POPI compliance | Is your information officer ready?

In the pandemic-hit era of Covid-19, more and more of us are switching on to the digital way of life. The Protection of Personal Information Act, No. 4 of 2013 (POPI Act) is now in operation, effective since 1 July 2020, following a lengthy process which started in 2013.

The core focus of the act is to ensure the sharing and use of personal information is done correctly and for the purposes intended, to protect the privacy and rights of those individuals who are sharing their information with companies and organisations. 

While the act is now a legal obligation, penalties for non-compliance are enforceable from July 2021. It is also important to note that these penalties do not apply retroactively. 

A key requirement of the POPI Act is the appointment of an Information Officer for your organisation. According to Bregmans Attorneys, the Protection of Personal Information Act, 2013 (“POPIA”) requires entities to have an active Information Officer, and defines the role according to Section 1 of POPIA as follows:

The “information officer”, in relation to a private body, is defined as “the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act” (PAIA), which in turn defines the “head”, concerning a private body and in the case of a juristic person, to be “the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer”.

“It thus seems that the CEO of a juristic person can delegate that role.”

“The Information Officer may delegate his or her powers and duties to one or more Deputy Information Officers to ensure compliance.”

Added to this, “POPIA can impose personal liability on the Information Officer, and any delegated Information Officers and the Enforcement Committee can take appropriate action against them.”

What are the responsibilities and liabilities of the Information Officer?

– Encouraging compliance for the lawful processing of personal information and the provisions of POPIA

– Dealing with requests made to the private body

– Working with the Information Regulator concerning investigations

– Developing and maintaining a compliance framework

– Conducting personal information impact assessments to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information

– Developing, monitoring, maintaining and making available the manual as prescribed by PAIA

– Ensuring internal measures are developed together with adequate systems to process requests for information or access; and

– Conducting internal POPIA awareness sessions.

Bregmans further advise that once a private body has appointed an Information Officer, it needs to register the details of the Information Officer with the Information Regulator, following the Information Regulator’s guidelines.

“Organisations should ensure that their PAIA manuals comply with section 51 of PAIA by including the postal and street address, phone and fax number, and, if available, electronic mail address of the head of the body or his delegated Information Officer.”

Still not sure where to begin? Start your POPI Act compliance with this simple pop.law checklist:

Step 1: Audit

Do an audit of all of the existing information being processed by your business and why your business is collecting it. You also need to consider how it is being stored.

“Review agreements you have with others, especially looking at what the third party’s responsibilities are regarding the information you share with them.”

Step 2: Clean Up

Remove any information that is no longer required by the business, including customers who are no longer using your services, but especially customers who have not consented to being on your database.

Step 3: Write up procedures

Put in place “best practice” procedures for how you want to move forward and for how long you will keep your customers’ information.

Step 4: Communicate

Communicate your processes to your users. Draft the relevant documents that your customers will need in order to know what is happening to their information. These should include:

  • Consent forms
  • Privacy policies
  • Cookies notices
  • CCTV notices

Step 5: Train your people

Train everyone in your organisation to recognise when they are dealing with personal information, to understand what their own responsibilities are within your business, and to know who to contact if they have questions or concerns about your processes and procedures.

“Even the most robust compliance plan will fail if the people on the ground are not equipped to implement it. Training and education can never be a once-off exercise, and the business should have some idea of how often and in what way constant training needs to take place,” advises pop.law. 

Article courtesy of Lexis Digest and property24