Over the last 20 years of presenting, workshopping and consulting on POPIA, the South African data protection law, we have frequently been asked the same questions. We thought we’d help you find answers by publishing the POPIA FAQs and answers to make them accessible. We’ve categorised them to make them easier to find. If you don’t find answers to your questions, please join our data protection programme or seek our legal advice. You can also read all data protection FAQs.
That is a good question. It depends on the organisation, but often it is someone in legal or compliance. No formal qualifications are required by law. It is essential that the person you select as your information officer (IO) has a thorough knowledge of data protection law and what it entails. In larger organisations, this could take longer to learn, and more in-depth knowledge would also be necessary, so it is vital to consider someone with institutional knowledge of the business who can then learn what POPIA requires. This could be a better alternative than appointing someone who knows what POPIA requires but lacks institutional knowledge of the business.
Can the role be outsourced?
Yes. We see two main aspects of the information officer role: authority (being accountable for getting something done) and responsibility (being the person who actually gets it done). In its guidance note on information and deputy information officers, the regulator says that you can’t outsource authority. You can, however, outsource some of the responsibilities. If you do, let it be someone who has knowledge of the context in which the organisation operates (sector, etc).
You can outsource the role or the responsibilities to Michalsons.
Can one person be the information officer for many bodies?
Yes. For example, one person can be the information officer for multiple companies in a group. But each subsidiary of a group of companies must register an officer.
Should someone be paid more to take on the information officer role?
This will depend on the organisation. There aren’t great risks associated with the role, so maybe not, but there will be more work to do, so maybe yes.
Is the information officer role a full or part-time role?
This also depends on your organisation, its size and the impact data protection has on it.
Should the information officer be someone in IT?
In our view, no. It is tempting to make the Chief Information Officer (CIO) the information officer (IO), but this is a mistake. The IT department is often more involved with technology than with information. The business owns the information. IT has an important role to play (especially with security), but the information officer role includes balancing rights and interests, and this is not something that IT normally does.
Can the default information officer delegate the responsibility to a person who is not employed by the organisation?
Yes, our understanding is that it is permissible to outsource responsibility (being the person who gets something done), but not authority (being accountable for getting it done). But the person registered as the Default Information Officer or Deputy Information Officer must be an employee of the organisation according to the regulator in their guidance note on information officers and deputy information officers.
When should we consider outsourcing responsibilities?
It may be useful to outsource the role of your information officer if:
- your current team is not suitably qualified;
- your current team is overworked and low on capacity;
- you can’t afford to add new members to your team;
- you are losing team members and can’t afford to train replacements;
- turnover in your team is leading to business continuity issues.
What responsibilities can we outsource?
Almost all of them, if you manage the project effectively. POPIA breaks the various information officer responsibilities down into four main sections, being:
- encouraging compliance – like running awareness campaigns, or guiding board decisions;
- dealing with requests – like responding to data subject access requests, or regulator questions;
- working with the regulator – like helping the regulator with investigations;
- otherwise ensuring compliance – like registering your information officer, mapping activities, performing impact assessments, developing policies, or implementing frameworks and procedures.
What options are there for outsourcing our information officer responsibilities?
You could:
- outsource your entire data protection function, like through an Information Officer as a Service offering
- outsource specialist responsibilities, to supplement your internal data protection generalists, like through a customer retainer
- outsource only the tools needed by your internal data protection specialists, like through the Michalsons Data Protection Programme
Does the person need to be in South Africa?
Yes, according to the regulator’s guidance note.
Do you need a POPIA representative in South Africa?
Yes, if you are required to register with the regulator, but have no physical presence in South Africa. Michalsons can be your authorised representative in South Africa.
Responsible parties should register their information officer online (encouraged) as soon as possible. Failing to register your information officer is not a criminal offence, but there can be severe consequences. If you struggle to register on the portal, we can help. You can also read more about the Information officer role for POPI and PAIA.
Register on the information regulator portal online
The regulator has created an electronic platform, the Information Officer eServices Portal, on its website to enable you to do this. You need to create a profile and log into your profile to use the portal. You can register yourself if you are an information officer, or an admin officer (like an attorney or another person doing administration in an organisation) can register an IO on the portal. A few tips:
- If you struggle with technical problems with the portal, wait and try again in a few days.
