Information officers: who, what, and the registration duty

Every responsible party has one by operation of law — and section 55(2) says duties begin only after registration with the Regulator.

Written by Martin Kotze, Attorney, Conveyancer & Notary Public

Quick answer
Every responsible party has an information officer by operation of law — for a company, the CEO or equivalent, who may authorise another employee at management level in writing, and should. Duties include encouraging compliance, dealing with data subject requests and cooperating with the Regulator; regulation 4 adds a compliance framework and a personal information impact assessment. Registration with the Regulator is compulsory before duties begin, and each subsidiary in a group registers its own.

Who is the information officer?

You do not appoint an information officer into existence — the Act designates one: for a private body, the head of the body (the CEO or equivalent; for a sole proprietorship or partnership, the proprietor or a partner). The head may authorise another person in writing — and should, because the role is operational. The Regulator’s Guidance Note sets the bar for that delegation: “only an employee of a private body at a level of management and above should be considered for authorisation as an Information Officer”, with deputy information officers below for the day-to-day. The role is POPIA’s answer to the GDPR’s DPO — but unlike a DPO, it exists in every organisation automatically.

The registration duty

Source — the actual words

“Officers must take up their duties in terms of this Act only after the responsible party has registered them with the Regulator.”

Protection of Personal Information Act 4 of 2013, s 55(2)

The Guidance Note calls registration “a compulsory requirement”, requires each subsidiary in a group to register its own officer, and registration now runs through the Regulator’s eServices portal — the same portal that handles breach reporting, which is a second reason to have credentials before an incident. And the Regulator checks: the Central Johannesburg TVET College enforcement notice (22 May 2026) included, among the findings, a straightforward failure “to register the Information Officer with the Regulator” — see the enforcement tracker.

The duties

Section 55(1) lists the statutory core: encouraging and ensuring compliance with the Act, dealing with requests made under it, cooperating with the Regulator in investigations, and otherwise ensuring compliance. Regulation 4 turns that into a programme: develop, implement and maintain a compliance framework; conduct a personal information impact assessment to ensure adequate measures and standards; develop and maintain the PAIA manual; build internal awareness; and ensure data subject requests are handled. In practice the officer owns the compliance shortlist end to end.

Setting the role up properly

  • Decide who actually does the work; if not the CEO, authorise a management-level employee in writing
  • Appoint deputies where size or structure needs them — in writing, with defined portfolios
  • Register the officer (and each subsidiary’s officer) on the eServices portal before duties begin
  • Stand up the regulation 4 deliverables: compliance framework, impact assessment, PAIA manual, awareness training
  • Wire the officer into incident response — they file the breach reports and answer the Regulator
  • Revisit on every leadership change: the designation follows the office, not the person who left

Frequently asked questions

Does a small business need an information officer?

It already has one — the head of the business is the information officer by operation of law. The choice is not whether to have one, but whether to delegate the role formally and register correctly.

Can the information officer role be outsourced?

The Regulator’s guidance points inward: "only an employee of a private body at a level of management and above should be considered for authorisation as an Information Officer". External advisers can support the officer; the accountability stays in-house.

Must every company in a group register its own officer?

Yes — the Guidance Note requires each subsidiary in a group to register its own information officer. One registration for the holding company does not cover the group.

What happens if the officer is not registered?

Registration is "a compulsory requirement", and failures surface in enforcement: the Central Johannesburg TVET College enforcement notice (22 May 2026) included a straightforward failure to register the Information Officer with the Regulator.

What are deputy information officers for?

Delegation that works: deputies (management-level employees) carry the operational load — requests, breach reporting, the compliance framework — under the information officer’s authorisation, which should be in writing.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.