South Africa POPIA: Information Regulator publishes guidance on the application for Prior Authorisation

  • Legal Development 16 March 2021
  • Africa

  • Data Protection & Privacy

The Information Regulator has continued its efforts to provide necessary guidance relating to key aspects of the Protection of Personal Information Act 4 of 2013 ("POPIA") ahead of the 1 July 2021 deadline. On 11 March 2021, the Information Regulator published a Guidance Note on Applications for Prior Authorisation ("Prior Authorisation Guidance Note").

The Prior Authorisation Guidance Note provides clarification regarding the types of processing activities that require prior authorisation from the Information Regulator in terms of section 57 of POPIA, sets out the notification process in terms of section 58 of POPIA and prescribes an application form for the notification required in terms of section 58 of POPIA.

Activities that require prior authorisation of the Information Regulator

According to the Prior Authorisation Guidance Note, read together with sections 57(1) and 58(1) of POPIA, a responsible party will be required to notify the Information Regulator when he/she/it is conducting or intends to conduct any of the following types of processing activities in respect of the following types of personal information:

  • processing of the unique identifiers of data subjects (i) for a purpose other than the one for which the identifier was specifically intended at collection; and (ii) with the aim of linking information together with information processed by other responsible parties.
    • In terms of POPIA, "a unique identifier is any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party."
    • Importantly, the Information Regulator identifies the following examples of unique identifiers: bank account numbers; policy numbers; identity numbers; employee or student numbers; telephone or cellphone numbers; or reference numbers.
  • processing of information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties.
    • The Information Regulator has clarified that unlawful or objectionable conduct may include reference checks pertaining to past conduct or disciplinary action taken against a data subject and that criminal behaviour could also include a criminal record enquiry.
    • This means that all persons contracted to conduct criminal record verification and background checks for third parties, for example service providers conducting background checks for employers relating to any potential employees, will require prior authorisation.
  • processing of information for purposes of credit reporting
    • The activity of credit reporting has been clarified to mean the processing of the personal payment history, lending, and creditworthiness of a data subject by creating a credit report based on that information; lenders or credit providers use credit reports along with other personal information to determine a data subject’s creditworthiness.
    • Additionally, the Information Regulator has indicated that any credit bureaus registered as such in terms of the National Credit Act, 34 of 2005 or any person processing personal information for credit reporting purposes may apply for prior authorisation from the Information Regulator.
  • the transfer of the special personal information or personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
    • Special personal information includes personal information relating to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, the criminal behaviour of a data subject in respect of the alleged commission of any offence, processing in respect of any offence allegedly committed by a data subject, or disposal of such proceedings.
    • Notably, the Information Regulator has further clarified the position relating to transborder flows of personal information, which are regulated in terms of section 72 of POPIA. If there is a transborder flow of special personal information or personal information of children to a third party who is subject to:
      • adequate laws in the foreign jurisdiction (adequate jurisdiction, akin to the concept under the EU's GDPR);
      • binding corporate rules; or
      • a binding agreement (data transfer agreement),
      which provide an adequate level of protection that effectively upholds principles for processing of the information that are substantially similar to the conditions for the lawful processing in terms of POPIA, then prior authorisation would not be required.
    • In all other circumstances, prior authorisation will be required for transfers of special personal information or personal information of children to a third party in a foreign country that does not provide an adequate level of protection, being the level of protection provided for under POPIA.
  • other types of information if such processing carries a particular risk to the legitimate interests of the data subject.
    • The Information Regulator has indicated that where necessary, it will publish additional categories or types of processing activities that it considers carry a particular risk for the legitimate interests of data subjects.

The Prior Authorisation Guidance Note states that, unless a Code of Conduct has been issued by the Information Regulator and has come into force in a specific sector or industry in which the responsible party operates, any responsible parties who are currently conducting or intend to conduct any processing activity which is subject to prior authorisation must submit a notification in terms of section 58 of POPIA prior to processing such information, or carrying out any further processing if they have already been doing so.

It is important to note that the requirements of prior authorisation are not applicable to the processing of personal information which took place prior to 1 July 2021. However, any further or continued processing of such personal information (which was initially processed before 1 July 2021) will be subject to prior authorisation requirements in terms of sections 57 and 58 of POPIA.

It is important to note that a responsible party who processes personal information for which prior authorisation is required before authorisation is granted by the Information Regulator in terms of sections 57 and 58 of POPIA will be guilty of an offence and liable for a fine of up to R10 million and/or imprisonment for a period not exceeding 12 months. In addition, a responsible party is also guilty of an offence for any failure to comply with a statement issued in terms of section 58(5) of POPIA pertaining to an investigation in respect of the lawfulness of processing which is subject to prior authorisation.

Application form for prior authorisation

The Information Regulator has provided a prescribed application form, which is to be completed and submitted by responsible parties prior to the responsible party conducting any activity which is subject to prior authorisation in terms of section 57 of POPIA ("Application Form"). The Application Form provides for the disclosure of information such as: the relevant details of the responsible party and the registered information officer of the responsible party; the relevant category of personal information processed; a description of the processing activity; the reasons why the processing of information is necessary; the number of data subjects the information relates to; and the security measures and other operational measures to be implemented. The Application Form must be signed by the registered information officer of the organisation.

Notification and application process

Prior to conducting any processing activity which is subject to prior authorisation of the Information Regulator, responsible parties should submit the completed Application Forms to the Information Regulator. 

Any activity that has been notified to the Information Regulator in terms of section 58 of POPIA, must not be carried out, pending the outcome of the initial investigation by the Information Regulator or on notification of a more detailed investigation being conducted. The Information Regulator will inform the responsible party within 4 weeks from receipt of an application, whether the application is approved, rejected or is subject to a more detailed investigation (which period of detailed investigation cannot exceed 13 weeks). 

If any processing is determined to be unlawful upon the conclusion of a detailed investigation or the initial application is rejected, then the statement issued thereafter will be deemed to be an enforcement notice that is to be complied with by the responsible party.

Any approval or rejection of any application by the Information Regulator is final. However, the decision can be taken on review in the High Court having jurisdiction.

The Information Regulator encourages responsible parties who are currently processing personal information or plan to process personal information which is subject to prior authorisation, to submit their applications for prior authorisation as soon as possible, to enable the Information Regulator to have sufficient time to process the requested applications on or before 30 June 2021.

If you require any further guidance in relation to how to identify processing activities that require prior authorisation or the impact of POPIA on business in general, please reach out to Ernie van der Vyver and Savanna Stephens.