- The first section is for the default information officer (or authorised officer) that the law automatically makes the information officer. For example, the CEO. This is the person who is accountable. Note the handy “Copy Organisation Address” button, which will save you time. Give the organisation’s address rather than the residential address of the officer.
- The second section is for the deputy or designated information officer.
- The portal allows you to register one person for multiple entities. One person can be the officer for more than one entity.
- The portal won’t allow you to appoint someone outside of South Africa. You will either need to appoint an employee based in South Africa as deputy or designated information officer, or appoint a POPIA representative.
You can also do it manually offline in paper form (not recommended)
You can do this offline by completing and emailing the Information Officer’s Registration Form to the regulator. You will find the form as Annexure A to the regulator’s guidance note on information officers and deputy information officers. This caters for those organisations that do not have access to the Internet. If you have trouble accessing the portal, you can complete an eform to register the information officer and submit it by email to the regulator.
The regulator encourages people to submit their applications online.
The regulator should really have provided two application forms: one for public bodies and one for private bodies. One form creates confusion. If you are a private body trying to complete the form, here is some guidance.
- Part A is for the default information officer that the law automatically makes the information officer. For example, the CEO. This is the person who is accountable.
- Part B is for the designated information officer. For public bodies, this is called the deputy information officer but for private bodies, we prefer to call them the designated IO.
- Part C is for the responsible party details. For example, the company details.
- The default information officer should sign it.
You have to register both the default and the designated (deputy) officer with the regulator, and put both of their details in your PAIA Manual.
Who should sign the application form?
In our view, the default information officer (not the designated or delegated one) should sign the form. The default officer is accountable to the regulator and is the one that the law specifies as being the information officer by default.
What if we have already registered using an old form or portal?
You should re-register on the eServices portal.
What happens if you deregister on the portal?
If you deregister from the portal, you will remove your company registration from the regulator’s database. The removal isn’t immediate and is subject to the approval of the regulator. You should use the deregistration option if you have registered yourself as an information officer on the portal but later either resign or appoint someone else as an information officer.
If you registered multiple people in an organisation, we do not advise deregistering from the portal, because doing so will remove all of the following information you have created on the portal:
- your user profile, and personal details including your login details;
- any company registration certificates whether they are current or historical;
- your company profile;
- the information officer and deputy information officer details you registered;
- any company registrations that you drafted but haven’t submitted yet;
- any PAIA reports you submitted; and
- any other data and information that you added to the portal that relates to your organisation.
The Information Regulator (IR) does communicate with other regulators, but because each regulator has its own mandate, the IR is confined to the parameters of POPI and PAIA, and anything that falls outside the four corners of these Acts will be ultra vires.
The initial difficulty that South Africa is facing is that it does not have a cybercrimes commission. At present, the Information Regulator works closely with the police and the Hawks, but uses its own processes, separate from those used by the police and the Hawks, when receiving data breach notifications and providing adequate measures to safeguard against future data breaches.
The Information Regulator will have a similar role under the Cybersecurity Act to the one it has now when receiving data breach notifications. A data breach usually occurs at the same time as a cybercrime. The difficulty with this is that you will be approaching the Information Regulator for a data breach and the police for a cybercrime at or around the same time. It would be beneficial for one agency to conduct these investigations and handle these matters, and that is why the Information Regulator has raised the proposal for a cybercrime commission for Parliament to address. The Information Regulator encourages people to write to relevant decision makers to push for the institution of a cybercrime agency.
The Information Regulator plans to clarify its updates on prior authorisation, such as making application forms easier to use, in an upcoming guidance note. When dealing with personal information, remember to consider it from a holistic point of view. There are eight key conditions you need to follow for lawful processing. The Information Regulator suggests taking a moment to understand what permission you’re requesting and how it fits into these eight conditions. This helps ensure you’re following the rules the right way.
The Information Regulator (IR) has discretion in when to assess organisations’ data processing practices under both POPIA and PAIA. They follow prescribed procedures and inform applicants about the scope and reasons for the assessment. For POPIA assessments, factors considered include information officer presence, data type, training, security, retention policies, and cross-border data flows. A guidance note on direct marketing is coming soon. Unlike POPIA, PAIA assessments are not mandatory, but the IR encourages transparency and considers factors like the information’s purpose and potential impact of non-compliance. Resources are available for smaller organisations to ensure compliance. The IR avoids affordability-based penalties, but considers the organisation’s size and data volume.
