top of page

EOHCB Reminder to Register as Information Officer

Registration of an information officer is in terms of the New POPIA act which comes into full force on the 1st July 2021.

PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013 (‘POPIA’) It’s been a long time coming, and the Protection of Personal Information Act 4 of 2013 (“POPIA”) finally come into full force on the 1st of July 2021. The Protection of Personal Information Act (or POPI Act) is South Africa’s equivalent of the European Union General Data Protection Regulation. It sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (both natural and juristic persons). The Protection of Personal Information Act was enacted to promote the protection of personal information processed by public and private bodies and to provide for the minimum conditions for the lawful processing of personal information, to establish an obligation on Information Officers of public and private bodies to designate and delegate any power or duty to Deputy Information Officers; and to outline the compulsory requirements for registration of Information Officers with the Information Regulator. Essentially, the purpose of the Protection of Personal Information Act (POPIA) is to protect people from harm by protecting their personal information. To stop their money from being stolen, to stop their identity from being stolen, and generally to protect their privacy, which is a fundamental human right. To achieve this, the Protection of Personal Information Act sets conditions for when it is lawful for someone to process someone else’s personal information. The POPI Act is important because it protects data subjects from harm, like theft and discrimination. The risks of non-compliance include reputational damage, fines and imprisonment, and paying out damages claims to data subjects. The Protection of Personal Information Act (POPIA) involves three parties (who can be natural or juristic persons) The data subject: the person to whom the information relates. The responsible party: the person who determines why and how to process. For example, profit companies, non-profit companies, governments, state agencies and people. Called controllers in other jurisdictions. The operator: a person who processes personal information on behalf of the responsible party. For example, an IT vendor. Called processors in other jurisdictions. The Protection of Personal Information Act places various obligations on the responsible party, which is the body ultimately responsible for the lawful processing of personal information. Responsible parties should only use operators that can meet the requirements of lawful personal information processing prescribed by the Protection of Personal Information Act. “Personal information” means – information relating to an identifiable, living, natural person, and where it is applicable and identifiable, existing juristic person, including, but not limited to;

information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well- being, disability, religion, conscience, belief, culture, language and birth of the person;

information relating to the education or the medical, financial, criminal or employment history of the person;

​any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignments to the person;

the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

​the views or opinions of another individual about the person; and the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person. This registration of an Information Officer is compulsory and must be done by the latest 30 JUNE 2021!

​The Information Officer is required, in terms of Section 55(2) of the POPIA, to take up his/her duties only after being registered with the Regulator. The Information Officer referred to in section 55(1) of the POPIA is the same Information Officer referred to in sections 1 or 14 and 51 of the Promotion of Access to Information Act (PAIA). The Information Officer of public or private bodies performs his/her duties and responsibilities in terms of both PAIA and POPIA. ​Appoint an Information Officer (IO) and register with the Information Regulator The Protection of Personal Information Act requires that every business within South Africa register a Protection of Personal Information Officer (IO) who is either employed by the business (managerial position) and accepts the responsibilities and duties of an Information Officer, or the business owner(s) (responsible party) need to register by default as the Information Officer.

​An information officer’s responsibilities include; the encouragement of compliance by the body, with the conditions for the lawful processing of personal information; dealing with requests made to the body pursuant to the POPI Act;

​working with the Information Regulator in relation to investigations conducted in relation to the body; otherwise ensuring compliance by the body with the provisions of the Act; and as may be prescribed.

​An information officer must also ensure that a compliance framework is developed, implemented, monitored and maintained,

​a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information,

​and that a manual is developed, monitored, maintained and made available as prescribed in section 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);

​internal measures are developed together with adequate systems to process requests for information or access thereto;

​and internal awareness sessions are conducted regarding the provisions of the POPI Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator. The information officer shall upon request by any person, provide copies of the manual to that person upon the payment of a fee to be determined by the Regulator from time to time. How to register as or an information officer? The Information Officer (IO) registration portal is now live on the Information Regulator website You have until 30 June 2021 to register your IO but we recommend that you do so asap. The registration of an Information Officer is the first step to being POPI compliant. Every business within South Africa needs to meet all 6 steps in order to be compliant, and evidence of this compliance must be presented upon inspection or request by the Regulator. Step 1: Information Officer and Deputy Officer Registration,

Step 2: Map and Analyse all Personal information,

Step 3: Risk Assessment - Conduct audit on measures to protect personal information,

Step 4: Draft POPI Privacy Policy, and include in contracts of employment and third- party contracts,

Step 5: Training – Provide training to employees and other stakeholders to ensure compliance operationally,

Step 6: Information Regulator & South African Human Rights Commission – Update Industrial Relations with regularly updated audits. What are the Penalties for Non-compliance? There are essentially two legal penalties or consequences for the responsible party:

A fine or imprisonment of between R1 million and R10 million or one to ten years in jail, and paying compensation to data subjects for the damage they have suffered.

​Other penalties include; Reputation damage, losing customers/clients, and failing to attract new customers/clients.

​Should you require assistance with POPIA compliance, feel free to contact the EOHCB Information Officer at


bottom of page