South Africa POPIA: Various deadline extensions and Guidance Note published by Information Regulator
23 June 2021
South Africa POPIA: Information Regulator issues two new Guidance Notes on Authorisations for Special Personal Information and Children’s Personal Information
-
Legal Development 29 June 2021 29 June 2021
-
Africa
-
Data Protection & Privacy
With only two days to go until the year-long grace period lapses on 1 July 2021 and most of the provisions of the Protection of Personal Information Act, 4 of 2013 ("POPIA") come into force, on 28 June 2021 the Information Regulator has released two new guidance notes aimed at providing direction on how responsible parties can apply to the Information Regulator for authorisation to process (i) Special Personal Information (“SPI”); and (ii) Personal Information of Children, being specific categories of personal information POPIA.
Guidance Note on Processing of Special Personal Information
The purpose of the SPI Guidance Note is to provide guidance to responsible parties who must apply for authorisation in terms of section 27(2) of POPIA to process SPI (e.g. information regarding data subjects’ religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health information or criminal behaviour).
In terms of section 27(2) of POPIA, the Information Regulator is empowered to grant authorisation to a responsible party to process SPI, if that processing is (i) in the public interest; and (ii) appropriate safeguards have been implemented by the applicant to protect the SPI being processed, notwithstanding the general prohibition on processing SPI in terms of section 26 of POPIA.
Of import, the SPI Guidance Note provides that:
- The concept of “public interest” as used in section 27(2) is wide and will be dealt with on a case-by-case basis;
- In respect of “appropriate safeguards”:
- the responsible party must appropriately secure the integrity and confidentiality of SPI in its possession or under its control by taking appropriate, reasonable technical and organisational measures as contemplated in section 19(1) of POPIA. The SPI Guidance Note states that these measures should be based on generally accepted standards of information security; and
- In developing the appropriate safeguards for SPI, the Information Regulator requires responsible parties to comply with section 19(2) of POPIA and inter alia, take steps to identify foreseeable risks to the SPI and establish (and regulatory monitor and update) appropriate safeguards put in place in response to any risks;
- The Information Regulator may impose reasonable conditions in respect of any authorisation granted in terms of section 27(2) of POPIA.
The requisite application form for authorisation in terms of section 27(2) of POPIA is annexed to the SPI Guidance Note.
Guidance Note on Processing of Children’s Information
The Information Regulator also published the Guidance Note on Processing of Children’s Information (“Children’s Guidance Note”).
The purpose of the Children’s Guidance Note is to provide guidance to responsible parties who are required to obtain authorisation from the Information Regulator to process personal information of children, as contemplated in section 35(2) of POPIA.
Section 35(2) of POPIA empowers the Information Regulator to authorise a responsible party upon application to process the personal information of children if the processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the child, notwithstanding the general prohibition regarding the processing of personal information as it relates to children in terms of section 34(1) of POPIA.
Key aspects to be aware of:
- The Children’s Guidance Note, in relation to appropriate safeguards, provides that (amongst other things), the responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations; and
- The Information Regulator may impose reasonable conditions in respect of any authorisation granted in terms of section 35(2) of POPIA, including, inter alia, the manner in which the responsible party (i) must provide notice regarding the nature of the personal information of children that is processed; and/or (ii) must refrain from any action that is intended to encourage or persuade a child to disclose more personal information about himself or herself than is reasonably necessary given the purpose for which it is intended.
If you require any further assistance in understanding the implications of these Guidance Notes and the rest of the provisions of POPIA, please reach out to Ernie van der Vyver, Nicole Britton and Kate Swart.
End