There is a strategic imperative that should be at the heart of every appointment of an Information Officer, at least if a company is serious about implementing the principles of the Protection of Personal Information (POPI) legislation in its organisation.
The Strategic Imperative
During the years when the POPI legislation was being developed, Tim O’Hanlon of TOSMS had numerous discussions with the Information Commissioner in the UK, as well as many discussions with the South African Law Reform Commission, the drafters of POPI. Over the years, the following became clear:
- The POPI legislation is merely codifying good business practice. Where companies fall foul of the legislation and breaches occur, those companies which are able to demonstrate that good business practices are in place are not likely to be named and shamed. Staff make mistakes, and as long as rectification action is reasonable, the authorities indicated there should be no problem if a company can demonstrate that it has good business practices in place.
The point here is that the Information Officer must ensure that good business practices are in place when it comes to processing personal information. Key to this is the establishment of appropriate Policies, Standards, Practices and Guidelines – what we at TOSMS refer to as PSPGs – along with sound enforcement and oversight using a suitable regulatory compliance model.
This is the strategic imperative that should be at the heart of every Information Officer appointment.