POPIA: The Role of the Information Officer – where does a Managing Agent fit in?
14 June 2021 | Leigh-Anne Harrison
The countdown to compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) is underway and organisations now only have 15 days to come into compliance. POPIA was enacted to promote and protect an individual’s right to privacy, and it introduces:
minimum conditions for the lawful processing of personal information;
the appointment of an Information Officer to guide an organisation’s compliance, and
compulsory requirements for the registration of Information Officers with the Information Regulator.
Information Officers can only take up their duties as such once registered with the Information Regulator and on 1 April 2021 the Information Regulator published guidelines for Information Officers and their subsequent registration.
The published guidelines highlighted and answered a lot of questions on the duties and responsibilities placed on an Information Officer including their criminal liability for a data breach in terms of the POPIA.
Who must be registered as an Information Officer?
Certain people, by virtue of their position, will automatically take up the role of Information Officer including CEOs, Managing Directors (or equivalent officers) or any persons appointed as the head of an organisation.
What are the duties of an Information Officer?
The Information Officer of an organisation is responsible for the following:
developing and implementing a compliance framework;
ensuring that the compliance framework is monitored and maintained over time;
ensuring that an organisation has a POPIA manual that highlights how the organisation processes personal information and their compliance with the conditions for lawful processing, and
conducting awareness training with members of the organisation.
Training of Information Officers
While the POPIA does not set out specific skills and qualifications for an Information Officer, it does require that they be suitably qualified and have a reasonable understanding of the POPIA and an organisation’s business operations and processes in order to perform their duties.
The Information Officer vs The Managing Agent within a Community Scheme
As we know, Trustees and Directors (Scheme Executives) in a community scheme appoint a Managing Agent for the day to day running of the Scheme which includes financial, administrative and compliance functions. Even though they do this and it is an important role, a scheme is ultimately still the one responsible to its members. In the context of the POPIA, the scheme will always be the one that processes personal information, even though the managing agent safely and securely stores the scheme’s information. If we look at the definition of an agent it is someone that empowers another to act on their behalf or to represent them. The community scheme empowers a managing agent to represent and act on their behalf, however the duties and responsibilities of a community scheme still rests on that scheme. The Managing Agent is not the scheme, they are just delegated the functions thereof.
With the above being said, the question has been raised, why can’t the Managing Agent be appointed as the Information Officer? The answer ultimately lies in the above, despite argument that the managing Agent should be appointed as the Information Officer.
Another consideration is the criminal liability attached to an Information Officer should a data breach occur in terms of the POPIA. These include a fine of up to R10 Million or 12 months imprisonment. Would a Managing Agent want to expose themselves to this risk?
Next steps
At the beginning of June 2021, the Community Schemes Ombud Service (“CSOS”) addressed correspondence to the Information Regulator requesting engagement to include managing agents (Agents) to be appointed as an Information Officer to lessen the burden on scheme executives, taking into consideration the duties of an Information Officer and the limited resources and infrastructure of many community schemes. They highlighted that scheme executives will still be responsible for the safe keeping of all the personal information however given the extensive nature of the duties imposed on an Information Officer, the CSOS are of the opinion that managing agents be included in the definition.
If agreed to by the Regulator, the guidelines issued would have to be amended, putting pressure on those schemes, already compliant, to reconsider their approach to the role of the Information Officer. With so little time until the commencement date for POPIA compliance rears its ugly head, it is going to be an interesting next couple of weeks.
Click here to download the guidance note on information and deputy information officers.
Contact us on info@tvdmconsultants.com or 061 536 3138 should your scheme require assistance with becoming compliant.
About the Author: Leigh-Anne Harrison (LLB Stellenbosch) is a Portfolio Manager at RPA Property Administrators.