Protection of Personal Information Act 4 of 2013 (“POPIA”)

/ / News, 2021, community Schemes, COVID-19

Article was written by Alisha Naik, Candidate Attorney, checked by Danmari Duguid, Associate at Schindlers Attorneys and released by Paul-Michael Keichel, Senior Partner at Schindlers Attorneys

20 June 2021


With the deadline for compliance with the provisions of the Protection of Personal Information Act 4 of 2013 (“POPIA”) fast-approaching (as the Regulations in will be in effect from 1 July 2021), it is imperative that organisations take steps to ensure that they are already, or are well on their way to complying with POPIA.

This article aims to briefly summarise the role of the Information Regulator (“IR”) as well as the appointment, registration and duties of Information Officers (“IO”) in terms of POPIA.


The IR is an independent body established in terms of Section 39 of POPIA and is empowered to monitor and enforce compliance by public and private bodies with the provisions of the POPIA Act. It is subject to the law and the Constitution of the Republic of South Africa and it is also accountable to the National Assembly.


Who should be registered as an IO?

The guidelines for the registration of an IO (“the Guidelines”) indicate that IO’s are, by virtue of their positions, appointed automatically in terms of POPIA. The following are categories of IO’s per specific Body include as follows –

Public Body or Organ of State
National DepartmentDirector-General or the person who is acting as such
Provincial AdministrationHead of Department or the person who is acting as such
MunicipalityMunicipal Manager or the person who is acting as such
Public Institutions listed in
PFMA Schedule 1, 2, 3A,
3B, 3C and 3D
Chief Executive Officer or the person who is acting as such
Private Body
Natural PersonSole proprietor who carries on any trade, business or profession, but only in such capacity and not in his personal capacity
PartnershipAny partner of the partnership or any person duly authorised by the partnership
Juristic PersonChief Executive Officer or the Managing Director or equivalent officer of the juristic person or any person duly authorised by that officer or any person who is acting as such or any person duly authorised by such acting person.

What are the duties and responsibilities of an IO?

Section 55 of the POPIA requires that every responsible party, regardless of its size or form, appoint an IO and to register the individual with the Information Regulator. Once the appointments have been registered, POPIA read together with Regulation 4 of the POPIA Regulations (“the Regulations”) prescribes certain duties that an IO is required to comply with, which include but are not limited to:

• encourage and ensure compliance with the conditions for the lawful processing of personal information;
• deal with requests made by the IR;
• work with the Regulator in relation to investigations conducted related to prior authorisations;
• create, maintain and update a POPI manual and compliance framework on how employees should implement the 8 conditions for the lawful processing of personal information for the organisation;
• develop internal measures and adequate systems to process requests for access to information;
• provide the necessary training to employees regarding the specifications, impact and implications of POPIA.

Section 56 of POPIA extends the designation of a Deputy IO. In order to render a body as accessible as reasonably possible, the IO of public and private bodies must designate Deputy IO(s) as are necessary, depending on the structure and size of such bodies, such appointment needing to be in writing.


In order to ensure that the IO is correctly registered, you must complete and submit the online registration form on the IR website at, or deliver the completed registration form to the Regulator’s address.

The registration form requires the following key information

  1. Name of the IO and designation;
  2. Name of the Deputy IO(s), if any, as designated in terms of section 56(1) of POPIA or section 17(1) of PAIA;
  3. The official postal and street address, phone, fax number and, electronic mail address of: –
    a. the IO; and
    b. every Deputy IO(s) designated.

The IR has advised that in order to ensure accessibility of a body, the IR may make the contact details of the IO and that of his or her Deputy IO(s) available on its website.


Stay tuned to our website for more informative articles on this exciting topic and feel free to contact us at should you wish to seek our advice on assisting your organisation with POPIA compliance.


The registration and importance of an Information Officer in terms of POPIA

Share Article: