to register one person as the information officer for multiple entities. You can register multiple default or designated IOs on the portal.
Some examples
- I am the only director of a private company, a trustee of a trust and the director of a personal liability company. I am the default IO for all three.
- Someone is the CEO for many private companies and therefore the default IO for all the responsible parties.
- Someone is the designated IO for multiple entities. Many group companies will do this. According to the regulator’s guidance note, each company in the group needs to have an IO but it can be the same person.
What should I do?
All you need to do is register the information officer on the portal. To register the default IO, you must select the first tab, which says Information Officer. To register the designated IO, you must select the Deputy Information Officer tab, type in the first IO’s details and then select the option to save to the list. This will create a list of multiple designated IOs for one organisation.
If you are registering the same information officer for different entities, you’ll need to first submit the details of the officer, the default officer and the organisation. Once you have successfully submitted the registration of the first entity, you can draft another registration and the portal will allow you to enter the same details of the information officer, but for another entity.
You could fill in the manual form to register an information officer and email it to the regulator. But we understand that emails to the regulator are bouncing because their mailboxes are full. The regulator is encouraging people to register information officers on their registration portal. We have created a guide on how to register your information officer on the regulator’s portal.
It would be better to do it online for many reasons.
It is not a criminal offence
The regulator will not hold organisations accountable if the regulator’s own systems are not working.
Failing to register your officer is not a criminal offence. Failing to get prior authorisation, if you need it, is a criminal offence. People often get these two mixed up. The regulator has confirmed that no action will be taken against people who do not register because the portal was not working.
Not at the moment. But we think that some bodies should be exempt from having to register their information officer (IO).
Is any body exempt from registering their information officer?
Unfortunately, the guidance note on information officers and deputy information officers does not touch on exemptions. Surely not every body needs to register an officer? A private body includes “a natural person who carries or has carried on any trade, business or profession…”.
- Does a street vendor selling tomatoes to passersby have to register an officer?
- Does an investment company need one?
- What about a restaurant or tavern?
Is this just more red tape for small business? Will the regulator’s systems even cope when everyone in South Africa tries to register their officer?
Is it possible for someone to argue that they are not a responsible party? Maybe. But virtually everyone does process personal information for some purpose.
What about an exemption?
We suggest that the information regulator exempt some bodies from having to register an information officer. In the EU GDPR, only certain controllers (AKA responsible parties) need to have an officer (not every body).