Most dental practices know POPIA exists. Fewer know that it requires them to register a specific person, by name, with a government body called the Information Regulator. And most have not done it.
Registration of an Information Officer is not optional, and it is not something you can catch up on after an inspection. It is a standing legal obligation that applied from 1 July 2021, when POPIA's processing conditions came into full effect.
What is an Information Officer?
Section 55 of the Protection of Personal Information Act 4 of 2013 requires every "responsible party" to designate an Information Officer. In plain terms, any private body that processes personal information, which includes every dental practice in South Africa, must have an IO on record with the Information Regulator.
The IO is the person who is accountable for your practice's POPIA compliance. In a sole practice, that is almost always the principal dentist. In a practice with multiple dentists or a senior practice manager, the role can be delegated, but the delegation must be formal and recorded. The principal cannot simply say a staff member "handles privacy" and consider the obligation met.
Is registration actually mandatory?
Yes, with no grey area. Section 55(1) of POPIA states that the head of a private body must register as an Information Officer or designate a deputy. There is no exemption for small practices, sole proprietors, or practices that handle "only a little" patient data. If your practice processes any personal information, the requirement applies.
The Information Regulator can issue an enforcement notice to a practice that has not registered. It can also refer a matter for criminal prosecution under Section 107 of the Act, which carries a fine of up to R10 million or imprisonment of up to 10 years for non-compliance with an enforcement notice.
What does the role actually involve?
Registration is not a once-off tick. Once your Information Officer is registered, they take on ongoing duties under the Act. Those duties include developing and maintaining the practice's data processing policies, ensuring staff understand what they may and may not do with patient information, handling requests from patients who want to access or correct their records, and acting as the primary contact for the Information Regulator in the event of a complaint or investigation.
That last point is worth sitting with. If a patient complains to the Information Regulator that your practice shared their information without consent, accessed their records improperly, or failed to secure their data, the Regulator contacts your Information Officer. The IO is the person who has to respond, explain, and where necessary, demonstrate that your practice has functioning compliance processes.
A practice that has no registered IO is in breach of POPIA before any complaint is even filed. The Regulator can cite the absence of registration as a standalone violation, separate from whatever triggered the investigation.
What happens when a patient complains?
Patients have the right under POPIA to submit complaints to the Information Regulator at no cost. The Regulator can investigate, request documentation, and compel your practice to take corrective steps. If your practice cannot demonstrate that it has a functioning compliance structure, the Regulator's options include issuing an enforcement notice, recommending prosecution, or both.
The enforcement notice process is not a warning shot. Failure to comply with an enforcement notice issued by the Regulator is itself a criminal offence under Section 107. This is the mechanism through which the R10 million fine and imprisonment provisions become relevant.
Most dental practices are not facing imminent POPIA prosecution. But the risk is not hypothetical. Patient data breaches, disgruntled former employees, and complaints about marketing messages are the most common triggers, and all of them trace back to whether your practice can produce evidence that it operates with proper data governance.
Has your dental practice registered an Information Officer with the Information Regulator?
This is a compliance gap that needs to be addressed.
Operating without a registered Information Officer is a breach of Section 55 of POPIA. Registration alone, though, is not sufficient. You also need functioning policies and procedures that your IO can actually produce if asked. A free compliance evaluation will show you where your POPIA obligations currently stand.
Not knowing is itself the problem.
If you are uncertain whether your practice has registered, you almost certainly do not have the broader compliance structure that registration is supposed to anchor. The Information Regulator keeps a register of IOs. If your practice's name is not on it, you are not registered. This needs to be confirmed and, if necessary, corrected.
Good start. Registration is the foundation.
Registration puts a name to the accountability. But your IO's legal duties don't stop there. Make sure your practice has documented data processing policies, staff training records, and a clear process for handling patient access requests. Those are the things the Regulator will ask for if a complaint is ever filed.
So registering is just the beginning?
Registration establishes who is accountable. It does not make your practice compliant. A registered IO sitting in a practice with no privacy policy, no staff training records, and no process for handling patient data requests has the title without the substance. And if the Regulator ever investigates, the substance is what they are looking for.
The full scope of POPIA compliance for a dental practice goes beyond the IO registration. It includes how you collect patient consent, what you do with data after the patient relationship ends, how you handle data access from third parties, and whether you have documented the legal basis for every type of processing your practice does. Registration is the start of that process, not the end of it.
How does your POPIA compliance hold up?
A free compliance evaluation covers your data protection obligations, including IO registration, consent processes, and staff awareness, alongside every other compliance area that matters for your practice.
Get Free Evaluation →