Expertise required by Information Officers
The ability of information officers to be effective is conditional upon having appropriate training in at least:
- business administration and organisational knowledge
- business processes and practices
- information management and processing technologies
- data protection law.
Irrespective of the industry and size of the company or public body, information officers will require a minimum of expert knowledge and its practical application (competence). In addition, depending on the specific tasks in the company or public body, further individual expert knowledge may become necessary.
Basic data protection law competence
Information officers require a basic competence in data protection law. They should be familiar with the provisions of their professional field or industry pertaining to data protection. Data protection officers should be able to bring applicable legal provisions to bear on the task area or to acquire these. Basic competence includes the following fields:
- Constitutional rights and Bill of Rights with reference to privacy
- Basic provisions of South African law applicable to the processing of personal information
- Requirements to lawfulness of processing personal information
- Data protection-related requirements when using information and technology.
Basic information and technology competence
Information officers require a technical understanding and comprehension of issues concerning information technologies:
- Organisation of information and technology
- Structures of IT systems, IT applications and IT processes
- Information security management, based on the protection objectives of confidentiality, integrity, availability and resilience
- Identifying risks for data subjects which result from IT systems, IT applications and IT processes.
Furthermore, information officers should be able to recognise and evaluate basic risks to the rights of data subjects through the processing of personal information. Information officers are in a position to propose basic improvements using privacy enhancing technologies and take information security standards into account.
Basic business administration and organisational competence
Information officers must have the following basic business administration and organisational knowledge to enable them to evaluate issues in a company and/or public administration context:
- Business processes and/or public administration processes
- Management systems
- Methods of risk assessment
- Audit and monitoring procedures
Information officers must be able to integrate data protection requirements into business and IT processes in order to counter the identified risks.
Extended expert knowledge
In addition to the basic competence, special business areas or fields of use may require further specialisation of the information officer in the areas of law, technology and organisation, depending on the branch or industry concerned. This may also include codes of conduct for the respective sector.