On 1 July 2021 the Protection of Personal Information Act 4 of 2013 (POPIA) will come fully into force; therefore, companies and multinationals located within South Africa will be required to become POPIA compliant. This regulation, together with the Promotion of Access to Information Act 2 of 2000 (PAIA), comprises the main data protection legislation in South Africa.
Below we provide an overview of these regulations and the implications of the guidelines recently published by the Information Regulator (the data protection authority of South Africa) concerning the positions of the Information Officer and Deputy Information Officer.
Overview of the South African Regulation
POPIA established the framework for the exercise of the constitutional right to privacy and laid down the legal background for the processing of personal information. Therefore, it addresses subjects such as the lawful basis for the processing of personal data, the rights of the data subjects, duties and responsibilities of the parties processing personal data, conditions for its transfer and provisions concerning the enforceability of the Act. As such, POPIA is similar to the General Data Protection Regulation (GDPR). An example of this would be the reproduction within POPIA of the data processing principles laid down in the GDPR.
On the other hand, the South African data protection regime is complemented by PAIA, under which the constitutional right of access to information was developed and which thus supplements certain topics addressed in POPIA.
Despite the similarities between European and South African law, there are certain contrasts between the regulations. A difference worth mentioning involves the positions of the Information Officer and the Deputy Information Officer.
Information Officer (IO)
According to Section 55 of POPIA, the IO has the duty to ensure that the legal entity complies with the conditions for the lawful processing of personal information, to deal with data subject requests and to cooperate with investigations conducted by the authorities. In this regard, the similarities between the role of the IO and the tasks of the Data Protection Officer (DPO) under Art. 38 and 39 of the GDPR are evident.
POPIA also establishes that the IO of a private entity must be the head of the private body, as follows from Section 1. In contrast with the European data protection regulation, the appointment of the holder of the highest office of a company as IO could lead to:
- Conflict of interest: The IO/DPO must continuously audit and control compliance with data protection law; however, the head of a company may determine or influence the means and purposes of the processing of personal data. In such situations the head of the company would have to monitor their own decisions, which, according to some European data protection authorities (for example here and here), could be incompatible with the obligations under Art. 38 para. 6 of the GDPR.
- Lack of accessibility: Both the head of a company and the IO/DPO are very demanding positions with a high workload. Holding both could render the IO/DPO unable to fulfil their day-to-day duties, especially when addressing requests from data subjects and authorities.
In July 2020 the Information Regulator published the Draft Guidelines on the Registration of Information Officers. This document aimed to help entities with their duty to register the IO as established in Section 55(2) of POPIA. In paragraph 1.3 of this document the Regulator envisaged the possibility that private entities delegate the IO role to any person authorized by the CEO or equivalent office. One interpretation of this wording suggested that entities could delegate the duties and responsibilities of the IO to external parties.
However, on 1 April 2021, the Regulator published the Guidance Note on Information Officers and Deputy Information Officers. In this guidance, the Information Regulator confirmed the following regarding the IO:
1) The appointment of the Chief Executive Officer (CEO), General Manager (GM) or equivalent as IO is automatic (Paragraph 5.1, Guidance Note on Information Officers and Deputy Information Officers), and
2) The authorized IO must have the following characteristics:
a) must be an employee of the company;
b) the employee should hold an executive level or equivalent position (Paragraph 5.9, Ibid.); and
c) the employee must be located within South Africa (Paragraph 5.2, Ibid.).
Nevertheless, the Guidance lays down that the CEO, GM or equivalent shall retain accountability and responsibility for any such authorization (Paragraph 5.7, Ibid.).
The position taken by the South African data protection authority with regard to the designation of the IO seems to deviate slightly from that of the GDPR, since the European regulation promotes the independence of the DPO from the company's management or from any position that leads to a conflict of interest.
As the law and guidance currently stand, the Regulator has decided to ensure compliance with POPIA by assigning liability for the tasks of the IO to the highest office of the juristic person even where those tasks are delegated, by requiring the IO or their Deputy to be located within South Africa, and by backing their duties and responsibilities with civil and criminal liability.
Deputy Information Officer (DIO)
POPIA introduced the DIO as a figure to support the IO in achieving the entity's compliance, as established under Section 56. The designation of the DIO must be carried out by the IO directly, and the IO may designate as many DIOs as are necessary to perform their duties and responsibilities.
The appointment of the DIO was also addressed in the Guidance Note on Information Officers and Deputy Information Officers. The Information Regulator lays down that the DIO must be:
- an employee of the entity (Paragraph 7.2, Ibid.);
- a person with knowledge of PAIA and POPIA regulations (Paragraph 7.11, Ibid.);
- a person who understands the company business operations (Paragraph 7.12, Ibid.);
- accessible to data subjects (Paragraph 7.10, Ibid.) and authorities; and
- located within South Africa (Paragraph 7.6, Ibid.).
The guidelines also recommend that the DIO holds a management position and reports to the highest office. Note that, although the GDPR does not provide for a DIO, the requirements for this position closely resemble those established in Art. 38 of the GDPR.
The DIO does not solve the potential issue that the IO figure deviates from the DPO under the GDPR, which may be interpreted as a conflict of interest arising from the appointment of the CEO or GM of a juristic person as IO; however, the DIO may be adequate to cope with the tasks of ensuring accessibility to data subjects and authorities.
In summary, company groups with juristic persons located in South Africa should comply with the following obligations under South African Data Protection regulation:
- Companies and multinationals established in South Africa must be POPIA compliant by the 1st of July 2021.
- South African regulation provides for the automatic appointment of the CEO, GM or equivalent role within a juristic person as IO.
- The IO is responsible for the juristic person's compliance with POPIA.
- To help the IO carry out their duties and responsibilities, POPIA provides for the figure of the DIO.
- Both the IO and the DIO must be employees of the company, must report directly to the highest office of the company, and must be located within South Africa.