Practicalities of the POPIA Act: The role of the information officer

If you are either a public or private body that processes personal information, there is no way of escaping your duty of having an information officer (IO). This person must either be appointed, or the position will fall on someone by default.

In public bodies, the position of IO is prescribed in section 1 of PAIA.

In the case of a private organisation, the appointment of an IO happens automatically in terms of the Promotion of Access to Information Act (PAIA) – and it bears mentioning that the IOs under POPIA are the same as under PAIA.

If no one is specifically appointed as IO, then that position will go to the chief executive officer or equivalent; any person duly authorised by that person; or whoever acts as IO, or has been authorised by such acting person. No organisation can therefore say it does not have an IO, even if the organisation has not officially appointed one. Furthermore, the IO must come from the executive ranks of the organisation.

Despite the default stipulation, all organisations are required under POPIA to officially appoint an IO and register that officer with the Information Regulator. Such appointment must be done in writing, by completing an information officer’s registration form provided by the Information Regulator of South Africa. In the case of multinational entities based abroad, a South African representative must be appointed. So, too, each subsidiary of a group of companies must appoint and register an IO with the Information Regulator.

The default IO – in other words, the chief executive officer or equivalent – remains accountable for the function, whether or not that function has been delegated.

Designation of a deputy information officer

Depending on the size of the organisation, it may be necessary to appoint one or more deputy information officers (DIOs) so the organisation can be as accessible as reasonably possible. The legislation stipulates that only employees of a body can be designated as a DIO.

There are a number of guidelines on the role of DIOs:

  • The DIO should report to, and preferably come from, management level and above.
  • The DIO should be accessible, understand the organisation’s inner workings, and be trained on POPIA and PAIA.
  • The DIO should be given enough time and resources to fulfil the function properly.
  • The duties and responsibilities of the DIO should form part of their job description.

Once again, the IO ultimately remains responsible for the function.

How to register an IO

There are two options for registering an organisation’s IO:

  • Complete and submit an online registration form; or
  • Complete the registration form manually and deliver it to the Information Regulator’s physical address, or email it to

At this late stage, organisations are encouraged to follow the online route, as the process is quicker than manually delivering or emailing the relevant form.


The final deadline for appointing an IO was 1 May 2021. If your organisation has not yet officially done so, this is a crucial task for the new year.
