Information officer for POPI and PAIA | Guidance and Register

Updated: 2025-04-24T16:23:54+02:00

An organisation’s information officer (IO) is essential for protecting personal information and providing access to information. Every organisation has one by default, and the law sets out specific responsibilities for them. You must register your default information officer with the South African Information Regulator. Where necessary, the default information officer might designate a deputy information officer, whom you must also register.

Not the Chief Information Officer (CIO)

The information officer isn’t the Chief Information Officer or CIO, but an IO. They perform very different roles. At one point, it was referred to as the Information Protection Officer, but the correct term is Information Officer. Some people also refer to the Privacy Officer, but in our view, this is the incorrect terminology. The role of a Privacy Officer is something else and may encompass the Information Officer. But the two should not be confused. The officer performs a similar role to a Data Protection Officer under the GDPR.

Do I already have an Information Officer?

Yes, the law (more specifically, the Promotion of Access to Information Act or PAIA) automatically specifies which person in each organisation is the default information officer. Every organisation has a default one: all public bodies, like national departments, provincial administrations, or municipalities, and all private bodies, like companies, CCs, partnerships, and trusts. We offer a strategy session for the default information officer.

What are their responsibilities?

It’s important to remember that your information officer is responsible for handling your POPIA and PAIA compliance journeys. We like to think of these collectively as your information governance journeys. PAIA requires that your organisation makes information accessible, including personal information. POPIA requires that you protect the personal information that your organisation processes.

Each piece of legislation has different requirements that your organisation must meet. Your organisation’s information officer oversees that these requirements are met and that you are handling information lawfully, whether it is information, records, or personal information. We have highlighted stand-out responsibilities for PAIA and POPIA below.

Under PAIA

Officers are essential because they ensure that the organisation complies with PAIA. An IO of a responsible party (or body) must:

  1. Encourage and ensure compliance with PAIA following the body’s definition of compliance.
  2. Develop, create, monitor, maintain, update and make available a PAIA manual.
  3. Evaluate and approve requests for access to information, having regard to the grounds set out in PAIA, within the prescribed time or any extended period.

Under POPIA and the regulations

They are also responsible for ensuring that the organisation complies with the POPI Act. They are vital to any project or programme. An information officer of a responsible party (or body) must:

  1. Encourage compliance with conditions for the lawful processing of personal information.
  2. Deal with requests made pursuant to POPIA (presumably by the Information Regulator or data subjects).
  3. Work with the Regulator about investigations conducted related to prior authorisations (pursuant to Chapter 6 in relation to the body).
  4. Otherwise ensure compliance by the body with the provisions of POPIA.
  5. Develop, implement, monitor and continually improve a POPIA compliance framework.
  6. Ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist.
  7. Develop internal measures and adequate systems to process requests for access to information.
  8. Ensure that internal awareness sessions are conducted.
  9. Take other action as prescribed (presumably by the Minister or the Information Regulator).

These responsibilities are in section 55 of POPIA and the POPIA Regulations.

As part of the Michalsons data protection programme, we help members develop, implement and monitor a compliance framework that contains all the latest global developments and best practices. Some will argue that these regulations mean that you need one manual that deals with both PAIA and POPIA – an information manual of sorts. Is this the end of the PAIA manual? We think not. We think you should still have a PAIA manual and a privacy policy.

So, who should the designated information officer be?

Many organisations are busy trying to work out who the person should be. Is it the CIO, the IT Manager, the information security officer, the legal adviser, or the compliance officer? What should the structure be, and how many people do you need? Do you need one officer and two deputies, or just two deputies? Should one deal with PAIA and the other with POPI? Who is accountable, and who is responsible? Should the responsibility be designated to someone else? Should you have one for the group or each entity within the group?

Do I need to appoint a POPIA representative?

If you are based outside of South Africa and process personal information in South Africa, you may need to appoint a third-party POPIA representative in South Africa. We can help you with this role.

Register them with the Information Regulator

The responsible party must register the officers with the Information Regulator before they start performing their duties. They must also register their POPIA representative, if they have one, to help the regulator contact the responsible party if necessary. The regulator has created a Registration Portal on its website to enable this. If you struggle to do this, we can help you.

The regulator estimates that there are about 3 million information officers who have not registered. Consequently, they are acting unlawfully and their organisations do not comply with the law.

