The Information Officer of an organisation is an important person. By default, every single organisation in South Africa has one. The law (more particularly the Promotion of Access to Information Act or PAIA) automatically designates a person in each organisation as the Information Officer. Not the Chief Information Officer or CIO, but an Information Officer. They perform very different roles.
At a point in time, it was referred to as the Information Protection Officer, but the correct term is Information Officer. Some people also refer to the Privacy Officer, but in our view, this is the incorrect terminology. The role of a Privacy Officer is something else and may encompass the Information Officer. But the two should not be confused. The Information Officer performs the same role as a Data Protection Officer under the GDPR.
Do I have an Information Officer?
Every organisation has one. All public bodies, like a national department, provincial administration, or municipality. And all private bodies, like companies, CCs, partnerships, and trusts. Unlike the PAIA Manual, nobody is exempt. Every body has one whether you like it or not?
What are their responsibilities?
The Information Officer is an important person because they are responsible for ensuring that the organisation complies with PAIA. They are also the person who is responsible for ensuring that the organisation complies with the POPI Act. They are a key person in any PAIA or POPI project. They must also be registered with the Information Regulator.
So, who should the Information Officer be?
Many organisations are busy trying to work out who the person should be. Is it the CIO, the IT Manager, the information security officer, the legal adviser, the compliance officer? What should the structure be and how many people do you need? Do you need one Information Officer and two deputies, or just two deputies? Should one deal with PAIA and the other with POPI? Who is accountable and who is responsible? Should the responsibility be designated to someone else?
Actions you can take:
- Find answers to your questions by getting our advice.
- Brief the head of your organisation (or body) on the role by asking us to draft a written brief for you or asking us to present to them for you.
- Find the right person to perform the role by asking us to provide you with a Job Specification or Description.
- Appoint the person correctly and ensure the person knows what their responsibilities are by asking us to draft a letter of appointment for the head to sign.
- Empower yourself with knowledge on the POPI Act and its potential impact on your organisation by attending one of our Data Protection Workshops.