The Protection of Personal Information Act, Act #4 of 2013 (POPIA) came into effect in its entirety almost a year ago on 1 July 2021 and the Information Regulator (IR) indicated that applications for the appointment of the Information Officer (IO) needed to be submitted from 1 May 2021. Submissions need to be done using the form prescribed by the IR.

POPIA defines the IO as “head of private body as contemplated in section 1 of Promotion of Access to Information Act”, Act #2 of 2000   (PAIA) – the latter states that it is “the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer”. 

As we all (should) know PAIA has been with us for a long time and, equally long ago, all entities were required to draft and submit manuals  and appoint information officers in terms thereof.  PAIA is aimed at allowing access to any information held by the State and any information held by private bodies that is required for the exercise and protection of any right.

The manual underpins many aspects of POPIA and if you do not have such a document, it should be drafted and submitted to the SA Human Rights Commission.

Whilst PAIA determines that ‘the head’ is deemed to be the IO, POPIA allows for such a party to appoint any natural person who is an employee of the entity as IO and the IO may in turn appoint deputies.

The IO and deputies (DIO) are required to meet the following requirements i.e. they must:

  • Be natural persons
  • Be employees of the entity
  • Be trained (not by the IR)
  • Fall into ‘management level’ category
  • Understand POPIA, PAIA and have ‘institutional knowledge’ of the entity’s ‘operations & processes’
  • The IO may appoint more than one DIO as required based on ‘the size and structure’ of the entity
  • Report to ‘the highest management office

Duties of IO and DIO (POPIA & PAIA)

  • Create POPIA compliance framework
  • Apply and ensure POPIA & PAIA compliance
  • Carry out privacy impact assessment/audit/SWOT analysis
  • Deal with requests from the IR
  • Prepare/update/make available PAIA manual
  • Deal with requests for information in terms of POPIA and/or PAIA
  • Work closely with IR
  • Create internal awareness

Please be aware of the possible criminal liability of the IO and DIO – this is determined by the Enforcement Committee for transgressions detailed in PAIA (such as destruction & alteration of records) but bear in mind that these require inter alia wilfulness and/or gross negligence and excludes acts done in good faith (See POPIA sections 50, 90 & 93 & PAIA section 77).


You can register your IO here:

You can download the Guidance Note here:




April 25 2021

 DISCLAIMER – Each case depends on its own facts & merits – the above does not constitute advice – independent advice should be obtained in all instances