All private and public bodies must appoint an Information Officer (IO). In the case of private companies, the head of the organisation (usually the CEO) is automatically the IO unless he or she delegates this role to someone else. There are forms available on the Information Regulator’s website that must be completed for both the appointment of the IO and the delegation of the IO’s duties.
The IO has specific duties, including the creation and implementation of a compliance framework within the company, the publication of a Promotion of Access to Information Act manual (also known as a PAIA manual), receiving and dealing with requests for access to personal information, and training. The PAIA manual is a document that takes a standard form, which can be downloaded at Understanding PAIA (sahrc.org.za); however, the information included in the manual is specific to each organisation. Every company must have a PAIA manual that is published on its website and available at its offices. The manual sets out the rules for accessing information that a person needs in order to protect or enforce a right.
In order to deal properly with personal information and its processing, the IO must ensure that every kind of risk to personal information is addressed by implementing rules and safeguards within the company.
In addition to the manual, the IO must establish processes for obtaining consent from existing data subjects (those people whose personal information the company already holds) and from future data subjects. The processes for collecting, storing, using, accessing and destroying that information must all be documented and enforced.
To find out more, contact us. This is not legal advice.