On 18 March 2021, the Information Regulator announced on Twitter that:

  • the registration of information officers will commence on 1 May 2021;
  • the Draft Guidelines will be finalised once all public comments are taken into consideration; and
  • registration will be an on-going process to enable new entities to register and for existing one to update their details.

In our recent engagement with the Information Regulator, its office indicated that a notice inviting responsible parties to submit their applications for registration of information officer and deputy information officer will be published on the Information Regulator’s website and social media as soon as possible. It is expected that the precise mechanism and form of registration will be communicated through those notices.

What happens from 1 May 2021?

Under the Protection of Personal Information Act, 2013 (POPIA) and the Promotion of Access to Information Act, 2000 (PAIA), an information officer must perform duties and responsibilities as prescribed under POPIA and PAIA.

POPIA Regulation 4, which prescribes some of these duties and responsibilities, will take effect on 1 May 2021 but only be enforced from 1 July 2021. These duties include ensuring that:

  • a compliance framework is developed, implemented, monitored and maintained;
  • personal information impact assessments are done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  • a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of PAIA;
  • internal measures are developed together with adequate systems to process requests for information or access thereto; and
  • internal awareness sessions are conducted regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the Information Regulator.

Given that compliance with POPIA will only be enforceable from 1 July 2021, some of these duties and responsibilities practically cannot be performed, for example monitoring a compliance framework. As these duties and responsibilities involve a number of measures being implemented to ensure compliance with POPIA, it is recommended that companies start now getting ready for POPIA compliance by 1 July 2021.