In order to process certain categories of data, South African organisations require ‘prior authorisation’ from the national Information Regulator (‘the Regulator’) in terms of the Protection of Personal Information Act, 2013 (Act 4 of 2013) (‘POPIA’). This requirement is established by Section 57(1) of POPIA and applies to the categories of data listed in that Section. While some organisations are exempted from applying for prior authorisation, many are not [1]. In this insight, the second on the topic of prior authorisations under POPIA [2], PR de Wet and Davin Olën, from VDT Attorneys Inc, provide an overview of the process which South African companies must follow to obtain prior authorisation from the Regulator.
A significant portion of this article draws on the Guidance Note on Applications for Prior Authorisation, published by the Information Regulator on 11 March 2021; readers are encouraged to consult that resource for further detail when preparing an application for prior authorisation.
When is prior authorisation necessary?
Prior authorisation is required only for specific categories of data. These categories are discussed in a separate article [3] but are briefly unpacked here for context. Section 57 of POPIA lists the categories of data for which prior authorisation is required, and the Guidance Note elaborates on each of them. According to the Guidance Note, the following categories of data require prior authorisation:
- Unique identifiers of data subjects, where they are processed for a purpose other than the one for which the identifier was specifically intended at collection and with the aim of linking the information with information processed by other responsible parties. Examples of unique identifiers include, amongst others:
- bank account numbers or any account number;
- policy number;
- identity number;
- employee number;
- student number;
- telephone or cell phone number; or
- reference number.
- Information on the criminal behaviour or on the unlawful or objectionable conduct of a data subject, processed on behalf of third parties. This category may apply to any person contracted to conduct a criminal record enquiry, a reference check pertaining to a data subject’s past conduct, or an enquiry into disciplinary action taken against a data subject.
- Credit reporting. Subject to Section 57(3) of POPIA, any credit bureau registered with the National Credit Regulator, or any other person processing personal information for credit reporting purposes, may apply for prior authorisation from the Regulator.
- Transfer of special personal information, or the personal information of children (in South Africa, a child is a person under the age of 18 years), to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in Section 72 of POPIA. Whether an ‘adequate level of protection’ exists is determined in the circumstances; it may take the form of Binding Corporate Rules, a law in the foreign country providing equivalent protection, or a binding agreement which provides a level of protection equivalent to that offered under POPIA, is substantially similar to the eight conditions for the lawful processing of personal information set out in POPIA, and upholds principles for reasonable processing.
- Any other type of information processing which the Regulator may, from time to time and by law or regulation, consider to carry a particular risk for the legitimate interests of the data subject. The Regulator will, if necessary, publish the categories or types of information processing that it considers to carry such a risk.
Should an organisation intend to process data which falls within the abovementioned categories, it is required to notify the Regulator of its intention to process that data in terms of Section 58(1) of POPIA and to apply for prior authorisation in terms of Section 57 of POPIA. Non-compliance carries a significant risk: it may amount to a criminal offence punishable by a fine of up to ZAR 10 million (approx. €594,320), imprisonment of up to 12 months, or both. Given this impact, the Regulator published an initial three-month deadline for prior authorisation applications on 31 March 2021. That deadline fell on 30 June 2021 but was later extended to 1 February 2022. As this deadline has now passed, companies that process data falling within the ambit of Section 57 and that missed the deadline must suspend such processing until the necessary feedback is received from the Regulator. Failure to do so could lead to a penalty or to imprisonment for a period of up to 12 months in terms of Sections 59 and 107 of POPIA.
The process to apply for prior authorisation
Should an organisation intend to process data as described above, it would need to complete the prior authorisation application process and receive approval from the Regulator before processing the applicable data. Organisations which intend to apply for prior authorisation can access the necessary form from the website of the Regulator [4]. The application also serves as the notice required in terms of Section 58(1) of POPIA and should be completed and sent, alongside the necessary supporting documentation, via email to POPIACompliance@inforegulator.org.za or via post to JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001.
The application form is divided into four segments, each of which must be completed for the application to be valid. The first segment requires the specific details of the organisation applying for prior authorisation; the second segment requires disclosure of the specific information for which the organisation is applying for prior authorisation. The third segment is a declaration to be signed by the information officer (‘IO’) of the organisation, and the final segment is a business sector identification table which is included for statistical purposes.
While completing the first segment of the application form for prior authorisation, the following organisational information will be required and should therefore be kept at hand by an organisation when completing the application:
- the type of organisation, as defined in POPIA;
- the full name and registration number of the organisation as registered with the Companies and Intellectual Property Commission (‘CIPC’), or the full trading name if not registered with the CIPC;
- the registered address of the organisation;
- the name of the organisation’s IO;
- the IO’s registration number in terms of Section 55(2) of POPIA;
- the organisation’s trading address(es); and
- the organisation’s contact details and the contact details of the deputy IO (if any).
The second segment of the application form deals with the information for which prior authorisation is required. The following information regarding the applicable data is required:
- the category of information for which authorisation is required (more than one field may be selected);
- the organisation’s reasons why the processing of the personal information is necessary;
- the categories of data subjects whose information will be processed;
- the estimated number of data subjects whose personal information is subject to prior authorisation;
- the security measures which the organisation will implement to ensure the confidentiality, integrity, and availability of the information to be processed;
- the number of employees of the responsible party; and
- the number of branches of the organisation, within and outside of South Africa.
The third segment of the application form requires the IO of the organisation to declare that the information provided in the form is true, correct, and accurate. The final segment of the application is completed for statistical purposes.
Once the form has been completed, the supporting documentation should be collected and submitted alongside the application. Supporting documentation includes policies and further proof that the organisation has implemented the relevant security measures to ensure that the data for which prior authorisation is requested is processed in terms of POPIA. Further supporting documents may include proof that the staff members who will process that data have undergone personal information protection training in the two years prior to the application.
The process following the submission of the application for prior authorisation
Following submission, the Regulator will acknowledge receipt of the organisation’s application and provide a reference number for the application. Please note that any correspondence which the Regulator may issue will be provided to the registered IO of the organisation. It is therefore crucial that the IO’s information be kept accurate.
Within four weeks of the application being submitted, the Regulator must inform the organisation whether it will conduct a more detailed investigation of the application, or whether the application is approved or rejected. Should the Regulator elect to undertake a detailed investigation, it must complete that investigation within 13 weeks. The decision of the Regulator is final, although aggrieved parties may have the matter reviewed by the South African High Court with the appropriate jurisdiction.
Organisations which process data within the scope of the categories detailed in Section 57 without obtaining the necessary feedback from the Regulator may be found to be in breach of POPIA and, accordingly, may be liable for a penalty or for up to 12 months’ imprisonment. Such entities process data at their own risk and should complete the application process for prior authorisation as soon as possible. At present, there is no indication of how the Regulator will address non-compliance, but the consequences detailed above suggest that non-compliance may have a severe business impact.
PR de Wet, Director
prdw@vdt.co.za
Davin Olën, Candidate Attorney
davin@vdt.co.za
VDT Attorneys Inc., Pretoria
1. See: https://www.dataguidance.com/opinion/south-africa-development-codes-conduct-under-popia
2. For an introduction to prior authorisations please see: https://www.dataguidance.com/opinion/south-africa-popia-and-prior-authorisation-process
4. See: https://www.justice.gov.za/inforeg/docs/forms/InfoRegSA-eForm-PriorAuthorisation-20210311.pdf