Information Regulator on deadline for registration of Information officers and Deputy Information Officers

Developments ahead of enforcement powers coming into effect

The Information Regulator has confirmed that there will be no deadline for registration of Information officers (IO) and Deputy Information Officers (DIO); this means that no responsible party will be held liable for not registering by 30 June 2021. This decision follows technical glitches with the registration portal and numerous concerns raised by responsible parties regarding the registration process.

“The Regulator is currently looking into alternative registration processes and will communicate this in due course. We understand that our portal malfunctioning has caused a lot of anxiety and panic and for that we really do apologise,” said Chairperson of the Information Regulator, Advocate Pansy Tlakula.

The registration of a Chief Executive Officer (CEO) as an Information Officer for multiple legal entities has been taken into consideration and it will be permissible. The registration portal is currently being configured to accommodate these changes. When the registration portal has been updated it will be announced.

The Protection of Personal Information Act (POPIA) enforcement powers as promulgated by the President of South Africa in June 2020 will still be coming into effect as of the 1 July 2021. The Information Regulator had thus afforded responsible parties a one-year grace period to be compliant with POPIA. For responsible parties to be compliant with POPIA they are required amongst many actions to appoint and register their Information Officers (IO) with the Information Regulator and apply for Prior Authorisation before processing personal information. There has been an exponential increase for engagement from responsible parties with the Regulator as the POPIA enforcement powers draw closer and are less than ten (10) days away.

Furthermore, the Regulator has extended the applications for Prior Authorisation in terms section 57 (1) subject to section 58 (2) to 01 February 2022. Responsible Parties must obtain prior authorisation from the Regulator prior to any processing of personal information where that responsible party plans to:

• Process any unique identifiers of a data subject.

• Process information on criminal Behaviour or on unlawful or objectionable conduct on behalf of third parties.

• Process information for purposes of credit reporting.

• Transfer special personal information or personal information of children to foreign countries that do not provide an adequate level of protection for processing of personal information.

The Information Regulator as of 30 June will also be taking over the function of the Promotion of Access to Information Act (PAIA) from the South African Human Rights Commission (SAHRC). Should the public require lodging a complaint, they may approach the Regulator to adjudicate, or they may approach the court directly.

Source: Government of South Africa

Recent Posts