South Africa POPIA: Various deadline extensions and Guidance Note published by Information Regulator
Data Protection & Privacy
With only two days to go until the year-long grace period lapses on 1 July 2021 and most of the provisions of the Protection of Personal Information Act, 4 of 2013 ("POPIA") come into force, on 28 June 2021 the Information Regulator has released two new guidance notes aimed at providing direction on how responsible parties can apply to the Information Regulator for authorisation to process (i) Special Personal Information (“SPI”); and (ii) Personal Information of Children, being specific categories of personal information POPIA.
The purpose of the SPI Guidance Note is to provide guidance to responsible parties who must apply for authorisation in terms of section 27(2) of POPIA to process SPI (e.g. information regarding data subjects’ religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health information or criminal behaviour).
In terms of section 27(2) of POPIA, the Information Regulator is empowered to grant authorisation to a responsible party to process SPI, if that processing is (i) in the public interest; and (ii) appropriate safeguards have been implemented by the applicant to protect the SPI being processed, notwithstanding the general prohibition on processing SPI in terms of section 26 of POPIA.
Of import, the SPI Guidance Note provides that:
The requisite application form for authorisation in terms of section 27(2) of POPIA is annexed to the SPI Guidance Note.
The Information Regulator also published the Guidance Note on Processing of Children’s Information (“Children’s Guidance Note”), a copy of which can be accessed here.
The purpose of the Children’s Guidance Note is to provide guidance to responsible parties who are required to obtain authorisation from the Information Regulator to process personal information of children, as contemplated in section 35(2) of POPIA.
Section 35(2) of POPIA empowers the Information Regulator to authorise a responsible party upon application to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child, notwithstanding the general prohibition regarding the processing of personal information as it relates to children in terms of section 34(1) of POPIA.
Key aspects to be aware of:
If you require any further assistance in understanding the implications of these Guidance Notes and the rest of the provisions of POPIA, please reach out to Ernie van der Vyver, Nicole Britton and Kate Swart.