The information regulator would like to clarify that it is not a cybercrime agency and does not investigate cybercrimes. They do concede that there is a need for a cybercrime agency to assist in the regulation of cybercrimes in the country. A cybercrimes agency was proposed in legislation last year but has not been discussed in greater detail by Parliament as yet.
The rules that apply when sending data to EU countries are not straightforward. The person sending that data will have to assess whether a transfer to the intended country has the appropriate safeguards and measures adequate for the specific cross-border transfer. The information regulator cannot give an exhaustive list of these countries because the assessment will differ case by case.
While the Information Regulator (IR)’s plan is to keep an eye on international developments regarding AI regulation, AI is not an immediate priority for the Information Regulator right now. Their current focus lies on amending existing legislation like POPI and PAIA. Cybersecurity takes the top spot on their priority list due to the surge in data breaches and its significant impact on various industries. The IR is actively developing guidance for organisations on data breach notification procedures and available remedies. Additionally, they are exploring the practicalities of penalising cybercrimes and foresee upcoming legislative updates in this area. In essence, the IR prioritises adapting existing laws and addressing pressing concerns like cybersecurity before delving into complex issues like AI regulation.
There are several issues that the information regulator is aiming to address this year. Still, the two key priorities are addressing concerns around AI and automated decisions and regulating cross-border transfers of personal information.
- AI and automated decision-making: international data protection agencies are worried about large language models used in AI that process vast amounts of personal and general data. South Africa’s current legislation lacks provisions for situations where automated decisions are made without human oversight. The information regulator monitors proposed international legislation on AI regulation but hasn’t formed its own opinion yet.
- Regulating cross-border transfers of personal information: The information regulator prefers a model similar to the EU’s GDPR, which uses adequacy determinations to assess data protection levels in other countries. The GDPR framework doesn’t offer the information regulator enough power to make these adequacy findings. The information regulator is developing a guidance note for entities doing cross-border transfers, including recommending appropriate measures based on existing laws.
At some point, your information officer is bound to leave your organisation. It might be the default, authorised, designated, delegated or deputy information officer. These are the steps you can take if your information officer wants to resign.
- Your information officer should resign as the information officer in writing. This is in addition to resigning as an employee or director. The resignation can be very short and in an email – this counts as being in writing.
- You should submit a request to deregister the information officer by emailing the Information Regulator.
- The CEO or head of your organisation should appoint a new information officer in writing.
- You must register the new information officer with the Information Regulator.
See more information officer FAQs.
From 1 July 2021 the information regulator will take over the regulation of PAIA from the SAHRC.
Yes, one person can be the default or designated information officer (IO) for multiple entities or responsible parties. The regulator’s portal allows you to register one person as the information officer for multiple entities. You can register multiple default or designated IOs on the portal.
Some examples
- I am the only director of a private company, a trustee of a trust and the director of a personal liability company. I am the default IO for all three.
- Someone is the CEO for many private companies and therefore the default IO for all the responsible parties.
- Someone is the designated IO for multiple entities. Many group companies will do this. According to the regulator’s guidance note, each company in the group needs to have an IO but it can be the same person.
What should I do?
All you need to do is register the information officer on the portal. To register the default IO, you must select the first tab that says Information Officer. To register the designated IO, you must select the Deputy Information Officer tab, type in the first IO’s details and then select the option to save to the list. This will create a list of multiple designated IOs for one organisation.
If you are registering the same information officer for different entities, you’ll need to first submit the details of the information officer, the default officer and the organisation. Once you have successfully submitted the registration of the first entity, you can draft another registration and the portal will allow you to enter the same details of the information officer, but for another entity.
You could fill in the manual form to register an information officer and email it to the regulator. But we understand that emails to the regulator are bouncing because their mailboxes are full. The regulator is encouraging people to register information officers on their registration portal. We have created a guide on how to register your information officer on the regulator’s portal.
It would be better to do it online for many reasons.
It is not a criminal offence
The regulator will not hold organisations accountable if their systems are not working.
Failing to register your officer is not a criminal offence. Failing to get prior authorisation if you need it, is a criminal offence. People often get these two mixed up. The regulator has confirmed that no action will be taken against people who do not register because the portal was not working.