Guidance note on the Registration of Information Officers

The regulator has published a final guidance note.

Actions you can take:

  • Correctly appoint a designated information officer and ensure they know their responsibilities by asking us to draft a letter of appointment for the head to sign.
  • Keep aware of complaints and regulator communications by appointing Michalsons as your POPIA representative.
  • Register your information officers by asking Michalsons for help.
  • An entity based outside South Africa can have an information officer within South Africa by appointing one of the attorneys at Michalsons as your information officer’s authorised representative in South Africa.
  • Outsource the responsibilities of the information officer to Michalsons by asking us for a quote.
  • Empower your officers with knowledge and tools related to the POPI Act by joining our data protection programme.
  • Train your officers by sending them on training for information officers.
  • Find answers to your questions by getting our legal advice.
  • Brief the head of your organisation (or body) on the role by asking us to draft a written brief for the CEO or present it to them for you.
  • Help your default information officer set a strategy by setting up a private strategy session.
  • Find the right person to perform the role by asking us to provide you with a Job Specification or Description for the information officer.

Watch a video on the role of the Information Officer

If you are currently the Information Officer, now is the time to ask – Do I want to continue to be the IO? If yes, the question is – Am I the right person to be the officer? If no, the question is – Who should I appoint as the Information Officer? To help you find answers to these questions, watch our video.

You can watch an older version of this video recorded on 7 July 2020.

FAQs about the information officer

Here are answers to some frequently asked questions.

Who should be the designated or deputy information officer? (updated 2024-09-04)

Now, there is a question. It depends on the organisation, but often, it is someone in legal or compliance. No formal qualifications are required by law. It is essential that the person you select as your information officer (IO) has a thorough knowledge of data protection law and what it entails. In larger organisations, this could take longer to learn, and more in-depth knowledge would also be necessary. In larger organisations, it is vital to consider someone with institutional knowledge of the business, who can then learn what POPIA requires. This could be a better alternative to someone who knows what POPIA requires but lacks institutional knowledge of the business.

Can the role be outsourced?

Yes. We see two main aspects of the information officer role: authority (being accountable for getting something done) and responsibility (being the person who actually gets it done). In its guidance note on information and deputy information officers, the regulator says that you can’t outsource authority. You can, however, outsource some of the responsibilities. If you do, let it be someone who has knowledge of the context in which the organisation operates (sector, etc.).

You can outsource the role or the responsibilities to Michalsons.

Can one person be the information officer for many bodies?

Yes. For example, one person can be the information officer for multiple companies in a group. But each subsidiary of a group of companies must register an officer.

Should someone be paid more to take on the information officer role?

This will depend on the organisation. There aren’t great risks associated, so maybe not, but there will be more work to do, so maybe yes.

Is the information officer role a full or part-time role?

This also depends on your organisation, the impact data protection has on it and the size of it.

Should the information officer be someone in IT?

In our view, no. It is tempting to make the Chief Information Officer (CIO) the information officer (IO), but this is a mistake. The IT department is often more involved with technology than with information. The business owns the information. IT has an important role to play (especially with security), but the information officer role includes balancing rights and interests, which is not something that IT normally does.

Can the default information officer delegate the responsibility to a person who is not employed by the organisation?

Yes, our understanding is that it is permissible to outsource responsibility (being the person who gets something done), but not authority (being accountable for getting it done). But the person registered as the Default Information Officer or Deputy Information Officer must be an employee of the organisation according to the regulator in their guidance note on information officers and deputy information officers.

When should we consider outsourcing responsibilities?

It may be useful to outsource the role of your information officer if: your current team is not suitably qualified; your current team is overworked and low on capacity; you can’t afford to add new members to your team; you are losing team members and can’t afford to train replacements; turnover in your team is leading to business continuity issues.

What responsibilities can we outsource?

Almost all of them, if you manage the project effectively. POPIA breaks the various information officer responsibilities down into four main sections, being:

  • encouraging compliance – like running awareness campaigns, or guiding board decisions;
  • dealing with requests – like responding to data subject access requests, or regulator questions;
  • working with the regulator – like helping the regulator with investigations;
  • otherwise ensuring compliance – like registering your information officer, mapping activities, performing impact assessments, developing policies, or implementing frameworks and procedures.

