South Africa POPIA: Latest developments with regards to the Codes of Conduct and the POPIA Regulations
Data Protection & Privacy
The Information Regulator has continued its efforts to provide necessary guidance relating to key aspects of the Protection of Personal Information Act 4 of 2013 ("POPIA") ahead of the 1 July 2021 deadline. On 11 March 2021, the Information Regulator published a Guidance Note on Applications for Prior Authorisation ("Prior Authorisation Guidance Note").
The Prior Authorisation Guidance Note provides clarification regarding the types of processing activities that require prior authorisation from the Information Regulator in terms of section 57 of POPIA, sets out the notification process in terms of section 58 of POPIA and prescribes an application form for the notification required in terms of section 58 of POPIA.
According to the Prior Authorisation Guidance Note, read together with sections 57(1) and 58(1) of POPIA, a responsible party will be required to notify the Information Regulator when he/she/it is conducting or intends to conduct any of the following types of processing activities in respect of the following types of personal information:
The Prior Authorisation Guidance Note states that, unless a Code of Conduct has been issued by the Information Regulator and has come into force in a specific sector or industry in which the responsible party operates, any responsible parties who are currently conducting or intend to conduct any processing activity which is subject to prior authorisation must submit a notification in terms of section 58 of POPIA prior to processing such information, or carrying out any further processing if they have already been doing so.
It is important to note that the requirements of prior authorisation are not applicable to the processing of personal information which took place prior to 1 July 2021; however, any further or continued processing of such personal information (which was initially processed before 1 July 2021) will be subject to the prior authorisation requirements in terms of sections 57 and 58 of POPIA.
It is important to note that a responsible party who processes personal information for which prior authorisation is required, before authorisation has been granted by the Information Regulator in terms of sections 57 and 58 of POPIA, will be guilty of an offence and liable for a fine of up to R10 million and/or imprisonment for a period not exceeding 12 months. In addition, a responsible party is also guilty of an offence for any failure to comply with a statement issued in terms of section 58(5) of POPIA pertaining to an investigation in respect of the lawfulness of processing which is subject to prior authorisation.
The Information Regulator has provided a prescribed application form, which is to be completed and submitted by responsible parties prior to the responsible party conducting any activity which is subject to prior authorisation in terms of section 57 of POPIA ("Application Form"). The Application Form provides for the disclosure of information such as: the relevant details of the responsible party and the registered information officer of the responsible party; the relevant category of personal information processed; a description of the processing activity; the reasons why the processing of information is necessary; the number of data subjects the information relates to; and the security measures and other operational measures to be implemented. The Application Form must be signed by the registered information officer of the organisation.
Prior to conducting any processing activity which is subject to prior authorisation of the Information Regulator, responsible parties should submit the completed Application Forms to the Information Regulator.
Any activity that has been notified to the Information Regulator in terms of section 58 of POPIA must not be carried out pending the outcome of the initial investigation by the Information Regulator or on notification of a more detailed investigation being conducted. The Information Regulator will inform the responsible party, within 4 weeks from receipt of an application, whether the application is approved, rejected or is subject to a more detailed investigation (which period of detailed investigation cannot exceed 13 weeks).
If any processing is determined to be unlawful upon the conclusion of a detailed investigation or the initial application is rejected, then the statement issued thereafter will be deemed to be an enforcement notice that is to be complied with by the responsible party.
Any approval or rejection of any application by the Information Regulator is final. However, the decision can be taken on review in the High Court having jurisdiction.
The Information Regulator encourages responsible parties who are currently processing personal information or plan to process personal information which is subject to prior authorisation, to submit their applications for prior authorisation as soon as possible, to enable the Information Regulator to have sufficient time to process the requested applications on or before 30 June 2021.
If you require any further guidance on how to identify processing activities that require prior authorisation, or on the impact of POPIA on business in general, please reach out to Ernie van der Vyver and Savanna Stephens.