Who is responsible or accountable for offences committed under PAIA and POPIA? Who will the regulator, a court or an industry body hold accountable? Who is going to pay the fine or go to jail? These are all questions we often get asked.
The responsible party (as the name suggests) will be held accountable
You first have to identify who the responsible party is as defined in POPIA. This might be tricky because there might be multiple legal and natural persons involved in a processing activity. The responsible party is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. Essentially, it is the person who determines why and how to process personal information. Most times this is a juristic person (like a company). So, in many cases, the regulator will hold the organisation (the entity) accountable or responsible. If the regulator fines the responsible party, it is the entity that they fine. Not an individual.
This demonstrates why it is so important for each organisation to know when they are the responsible party. You do this by mapping your activities and creating a record of your processing activities.
The default information officer is accountable
The question then is – if an organisation commits an offence and someone has to go to jail, who goes to jail? In our view, it is the default (or authorised) information officer – the person who the law specifies by default (automatically) to be it. Or the person they have duly authorised. But not the designated officer.
For a private body
The default information officer is the head. In the case of a natural person, they are it. In the case of a partnership, any partner. And in the case of a juristic person (like a company), the CEO or equivalent most senior officer (like the MD), including anyone acting as such. The default officer can authorise another person within the private body to be the information officer (authorised information officer). They should have done this using Annexure C in the guidance note (or a letter substantially similar). In this case, the authorised officer is the default officer. Accountability follows this authorisation. But the default officer “retains the accountability and responsibility for any power or the functions authorised to that person” (note 5.7). So, both the default and the authorised information officers are accountable. Presumably, jointly and severally?
For a public body
The default information officer is defined in section 1 of PAIA. Essentially, it is a senior person or effectively the head of the public body. For example, the Director-General, Head of Department or Municipal Manager. It includes anyone acting as such but they cannot authorise another person to be it.
The default information officer can authorise someone else and then both are accountable
The designated information officer is not accountable
The default information officer can delegate the duties but not the accountability
The default officer can designate or delegate someone else to perform some of the responsibilities (section 17 of PAIA and section 56 of POPIA). This person is called the designated, delegated or deputy information officer. (Note that this is different from the default officer authorising another person to be the authorised information officer.) The default officer can delegate the duties but not the accountability. This is confirmed in the regulator’s guidance note, where it says “an Information Officer retains the accountability and responsibility for the functions delegated to the Deputy Information Officer” (note 8.10). Annexure C in the guidance note (or a letter substantially similar) is the right template to use to designate or delegate duties to another person.
Accountability does not follow this delegation – it stays with the default officer. The regulator’s guidance note says “To ensure a level of accountability by a delegated Deputy Information Officer, bodies are encouraged to ensure that such duties and responsibilities or any power delegated to a Deputy Information Officer is part of his or her job description” (note 8.9). The designated officer might face disciplinary action from their employer, but not a fine or jail from the regulator.
With compliance it is usually the CEO who goes to jail
But remember that there are very few offences in PAIA and POPIA, and it is very unlikely that anyone will go to jail. Most data protection laws around the world have been de-criminalised.
The outsourced information officer is not accountable
Similar to deputy information officers, you can outsource your information officer responsibilities to an outsourced information officer. However, the accountability stays with the default information officer.
But remember any person can commit an offence
The question is – who committed the offence? Was it the responsible party or an employee? Is the information officer for a specific responsible party or a specific employee going to pay the fine or go to jail? There will no doubt be some finger pointing and some people selling others down the river.
For offences, it is always important to pay particular attention to the specific wording. It is normally along the following lines – Any person who does XYZ is guilty of an offence. A person means a natural person or a juristic person. So, in this case, anyone could commit the offence. It could be the responsible party (the company failing to protect account numbers by not putting the necessary controls in place) or Alison in HR selling employee profiles to cyber criminals. Whoever commits the crime does the time – as the saying goes. So any person could be held accountable.
Sometimes the law (like section 90(2) of PAIA) is more specific and says – An information officer who does XYZ commits an offence. Here it is only the default information officer of a public body who could be guilty and held accountable.
Section 90(3) of PAIA is more specific and says – A head of a private body who does XYZ commits an offence. Here it is only the default (or authorised) information officer who could be guilty and held accountable, not the designated, delegated or deputy officer.
Yes, there are a few templates you can use to appoint an information officer. Some are publicly available and others you can get from us.
