Protection of Personal Information Act - Section 15
"The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of determination of the purpose and means of the processing and during the processing itself".
"‘Responsible party’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information."
In law, this is the CEO or the person to whom the CEO has delegated this responsibility in writing.
In reality, accountability for something as important as the protection of personal information and the protection of the organisation’s reputation rightly belongs with the Board. Cultural leadership for a change in attitudes regarding privacy cannot be driven from anywhere other than the Board.