POPIA: The difference between Chief Information Officer and Information Officer

Under the POPI Act, there is a mandate that all organizations must appoint an Information Officer (IO) – also previously referred to as the Privacy Officer, where then does the Chief Information Officer (CIO) then fit in?

The CIO’s role and responsibilities are vastly different in that this role has no direct link with the mandate of the POPI Act, in fact, this role is unique to an organisation that is primarily engaged in the provision of technology and software services where the CIO in context is regarded as an organizational executive, responsible for the management, implementation, and utilization of information and computer technologies.

With the increased reshaping of global technology, a CIO would typically be concerned with the analysis of how various technologies could benefit the organization or improve an existing business model process with an integrated system to realize the benefit or improvement.

CIOs would typically develop strategies and computer systems that ensure competitiveness in a fast-changing global marketplace, thus they will further focus on technology trends to contribute to an organization’s continuity and sustainability.

The Information Officer on the other hand is an appointment made under the prescription of the POPI Act, by default, every single organisation in South Africa has one as the POPI Act (Promotion of Access to Information Act or PAIA) automatically designates a person in each organisation as an officer. Not the Chief Information Officer or CIO, but an Information Officer.

The Information Officer performs the same role as a Data Protection Officer under the GDPR.

The IO is responsible for ensuring that the organisation complies with PAIA and is thus mainly concerned with the:

  • Encouragement and insurance of compliance with PAIA in accordance with the body’s definition of compliance,
  • Creation, maintenance, and updates of a PAIA manual
  • Evaluation and approval of requests for access to information received in terms of the grounds set out in PAIA, within the time constraint or any extended period.

They are also the person who is responsible for ensuring that the organisation complies with the POPI Act. They are a key person in any project or programme and must further adhere to the requirements as set out in Section 55 of the POPA Act:

  • Reassure compliance with conditions for the lawful processing of personal information,
  • deal with requests made pursuant to POPIA (presumably by the Information Regulator or data subjects),
  • Co-operate with the Regulator in relation to investigations conducted related to prior authorisations
  • Develop, implement and monitor a compliance framework,
  • Certify that a personal information impact assessment is done to ensure that adequate measures and standards exist,
  • Develop, monitor, maintain and make available a PAIA manual,
  • Develop internal measures and adequate systems to process requests for access to information,
  • Ensure that internal awareness sessions are conducted, and as may be prescribed (presumably by the Minister or the Information Regulator).

Accountability:

In the event of any offences committed – the responsible party as defined in the Act will be held accountable and or responsible – which might be tricky as

The responsible party (as the name suggests) will be held accountable which might be tricky as there can be multiple legal and natural persons involved in a processing activity.

The responsible party – as defined in the act – is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information” therefore, it is essentially, the person who determines why and how to process personal information. In most instances, this is a juristic person (such as an organization) for whom the regulator will hold the organisation accountable or responsible (the entity and not the individual might be fined by the regulator)

This demonstrates why it is so important for each organisation to know when they are the responsible party; a useful tip is for organizations to map their activities and create a record of the processing activities.

Achieving compliance doesn’t need to be complex

Ensuring that a company is adequately compliant with POPIA might seem like a mammoth task but there are a few practical steps that the Information Officer and the organization can undertake to achieve compliance:

Firstly, organizations should conduct a personal information impact assessment, which will assist with identifying the personal information that the business processes in each of its business units/functions need to be addressed, this will then guide the measures that need to be implemented to ensure POPIA compliance.

It is important to gain a clear understanding of what, and how, personal information is collected, used, and processed within the business by tracking the flow of information as well as the individuals who have access to this information.

Understanding and monitoring who has rights to what information is key to ensuring compliance.

Where any gaps have been identified, Information Officers must set clear and achievable targets and implement enforceable policies and processes addressing and closing such gaps)

Organizations must further review all electronic systems and technology related to business operations where personal information is processed and ensure they are secure to external alteration or unauthorized access.

Finally, companies must build a work culture that places compliance at its foundation to ensure that it becomes part of the everyday business by educating all interested parties (both internally and externally) on their role in POPIA compliance.

It is important to note that while the hard deadline for compliance is set, adhering to the prescripts set out by the POPI Act is an ongoing and continuous process for businesses in South Africa, and companies will have to consistently assess their progress and update their policies and frameworks to adapt to the rapidly evolving privacy landscape.

As such, the role of the Information Officer is fundamental to ensuring an organization’s compliance with POPIA.

It is important to note that while the hard deadline for compliance is set, adhering to the prescripts set out by the POPI Act is an ongoing and continuous process for businesses in South Africa, and companies will have to consistently assess their progress and update their policies and frameworks to adapt to the rapidly evolving privacy landscape.

As such, the role of the Information Officer is fundamental to ensuring an organization’s compliance with POPIA.

Contact Us