Guidance note on information officers & Deputy information officers

GUIDANCE NOTE ON INFORMATION OFFICERS AND DEPUTY INFORMATION OFFICERS 1 APRIL 2021 Page 2 of 29 TABLE OF CONTENTS 1. RELEVANT DEFINITIONS ........................................................................................................ 3 2. INTRODUCTION ....................................................................................................................... 7 3. PURPOSE ................................................................................................................................. 7 4. LIABILITIES .............................................................................................................................. 8 5. WHO SHOULD BE REGISTERED AS AN INFORMATION OFFICER ...................................... 9 6. DUTIES OF THE INFORMATION OFFICER ............................................................................12 7. DESIGNATION OF A DEPUTY INFORMATION OFFICER ......................................................17 8. DELEGATION OF AUTHORITY BY AN INFORMATION OFFICER TO A DEPUTY INFORMATION OFFICER ........................................................................................................18 9. TRAINING OF INFORMATION OFFICERS / DEPUTY INFORMATION OFFICERS ................20 10. PROCEDURE FOR THE REGISTRATION OF THE INFORMATION OFFICER .......................20 11. UPDATING THE DETAILS OF AN INFORMATION OFFICER AND DEPUTY INFORMATION OFFICER(S) .............................................................................................................................21 12. PUBLICATION OF THE PARTICULARS OF AN INFORMATION OFFICER ...........................21 13. CONTACT DETAILS OF THE REGULATOR……………………………………………………….21 ANNEXURE A- INFORMATION OFFICER’S REGISTRATION FORM .............................................23 ANNEXURE B- DESIGNATION AND DELEGATION OF AUTHORITY TO THE DEPUTY INFORMATION OFFICER ........................................................................................28 ANNEXURE C- AUTHORISATION OF INFORMATION OFFICER ....................................................29 Page 3 of 29 1. RELEVANT DEFINITIONS These definitions are taken from the Promotion of Access to Information Act 2 of 2000 as amended (PAIA) and the Protection of Personal Information Act 4 of 2013 (POPIA). 1.1. “Body” means a public or private body; 1.2. “Data Subject” means the person to whom personal information relates. 1.3. “Head” of, or in relation to, a private Body means- (a) in the case of a natural person, that natural person or any person duly authorised by that natural person; (b) in the case of a partnership, any partner of the partnership or any person duly authorised by the partnership; (c) in the case of a juristic person- (i) the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or (ii) the person who is acting as such or any person duly authorised by such acting person. 1.4. “Information Officer”: of, or in relation to, a – a) public body means an Information Officer or Deputy Information Officer as contemplated in terms of section 1 or 17 of the Promotion of Access to Information Act; or Page 4 of 29 b) private body means the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act. 1.5. “Person” means a natural person or a juristic person. 1.6. “Personal Information” – means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including, but not limited to— a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; b) information relating to the education or the medical, financial, criminal or employment history of the person; c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; d) the biometric information of the person; e) the personal opinions, views or preferences of the person; f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; g) the views or opinions of another individual about the person; and Page 5 of 29 h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person. 1.7. “Private Body” means- (a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity. (b) a partnership which carries or has carried on any trade, business or profession; or (c) any former or existing juristic person, but excludes a public body. 1.8. “Processing” means- any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including— a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; b) dissemination by means of transmission, distribution or making available in any other form; or c) merging, linking, as well as restriction, degradation, erasure or destruction of information. 1.9. “Public Body” means- (a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or (b) any other functionary or institution when- Page 6 of 29 i. exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or ii. exercising a public power or performing a public function in terms of any legislation. 1.10. “Requester”, in relation to- (a) a public body, means- (i) any person (other than a public body contemplated in paragraph (a) or (b) (i) of the definition of ‘public body’, or an official thereof) making a request for access to a record of that public body; or (ii) a person acting on behalf of the person referred to in subparagraph (i). (b) a private body, means- (i) any person, including, but not limited to, a public body or an official thereof, making a request for access to a record of that private body; or (ii) a person acting on behalf of the person contemplated in subparagraph (i). 1.11. ‘‘Responsible Party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information; 1.12. The usage of the words “responsible party” and “body” interchangeably throughout this document depends on the contents of a specific paragraph. Page 7 of 29 2. INTRODUCTION 2.1. The Protection of Personal Information Act 4 of 2013 (POPIA) was enacted to give effect to the constitutional right of privacy by safeguarding personal information processed by a responsible party and prescribes- 2.1.1. the minimum threshold requirements for the lawful processing of personal information, 2.1.2. an obligation on Information Officers of public and private bodies to designate and/or delegate1 any power or duty to Deputy Information Officers, as necessary to make the body as accessible as reasonably possible; and 2.1.3. compulsory requirements for registration of Information Officers with the Information Regulator (Regulator). 2.2. PAIA allows the Information Officer of a private body to authorise any person as an Information Officer. 2.3. The Information Officers and Deputy Information Officers are required, in terms of Section 55(2) of POPIA, to take up their duties only after being registered with the Regulator. 2.4. The Information Officers referred to in section 55(1) of POPIA are the same Information Officers referred to in sections 1 or 14 and 51 of PAIA. 2.5. The Information Officers of public and private bodies perform their duties and responsibilities in terms of both PAIA and POPIA. 3. PURPOSE 1 Section 56 of POPIA and section 17(1) of PAIA Page 8 of 29 The purpose of this Guidance Note is to provide guidance and procedures for the– 3.1. obligations and liabilities of Information Officers and Deputy Information Officers; 3.2. registration of Information Officers with the Information Regulator; 3.3. updating the details of Information Officers; 3.4. designation of Deputy Information Officers; 3.5. delegation of duties and responsibilities of the Information Officers to the Deputy Information Officers. 4. LIABILITIES 4.1 Section 93(b)(ii) of POPIA empowers the Enforcement Committee to make any recommendation to the Regulator necessary or incidental to any action that should be taken against an Information Officer in terms of PAIA. 4.2 An Information Officer may, on conviction, be held criminally liable for the following offences, in terms of PAIA-