Article on POPI regulations and role of information officer (PART 2)
POPI – Alarm bells or xmas bells?
‘Preliminary assessment’ – once appointed, the IO will have to carry out a detailed assessment addressing, inter alia: the nature and frequency of the PI handled by the entity; the employees and third parties involved; how long such information is traditionally stored and shared with third parties; current levels of IT (information technology) security; whether direct marketing is done and how; cross-border business; and statutes pertaining to the entity that prescribe terms for information retention (and therefore exceptions). Essentially, what will have to be carried out is some form of gap analysis.
‘PAIA (Promotion of Access to Information Act, Act 2 of 2002) manual’ – as we are (or should be) all aware, this is a pervasive requirement (applicable to all entities), but the good news is that in preparing this document many of the POPI requirements are met simultaneously. Over and above the PAIA requirements, the manual must now address the following POPI aspects: the purpose of processing; the categories of data subjects, of information and of the recipients thereof; the transborder flow of PI; and information security.
‘Transborder information flow’ (20 & 21) – if PI is exchanged or shared across international borders, POPI contains very specific compliance parameters, and one of the duties of the IO will be to earmark and ring-fence these flows and, in the process, to review all agreements with such transborder third parties as well as the privacy legislation applicable in the country where the third party is located.
‘Security measures’ – these pertain mainly, but not only, to IT (see ‘Adequate measures’ above). Apparently mundane issues such as employment contracts, cell phones on the premises, personal laptops and social media (and the terms and conditions applicable to these) will all need to be addressed, and one would imagine this will require an in-depth review of the related policies, or lack thereof, in each entity.
‘Internal measures’ – this has been addressed to a large extent above (see ‘Compliance framework’), but here it concerns access to, or requests for, PI.
‘Awareness sessions’ – similar to the duties of the CPA (‘Consumer Protection Act, Act 68 of 2008’) Consumer, Goods & Services Ombudsman (‘CGSO’), i.e. to ‘ensure that the relevant staff and agents in their business have adequate knowledge of the CPA and the Regulations issued thereunder, including the Code and their own internal complaints-handling procedure’.
The appointment and qualifications of the IO – as mentioned above, the challenge is to find and appoint the right person! POPI defines the IO (in the case of a private, as opposed to a public, body) as ‘the head of the private body as contemplated in section 1 of PAIA’, i.e.
- a natural person: that person or any person duly authorised by that natural person;
- a partnership: any partner or duly authorised person; and
- a juristic person: the chief executive officer, equivalent, acting officer or duly authorised officer.
POPI makes provision for the appointment of deputies (‘… a number … as is necessary to perform the duties and responsibilities …’) of the IO.
There are no terms of reference as such but clearly the following would be advisable if not prerequisites:
- An in-depth knowledge of POPI, PAIA and the CPA;
- Familiarity with corporate governance, the various reports of the King Commission and international trends;
- Training as a lawyer or accountant;
© ADV LOUIS NEL
NOVEMBER 05 2017