What options are there for outsourcing our information officer responsibilities?

You could:

  • outsource your entire data protection function, like through an Information Officer as a Service offering
  • outsource specialist responsibilities, to supplement your internal data protection generalists, like through a customer retainer
  • outsource only the tools needed by your internal data protection specialists, like through the Michalsons Data Protection Programme

Does the person need to be in South Africa?

Yes, according to the regulator’s guidance note.

Do you need a POPIA representative in South Africa?

Yes, if you are required to register with the regulator, but have no physical presence in South Africa. Michalsons can be your authorised representative in South Africa.

How do I register my information officer on the Information Regulator portal? (updated 2025-03-12)

Responsible parties should register their information officer online (encouraged) as soon as possible. Failing to register your information officer is not a criminal offence, but there can be severe consequences. If you struggle to register on the portal, we can help. You can also read more about the Information officer role for POPI and PAIA.

Register on the information regulator portal online

The regulator has created an electronic platform, the Information Officer eServices Portal, on their website to enable you to do this. You need to create a profile and log into your profile to use the portal. You can register yourself if you are an Information Officer, or an Admin Officer (like an attorney or another person doing administration in an organisation) can register an IO on the portal. A few tips:

  1. If you struggle with technical problems with the portal, wait and try again in a few days.
  2. The first section is for the default information officer (or authorised officer) that the law automatically makes the information officer. For example, the CEO. This is the person who is accountable. Note the handy “Copy Organisation Address” button, which will save you time. Give the organisation’s address rather than the residential address of the officer.
  3. The second section is for the deputy or designated information officer.
  4. The portal allows you to register one person for multiple entities. One person can be the officer for more than one entity.
  5. The portal won’t allow you to appoint someone outside of South Africa. You will either need to appoint an employee based in South Africa as deputy or designated information officer, or appoint a POPIA representative.

You can also do it manually offline in paper form (not recommended)

You can do this offline by completing and emailing the Information Officer’s Registration Form to the regulator. You will find the form as Annexure A to the regulator’s guidance note on information officers and deputy information officers. This caters for those organisations that do not have access to the Internet. If you have trouble accessing the portal, you can complete an eform to register the information officer and submit it by email to the regulator.

The regulator encourages people to submit their applications online.

The regulator should really have provided two application forms. One for public bodies and one for private bodies. One form creates confusion. If you are a private body trying to complete the form, here is some guidance.

  1. Part A is for the default information officer that the law automatically makes the information officer. For example, the CEO. This is the person who is accountable.
  2. Part B is for the designated information officer. For public bodies, this is called the deputy information officer but for private bodies, we prefer to call them the designated IO.
  3. Part C is for the responsible party details. For example, the company details.
  4. The default information officer should sign it.

You have to register both the default and the designated (deputy) officer with the regulator, and put both of their details in your PAIA Manual.

Who should sign the application form?

In our view, the default information officer (not the designated or delegated one) should sign the form. The default officer is accountable to the regulator and is the one that the law specifies as being the information officer by default.

What if we have already registered using an old form or portal?

You should re-register on the eServices portal.

What happens if you deregister on the portal?

If you deregister from the portal, you will remove your company registration from the regulator’s database. The removal isn’t immediate and is subject to the approval of the regulator. You should use the deregistration option if you have registered yourself as an information officer on the portal but later either resign or appoint someone else as an information officer.

If you registered multiple people for an organisation, we advise against deregistering from the portal, because you will remove all of the following information you have created on the portal:

  • your user profile, and personal details including your login details;
  • any company registration certificates whether they are current or historical;
  • your company profile;
  • the information officer and deputy information officer details you registered;
  • any company registrations that you drafted but haven’t submitted yet;
  • any PAIA reports you submitted; and
  • any other data and information that you added to the portal that relates to your organisation.

What should you do when your information officer resigns? (updated 2024-03-26)

At some point, your information officer is bound to leave your organisation. It might be the default, authorised, designated, delegated or deputy information officer. These are the steps you can take if your information officer wants to resign.

  1. Your information officer should resign as the information officer in writing. This is in addition to resigning as an employee or director. The resignation can be very short and in an email – this counts as being in writing.
  2. You should submit a request to deregister the information officer by emailing the Information Regulator.
  3. The CEO or head of your organisation should appoint a new information officer in writing.
  4. You must register the new information officer with the Information Regulator.

