POPIA Information Officer: Duties, Liability, and How to Appoint One
Every organisation that processes personal information must appoint an Information Officer. Here's what the role requires, what the liability looks like, and the steps to formalise your appointment correctly.
Every organisation that processes personal information in South Africa is legally required to appoint an Information Officer under the Protection of Personal Information Act (POPIA). Yet in a significant number of organisations — including large enterprises — that appointment either hasn't happened, has been made informally without proper registration, or has been assigned to someone who doesn't understand what the role actually requires.
This is not a paperwork oversight. The Information Officer carries personal liability under POPIA. Getting this wrong has consequences for both the individual and the organisation.
What POPIA Requires
POPIA does not itself name the default Information Officer in Section 55. It adopts the definition from the Promotion of Access to Information Act (PAIA), under which the head of a private body is the Information Officer by default. For a company, that is the CEO or Managing Director. For a close corporation, it is the managing member. For a partnership, it is the managing partner.
In practice, most organisations delegate the role to a senior employee, such as a Chief Information Officer, Chief Compliance Officer, Legal Counsel, or Head of IT. The head of the organisation remains the Information Officer until that delegation is formalised and registered with the Information Regulator, and retains accountability for the function even after delegating it. Section 55(2) is explicit on the sequencing: an officer may only take up their duties under the Act once the responsible party has registered them with the Regulator.
The key word is registered. Informal delegation or internal appointment letters are not sufficient on their own. The Information Regulator must be notified.
The Eight Core Duties
POPIA Section 55(1) sets out the Information Officer's core responsibilities, and Regulation 4 of the POPIA Regulations expands on them. Taken together, they are not administrative duties. They require active governance:
1. Encourage compliance. The Information Officer must actively drive the organisation's compliance with POPIA across all departments that process personal information. This is an ongoing operational responsibility, not a once-off project.
2. Deal with requests made to the body. All data subject access requests, requests for correction, and requests for deletion must be managed through the Information Officer's office within the POPIA-prescribed timeframes.
3. Work with the Information Regulator. If the Regulator initiates an investigation or requests information, the Information Officer is the organisation's primary point of contact and must cooperate.
4. Develop, implement, monitor and maintain a POPIA compliance framework. This includes internal policies, processing records, consent management mechanisms, and data retention schedules.
5. Ensure data subject rights are protected. The Information Officer must ensure that marketing opt-outs are respected, that data minimisation is practised, and that individuals can exercise their rights under Sections 23–25.
6. Conduct impact assessments. Regulation 4 requires a personal information impact assessment (commonly called a Privacy Impact Assessment) to confirm that adequate measures and standards exist. Before implementing new processing activities that present high privacy risks, such as new marketing systems, third-party data sharing arrangements, or employee monitoring tools, the Information Officer should conduct or oversee one.
7. Manage data breach response. In the event of a breach, the Information Officer is responsible for the Section 22 notification obligations: notifying the Information Regulator and affected data subjects as soon as reasonably possible.
8. Maintain the PAIA Manual. Section 51 of the Promotion of Access to Information Act requires private bodies to compile and maintain an information manual. The Information Officer is responsible for this document.
Deputy Information Officers
Where an organisation processes large volumes of personal information, or operates across multiple business units or geographies, Section 56 of POPIA provides for the designation of Deputy Information Officers. Deputies operate under the authority of the Information Officer and can be delegated specific duties; for example, one Deputy handling data subject requests while another manages vendor data processing agreements.
Deputies must also be registered with the Information Regulator.
For groups of companies, each legal entity that processes personal information is a separate responsible party and must register its own Information Officer. The holding company's registration does not cover its subsidiaries, even where the same individual holds the role in each entity.
Personal Liability
This is the point most organisations underestimate. POPIA's offences provisions (Sections 100 to 106) make it a criminal offence to obstruct or hinder the Information Regulator, to fail to comply with an enforcement notice, or to make a false statement or give false evidence in proceedings before the Regulator. Because the registered Information Officer is the person who deals with the Regulator on the organisation's behalf, they are the individual most exposed to prosecution under these provisions, over and above any organisational fines.
Administrative fines under Section 109 can reach R10 million and are levied against the responsible party, the organisation. Criminal penalties under Section 107 attach to the person convicted: a fine, imprisonment of up to 10 years for the most serious offences (including obstructing the Regulator and failing to comply with an enforcement notice), up to 12 months for the others, or both a fine and imprisonment.
The distinction matters: if the organisation has failed to comply with POPIA and an enforcement action follows, the Information Regulator will want to engage the registered Information Officer directly. An officer who cannot demonstrate that they actively discharged their duties — who treated the role as a title rather than a function — is in a difficult position.
How to Register Correctly
Step 1: Internal appointment
The head of the organisation (or board, for a company) formally appoints an employee as Information Officer by written resolution or board resolution. The appointment letter should specify:
- The individual's name and title
- The scope of the delegation
- The effective date
- Any Deputy Information Officers being appointed
Step 2: Registration with the Information Regulator
Registration is completed via the Information Regulator's online portal at inforegulator.org.za. The process requires:
- The organisation's registration details (company number, registered address)
- The Information Officer's full name, contact details, and role
- Deputy Information Officer details (if applicable)
There is currently no registration fee for private bodies.
Step 3: Publish the appointment
The Information Officer's name and contact details must appear in the organisation's PAIA Manual (the Section 51 manual), which is a public document that must be made available to anyone who asks for it. Many organisations also publish the details on their privacy notice page so that data subjects know who to contact.
Step 4: Equip the role
Registration is the beginning, not the end. The Information Officer should:
- Conduct a personal information audit to understand what data the organisation holds and why
- Review and update the organisation's privacy notice and consent mechanisms
- Establish a process for handling data subject requests within the prescribed period (30 days for access requests under PAIA, extendable only in the limited circumstances the Act allows)
- Ensure staff training on POPIA obligations is delivered and documented
- Build a data breach response plan before it is needed
What Happens Without a Registered Officer
Operating without a registered Information Officer does not exempt an organisation from POPIA obligations — it simply means there is no individual accountable for ensuring they are met. When the Regulator receives a complaint from a data subject, or initiates an investigation, the absence of a registered officer is itself a compliance failure and typically escalates scrutiny rather than reducing it.
For organisations that handle the personal information of employees, customers, or third parties — which includes virtually every business in South Africa — POPIA registration is not optional.
Montana Data Company's POPIA Consulting service assists organisations with the full appointment and compliance framework process, from internal governance through to Information Regulator registration and ongoing compliance monitoring.