Information Regulator calls on info officers to register online
The Information Regulator of South Africa is developing an online portal for the registration of information officers (IOs) and deputy information officers (DIOs), which it says is expected to be live by the end of April.
Accordingly, the IR has published the Guidance Note for the registration of IOs and DIOs, in order to ensure proper understanding of the legislative requirements, as it makes the final preparations for the Protection of Personal Information Act (POPIA), which is set to kick in on 1 July.
The registration of IOs and/or DIOs is expected to commence on 1 May, and the IR is encouraging organisations and responsible parties to submit their applications for registration through the online portal.
“Responsible parties may also submit their applications as of 1May for the registration of IOs and/or DIOs, if any, by manually completing the application form attached to the Guidance Note.
“The application form for the registration of IOs and/or their DIOs can also be downloaded from the IR’s Web site. Responsible parties who have submitted their applications using the old forms are encouraged to re-apply using the online platform to register IOs.”
POPIA prescribes compulsory requirements for the registration of IOs with the IR. The existing IOs under the Promotion of Access to Information Act 2 of 2000 (PAIA) will have to register once the IR has started the registration process, according to a statement.
The purpose of POPIA is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information, by holding them accountable should they abuse or compromise personal information in any way.
The IO plays an important role as they are responsible for ensuring the organisation complies with PAIA and POPIA compliance requirements.
According to law firm Michalsons,the IO is the person responsible for ensuring the organisation complies with the POPIA by encouraging compliance with conditions for the lawful processing of personal information,dealing with requests made pursuant to POPIA (presumably by the Information Regulator or data subjects), and working with the IR in relation to investigations conducted related to prior authorisations (pursuant to Chapter 6 in relation to the body), among other duties.
“It is the duty of the responsible parties and their IOs to ensure strict compliance with the relevant provisions of the POPIA and PAIA and respective regulations under the above-mentioned legislation,” notes the IR.
In an e-mail interview with ITWeb last month, advocate Pansy Tlakula warned theone-year grace period given to South African companies to comply with POPIA will not be extended.
On 1 July 2020, the Act as a whole came into effect. However, local firms were given a one-year grace period to comply with the law.
“The grace period provided for in section 114(1) of POPIA will come to an end on 1 July 2021 and this period will not be extended,” said Tlakula at the time.
Businesses that don't comply with POPIA, regardless of whether it’s intentional or accidental, can face severe penalties. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.