See more information officer FAQs.

Can one person be the information officer for multiple entities? (updated 2024-08-21)

Yes, one person can be the default or designated information officer (IO) for multiple entities or responsible parties. The regulator’s portal allows you to register one person as the information officer for multiple entities. You can register multiple default or designated IOs on the portal.

Some examples

  • I am the only director of a private company, a trustee of a trust and the director of a personal liability company. I am the default IO for all three.
  • Someone is the CEO for many private companies and therefore the default IO for all the responsible parties.
  • Someone is the designated IO for multiple entities. Many group companies will do this. According to the regulator’s guidance note, each company in the group needs to have an IO but it can be the same person.

What should I do?

All you need to do is register the information officer on the portal. To register the default IO, you must select the first tab that says Information Officer. To register the designated IO, you must select the Deputy Information Officer tab, type in the first IO’s details and then select the option to save to the list. This will create a list of multiple designated IOs for one organisation.

If you are registering the same information officer for different entities, you’ll need to first submit the details of the officer, default officer and organisation details. Once you have successfully submitted the registration of the first entity you can draft another registration and the portal will allow you to enter the same details of the information officer but for another entity.

You could fill in the manual form to register an information officer and email it to the regulator. But we understand that emails to the regulator are bouncing because their mailboxes are full. The regulator is encouraging people to register information officers on their registration portal. We have created a guide on how to register your information officer on the regulator’s portal.

It would be better to do it online for many reasons.

It is not a criminal offence

The regulator will not hold organisations accountable if their systems are not working.

Failing to register your officer is not a criminal offence. Failing to get prior authorisation if you need it, is a criminal offence. People often get these two mixed up. The regulator has confirmed that no action will be taken against people who do not register because the portal was not working.

Who will the regulator hold responsible if an organisation does not comply with POPIA? (updated 2024-09-04)

Who is responsible or accountable for offences committed under PAIA and POPIA? Who will the regulator, a court or an industry body hold accountable? Who is going to pay the fine or go to jail? These are all questions we often get asked.

The responsible party (as the name suggests) will be held accountable

You first have to identify who the responsible party is as defined in POPIA. This might be tricky because there might be multiple legal and natural persons involved in a processing activity. The responsible party is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. Essentially, it is the person who determines why and how to process personal information. Most times this is a juristic person (like a company). So, in many cases, the regulator will hold the organisation (the entity) accountable or responsible. If the regulator fines the responsible party, it is the entity that they fine. Not an individual.

This demonstrates why it is so important for each organisation to know when they are the responsible party. You do this by mapping your activities and creating a record of your processing activities.

The default information officer is accountable

The question then is – if an organisation commits an offence and someone has to go to jail, who goes to jail? In our view, it is the default (or authorised) information officer – the person who the law specifies by default (automatically) to be it. Or the person they have duly authorised. But not the designated officer.

For a private body

The default information officer is the head. In the case of a natural person, they are it. In the case of a partnership, any partner. And in the case of a juristic person (like a company), the CEO or equivalent most senior officer (like the MD), including anyone acting as such. The default officer can authorise another person within the private body to be the information officer (authorised information officer). They should have done this using Annexure C in the guidance note (or a letter substantially similar). In this case, the authorised officer is the default officer. Accountability follows this authorisation. But the default officer “retains the accountability and responsibility for any power or the functions authorised to that person” (note 5.7). So, both the default and the authorised information officers are accountable. Presumably, jointly and severally?

For a public body

The default information officer is defined in section 1 of PAIA. Essentially, it is a senior person or effectively the head of the public body. For example, the Director-General, Head of Department or Municipal Manager. It includes anyone acting as such but they cannot authorise another person to be it.

The default information officer can authorise someone else and then both are accountable

The designated information officer is not accountable

The default information officer can delegate the duties but not the accountability

The default officer can designate or delegate someone else to perform some of the responsibilities (section 17 of PAIA and section 56 of POPIA). This person is called the designated, delegated or deputy information officer. (Note that this is different to the default officer authorising another person to be the authorised information officer.) The default officer can delegate the duties but not the accountability. This is confirmed in the regulator’s guidance note where it says “an Information Officer retains the accountability and responsibility for the functions delegated to the Deputy Information Officer. (note 8.10)”. Annexure C in the guidance note (or a letter substantially similar) is the right template to use to designate or delegate duties to another person.

