Legal SA: Article on Popi Regulations and Role Of Information Officer


We’ve all heard the saying: ‘Is the future bright, or is it just the lights of an oncoming train?’ Likewise, with all the alarmist comments about POPI being bandied about of late, I ask myself: are they alarm bells, or has Xmas come early?

Let’s be honest, POPI (the Protection of Personal Information Act, Act 4 of 2013) has effectively been around for some 8 years (the Bill was issued in 2009!), so why these sudden noises of Armageddon? What makes it even more perplexing is that not much has changed in terms of content over this period, during which a myriad of articles have been written, workshops conducted and plenty of videos posted on YouTube.

So let’s get to the point: the regulations were issued for comment recently and, based on their content, I believe they are cause for celebration rather than alarm – in fact, in terms of POPI, Xmas has come early! The reason for this observation is that the regulations spell out the duties of the Information Officer (referred to in the ‘early days’ as the Information Protection Officer) (‘IO’) to be appointed by each entity that is subject to POPI. The bottom line is that the appointee must ensure the entity’s compliance with POPI.

Clearly that is easier said than done: as the saying goes, ‘Doing the right thing is easy – the challenge is to know what the right thing is’! Likewise, appointing an IO is easy, but the question is: who is the right person? More about that at the end of this article; first I will look at the duties ascribed to the IO (the numbers in brackets refer to the conditions and sections in POPI).

‘Compliance framework’ – this would be the broad canvas incorporating how the entity will meet the 8 conditions prescribed by POPI, namely accountability (1), one element of which is the appointment of the IO; processing limitation and further processing limitation (2 & 4); purpose specification (3); information quality (5); openness (6); security safeguards (7); and data subject participation (8) (the data subject being the person to whom the personal information [‘PI’] pertains); and, in addition, the issues of direct marketing & spam (sections 69 – 71).

‘Adequate measures’ – this would entail a business plan addressing the compliance strategy (‘lawful processing’) as well as the brand issue, i.e. how to deal with any transgressions, given the serious consequences of security breaches in particular –

‘Global hospitality firm Hilton has been ordered to pay a $700,000 penalty for failing to disclose two separate payment card data breaches promptly enough’

Louis the Lawyer