POPI ACT – REGISTRATION OF DENTIST AS INFORMATION OFFICER
POPI ACT – REGISTRATION OF DENTISTS AS INFORMATION OFFICERS AND WHAT ARE THE DUTIES OF INFORMATION OFFICERS
All Dentists are reminded that the provisions of The Protection of Personal Information Act 4 of 2013 (POPIA) will come into force on 1 July 2021. SADA Members are referred to many previous bulletins explaining the provisions of the POPIA. In this bulletin, we are informing members to register as Information Officers with the Information Regulator. The Information Regulator has opened up the online registration process for Information Officers. The Information Officer in respect of a private body like dental practices “means the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act. This would be the owner of the dental practice. In the case of a solo practitioner, it would be the practitioner carrying on that practice. In the case of a partnership, it would be any authorized by the partnership, or in the case of an incorporated company it would be CEO or Managing Director or equivalent. What are the duties of the Information Officer?They would encourage compliance by the practice with the conditions of lawful processing of personal information. For example, the practitioner owner may develop a policy on how employees in the practice should implement the 8-processing condition of personal information. The Information Officer is also responsible for dealing with requests made to the practice. For example, an Information Officer will be expected to render such reasonable assistance, free of charge, as is necessary to enable the requester or data subject to comply with the prescribed process for submitting a request in terms of section 18 of PAIA and section 24 of POPIA If the requester or data subject’s request does not comply with the requirements of PAIA or POPIA, the Information Officer concerned may not refuse the request because of that non-compliance, unless the Information Officer has-
The Information Officer must also work with the working with the Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA in relation to the body. For example The practitioner as the responsible party must obtain prior authorization from the Regulator pertaining to the following a) processing of any unique identifiers of data subjects i for a purpose other than the one for which the identifier was specifically intended at the collection; and ii. with the aim of linking the information together with information processed by other responsible parties; b) processing of information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties; c) processing of information for the purposes of credit reporting; and d) transfer of special personal information or the personal information of children to the third party in a foreign country that does not provide an adequate level of protection for the processing of personal information. Until authorization by Regulator, the practitioner may not carry out information processing and will have to be suspended. Some additional duties and responsibilities of the Information Officers, to compile, implement and monitor compliance framework, impact assessment is done to ensure adequate measures and standards are in place, develop a manual as provided for in s 14 and 51 of the PAIAct, systems to process information or access, hold internal awareness sessions. The Regulator may, annually, request an Information Officer of a private body, in terms of section 83 (4) of PAIA, to furnish to the Regulator with information about requests for access to records of that body. In the case of health records, if the Information Officer is of the opinion that the disclosure of the record to the relevant person would be likely to cause serious harm to their physical or mental health, or well-being, the Information Officer may only give access to the record if the requester proves to the satisfaction of the information officer that adequate provision is made for such counseling or arrangements as are reasonably practicable before, during or after the disclosure of the record to limit, alleviate or avoid such harm to the relevant person. Registration of Information Officers with the Regulator is not only the prerequisite for an Information Officer to take up their duties in terms of POPIA, but is compulsory. Deputy Information OfficersThe Act also allows for the appointment of a Deputy Information Officer. Only employee(s) of a body can be designated as a Deputy Information Officer. The appointment of one or more Deputy Information Officer/s will depend on the structure and size of such bodies. REGISTRATION OF PRACTITIONERS AS INFORMATION OFFICERSThe Information Regulator website has opened the online registration of Information Regulator. As stated above in the case of dental practices, the information officer would be the practitioner owner. The website of the Information Regulator (South Africa) can be accessed at https://www.justice.gov.za/inforeg/portal.html. If necessary, click on the recent notice of 17 May 2021 appearing on the opening page as copied below and follow the link to open the Online Registration Form The Information Regulator’s contact details are Email: inforeg@justice.gov.za and attach the eForm for those members struggling with online registration.
Brought to you by Better Practice Management |