The duties of the Information Officer are covered in this article. Previous articles covered the requirements in POPI that specify the level of seniority of the Information Officer, the appointment of Deputy Information Officers and the need to register the person with the Information Regulator. All of these topics fall under the “Governance” workstream.
Duties of the Information Officer
There are three main duties of the Information Officer that are prescribed by the POPI Act. These duties should fit within the Information Officer’s role in a company’s own compliance model. That will be covered under the “Three Lines of Assurance model”, which will be written about in an upcoming article.
- Handling requests – there are a number of rights conferred on the data subject by the POPI Act regarding their personal information. This may result in requests being made to responsible parties. We will deal with all these requests under the workstream called “Data Subject Servicing” in a future article.
- Dealings with the Regulator – the first need is to register the Information Officer with the regulator and there are various other instances throughout the POPI Act where you may need to engage with the Regulator. For example: obtaining prior authorisation under various circumstances before being able to process Personal Information; dealing with complaints from the Regulator; handling Assessments by the Regulator and Enforcement Notices that have been issued to a company.
- Compliance with POPI – the whole aim of specifying the requirement to have such a person formally employed by the responsible party is to make sure companies don’t make do without any formal accountability being established. As mentioned earlier, the compliance model that POPI would need to dovetail with will be looked at in a later section.