There are two simple templates in the guidance note on information officers and deputy information officers. One is called the “Designation and Delegation of Authority to the Deputy Information Officer” and the other is called “Authorisation of Information Officer”. The guidance note does not explain how they differ. You can use these templates to appoint your information officer but, in our view, you need to have a much more comprehensive letter of appointment.
An information officer must be appointed in writing
Information officer letter of appointment template
We have drafted an information officer letter of appointment template. You can access this template by joining the Michalsons data protection programme or you can ask Michalsons to draft a letter of appointment for you using the Michalsons template.
In terms of the process, in our experience, the CEO of an organisation would delegate the responsibilities of the information officer to a person in the organisation.
A board resolution
The board then confirms the appointment by way of a resolution. The advantage of this is that the board is aware of the information officer’s role, and they can question the appointment if they believe it is necessary.
Not at the moment. But we think that some bodies should be exempt from having to register their information officer (IO).
Is any body exempt from registering their information officer?
Unfortunately, the guidance note on information officers and deputy information officers does not touch on exemptions. Surely, not every body needs to register an officer? A private body includes “a natural person who carries or has carried on any trade, business or profession…”.
- Does a street vendor selling tomatoes to passersby have to register an officer?
- Does an investment company need one?
- What about a restaurant or tavern?
Is this just more red tape for small business? Will the regulator’s systems even cope when everyone in South Africa tries to register their officer?
Is it possible for someone to argue that they are not a responsible party? Maybe. But virtually everyone does process personal information for some purpose.
What about an exemption?
We suggest that the information regulator exempt some bodies from having to register an information officer. In the EU GDPR, only certain controllers (AKA responsible parties) need to have an officer (not every body).
Generally speaking, no. The information regulator makes a distinction between guidance and advice. Guidance is where the regulator applies its knowledge, skill and expertise to a generic legal issue. Advice is where the regulator applies its knowledge, skill and expertise to an organisation’s specific issue. The regulator has been very clear that it will not provide advice and will only give guidance of general application. If the regulator were to give advice, it could create conflicts of interest. Only legal practitioners (like Michalsons) should give legal advice.
The regulator publishes guidelines and guidance on its website. But if you ask it a specific question regarding your organisation, you probably will not get a response. You can find their contact details on their website under the contact us section.
Yes, public bodies must. Some people think that they don’t and it is not that clear when you read POPIA. But it is clear – all public bodies must comply. The Information Regulator has confirmed this.
POPIA “applies to the processing of personal information entered in a record by or for a responsible party” (Section 3). A responsible party includes “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information”. A ‘‘public body’’ means:
- any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
- any other functionary or institution when:
  - exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
  - exercising a public power or performing a public function in terms of any legislation.
So a public body includes government departments, municipalities, and any institution performing a public power.
So, the answer is yes. All public bodies must comply with POPIA.
Have you been appointed as the information officer and are looking for a guide or handbook for information officers? What support is there for information officers?
Guide for information officers
Our data protection programme (and in particular our training for information officers) was designed to empower information officers with what they need to succeed in the role. It is a guide or handbook but it is also so much more.
Don’t confuse this with the guidance note on information officers published by the information regulator – that is something different. You might also like to read about How to increase your knowledge of data protection.
The information regulator is unlikely to have any issue with you using software to implement POPIA if the software helps you protect personal information and avoid non-compliance.
It is likely that the information regulator will encourage you to use data protection management software, especially when you process large volumes of personal information. There are many examples in other jurisdictions where data protection authorities encourage the use of Privacy Enhancing Tools (PETS).
This seems unlikely for the foreseeable future. The regulator does not currently seem to have any plans to do this. Each responsible party will have to assess whether a country does have adequate protection and record their decision. This is very important because if a country does have adequate protection, personal information can flow from South Africa to that country without the responsible party having to take extra steps.
Will the EU be regarded as having adequate laws considering it does not protect juristic persons? No. Strictly speaking, the GDPR does not “provide an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person” (section 72).
This is a difficult one to answer. A related question is: what are we going to do in South Africa to ensure that data exporters in the EU/EEA are able to export data to data importers in South Africa?
No. The regulator has consistently said no. It will not be extended.
Related questions are – Do you anticipate the regulator taking enforcement action soon after the deadline? Will the regulator expect responsible parties to comply right after the deadline? The answer from the regulator is yes.