Accountability does not follow this delegation – it stays with the default officer. The regulator’s guidance note says “To ensure a level of accountability by a delegated Deputy Information Officer, bodies are encouraged to ensure that such duties and responsibilities or any power delegated to a Deputy Information Officer is part of his or her job description” (note 8.9). The designated officer might face disciplinary action by its employer but not a fine or jail from the regulator.

With compliance it is usually the CEO who goes to jail

But remember that there are very few offences in PAIA and POPIA, and it is very unlikely that anyone will go to jail. Most data protection laws around the world have been de-criminalised.

The outsourced information officer is not accountable

Similar to deputy information officers, you can outsource your information officer responsibilities to an outsourced information officer. However, the accountability stays with the default information officer.

But remember any person can commit an offence

The question is – who committed the offence? Was it the responsible party or an employee? Is the information officer for a specific responsible party or a specific employee going to pay the fine or go to jail? There will no doubt be some finger pointing and some people selling others down the river.

For offences, it is always important to pay particular attention to the specific wording. It is normally along the following lines – Any person who does XYZ is guilty of an offence. A person means a natural person or a juristic person. So, in this case anyone could commit the offence. It could be the responsible party (the company failing to protect account numbers by not putting the necessary controls in place) or Alison in HR selling employee profiles to cyber criminals. Whoever commits the crime does the time – as the saying goes. So any person could be held accountable.

Sometimes the law (like section 90(2) of PAIA) is more specific and says – An information officer who does XYZ commits an offence. Here it is only the default information officer of a public body who could be guilty and held accountable.

Section 90(3) of PAIA is more specific and says – A head of a private body who does XYZ commits an offence. Here it is only the default (or authorised) information officer who could be guilty and held accountable, not the designated, delegated or deputy officer.

Is there a template to appoint the deputy information officer? (updated 2022-12-08)

Yes, there are a few templates you can use to appoint an information officer. Some are publicly available and others you can get from us.

There are two simple templates in the guidance note on information officers and deputy information officers. One is called the “Designation and Delegation of Authority to the Deputy Information Officer” and the other is called “Authorisation of Information Officer”. The guidance note does not explain how they differ. You can use these templates to appoint your information officer but, in our view, you need to have a much more comprehensive letter of appointment.

An information officer must be appointed in writing

Information officer letter of appointment template

We have drafted an information officer letter of appointment template. You can access this template by joining the Michalsons data protection programme or you can ask Michalsons to draft a letter of appointment for you using the Michalsons template.

In terms of the process, in our experience, the CEO of an organisation would delegate the responsibilities of the information officer to a person in the organisation.

A board resolution

The board then confirms the appointment by way of a resolution. The advantage of this is that the board is aware of the information officer’s role, and they can question the appointment if they believe it is necessary.

Will anybody be exempt from having an information officer? (updated 2024-08-21)

Not at the moment. But we think that some bodies should be exempt from having to register their information officer (IO).

Is any body exempt from registering their information officer?

Unfortunately, the guidance note on information officers and deputy information officers does not touch on exemptions. Surely, not every body needs to register an officer? A private body includes “a natural person who carries or has carried on any trade, business or profession…”.

  • Does a street vendor selling tomatoes to passersby have to register an officer?
  • Does an investment company need one?
  • What about a restaurant or tavern?

Is this just more red tape for small business? Will the regulator’s systems even cope when everyone in South Africa tries to register their officer?

Is it possible for someone to argue that they are not a responsible party? Maybe. But virtually everyone does process personal information for some purpose.

What about an exemption?

We suggest that the information regulator exempt some bodies from having to register an information officer. In the EU GDPR, only certain controllers (AKA responsible parties) need to have an officer (not every body).

Is there a guide for information officers? (updated 2022-12-08)

Have you been appointed as the information officer and are looking for a guide or handbook for information officers? What support is there for information officers?

Guide for information officers

Our data protection programme (and in particular our training for information officers) was designed to empower information officers with what they need to succeed in the role. It is a guide or handbook but it is also so much more.

Don’t confuse this with the guidance note on information officers published by the information regulator – that is something different. You might also like to read about How to increase your knowledge of data protection.