Who is the Information Officer?

POPI designates the head of the business as the Information Officer 1. Depending on the type of business, the Information Officer will therefore be the sole trader, a partner in a partnership or CEO (or equivalent) in a company or CC 2.

The head of the business can delegate his or her responsibilities as Information Officer to any other duly authorised person 3. However, it is important to note that whoever “determines the purpose of and means for processing personal information” remains ultimately responsible for ensuring that the processing of personal information is done in a lawful manner 4.

The Information Officer must appoint (in writing) as many Deputy Information Officers as necessary 5. For example, the appointment of Deputy Information Officers may become necessary to make the organisations records as accessible as reasonably possible for requesters.

Duties and Responsibilities

So, what are the duties and responsibilities of the Information Officer? 6

  1. to encourage compliance with POPI
  2. dealing with requests made to the organisation in relation to POPI (for instance, requests from Data Subjects to update or view their personal information)
  3. working with the Regulator in relation to investigations
  4. otherwise ensuring compliance with POPI
  5. as may be prescribed

Information Officers further need to be registered with the Regulator before taking up their duties 7.

On a day to day basis the Information Officer may find themselves 8:

  • making recommendations and raising concerns where appropriate
  • documenting information processing procedures
  • evaluating and further developing data protection and security policies
  • suggesting, selecting and implementing technical security measures
  • drafting forms and contracts appropriate for data protection
  • selecting employees, service providers and others to be involved in the processing of personal information
  • monitoring data privacy and security measures as well as the proper use of data processing programs
  • handling
    [requests and] complaints relating to personal information
  • employee training
  • preparing, submitting and maintaining notifications to [the Regulator]

Internal or External?

Once the decision is made to delegate the Information Officer role, the question may arise whether to appoint an internal or external person. There are pros and cons to each.

Appointing an internal resource means that company sensitive information doesn’t leave the company. An internal Information Officer may also be able to leverage existing working relationships to more efficiently fulfill their role.

On the other hand, a professional external resource will have more compliance knowledge and experience and find it easier to keep up with developments in the field.

Suitable Candidates

While POPI does not set out specific skills and qualifications for an Information Officer, realistically the role requires the following 9:

  1. A good understanding of information technology
  2. Basic legal training is advantageous
  3. An broad understanding of the company operations (arguably easier to acquire than 1 & 2)
  4. No conflicts of interest, “which typically rules out the appointment of business owners, senior managers and employees with a strong interest in data collection and usage, such as marketing and HR managers” 9
  5. Enough spare time
  6. Buy-in from top management


This post deals with the Information Officer role in a ‘private body’ which includes sole traders, partnerships, CCs and companies but excludes government & constitutional bodies.

The role of Information Officer in SA law is not directly related to the CIO role found in companies.


  1. Protection of Personal Information Act 4 of 2013, s1
  2. Promotion of Access to Information Act 2 of 2000, s1
  3. Promotion of Access to Information Act 2 of 2000, s1
  4. Protection of Personal Information Act 4 of 2013, s4(1)
  5. Protection of Personal Information Act 4 of 2013, s56
  6. Protection of Personal Information Act 4 of 2013, s55(1)
  7. Protection of Personal Information Act 4 of 2013, s55(2)
  8. Determann’s Field Guide to International Data Privacy Law Compliance, p7, s1.16
  9. Determann’s Field Guide to International Data Privacy Law Compliance, p9, s1.20