top of page

POPIA - 6 main obligations of the Information Officer

The Information Officer is the central person in your organisation that, in terms of the Protection of Personal Information Act, is tasked with POPIA compliance.

What are the main responsibilities of the Information Officer?

The Information Officer has a huge responsibility in terms of POPIA to ensure that your organisation processes personal information of data subjects in a lawful, responsible and transparent manner. The main obligations of the Information Officer are set out in section 55 of POPIA and the regulations to the Act. They include:

1. Encourage POPIA compliance

The Information Officer must encourage compliance by your organisation with the provisions of POPIA. This is an initial and ongoing responsibility that entails continuous monitoring of the processing environment, creating awareness and arrange for applicable training where necessary.

2. Develop a POPIA compliance framework

A POPIA compliance framework is a structured set of guidelines that details your organisation's processes for complying with POPIA and its regulations. It outlines the regulatory compliance standards relevant to your organisation and the business processes and internal controls the organization has in place to follow to these standards.

The Information Officer must develop, implement and monitor the POPIA framework. This means that it is not just a once-off task but an ongoing one, where the Information Officer will need to continually monitor the framework to ensure that it is updated with any future changes in legislation as well as ongoing compliance within the organisation.

3. Do a Personal Information Impact Assessment

A Personal Information Impact Assessment or PIIA, is an analysis where your organisation must:

  • ascertain what personal information it processes as well as why, how, when and by whom such personal information is being processed, stored and used

  • ascertain what policies, processes, guidelines or rules are in place relating to the processing of personal information

  • identifying the gaps in how your organisation currently processes personal information compared to what is required by POPIA

4. Ensure POPIA compliance

The onus to ensure that your organisation complies with POPI rests on the Information Officer. This is an ongoing process where the Information Officer will have to monitor compliance, identify new gaps or risks, explore measures to mitigate those risks and implement those measures, with the necessary training and awareness.

5. Deal with data subject requests

Data subjects have rights in terms of POPIA. These rights include request to access certain information, changing of personal information and even deleting of personal information.

It is the responsibility of the Information Officer to ensure that these data subject access requests or DSAR's are properly managed and executed within the organisation and that proper feedback is given to data subjects, within the time frames, specified in POPIA.

6. Make available a PAIA manual

Section 32 of the Constitution entrenches the fundemental right of access to information. It provides a statutory right to request certain types of records held by an organisation, including the State, certain public and private bodies. The Promotion of Access to Information Act 2 of 2000 or PAIA prescribes that every public and private body must publish an information manual to assist requesters who whisk to access a certain record.

The Information Officer is responsible to develop, make available and maintain a PAIA manual and to deal with any requests that may be done in terms of the manual.

Failure by an Information Officer to comply with their responsibilities could have very serious consequences, which includes hefty fines and even imprisonment. It is therefore imperative that you appoint the correct person and ensure that the legal obligations of the Information Officer are complied with. Please contact EeziLaw if you require any advice on the appointment or the role of the Information Officer within your organisation.

Follow the following link to learn more about POPIA - EeziLaw POPIA information


bottom of page