South Africa: POPIA and prior authorisation to process personal information

The Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') requires a responsible party to apply for and obtain authorisation before processing certain identified categories of personal information. With POPIA compliance deadlines fast approaching, PR de Wet and Hayley Levey, from VDT Attorneys Inc, analyse the POPIA prior authorisation regime.

When is prior authorisation to process personal information applicable?

POPIA requires a responsible party to obtain authorisation from the Information Regulator before it processes the following categories of personal information (Section 57, read with Section 58):

  • unique identifiers of data subjects for a purpose other than the one for which the identifier was specifically intended at collection, and with the aim of linking the information together with information processed by other responsible parties (e.g. bank account numbers, policy numbers, identity numbers, employee numbers, student numbers, telephone or cell phone numbers, or reference numbers such as tax or VAT numbers);
  • information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties (this may apply to any person contracted to conduct a criminal record enquiry or reference check into the past conduct of, or disciplinary action taken against, a particular data subject);
  • information for the purposes of credit reporting (e.g. credit bureaus registered with the National Credit Regulator (‘NCR’) or any person processing personal information for credit reporting purposes); or
  • the transfer of special personal information or the personal information of children (in South Africa a child is a person under the age of 18 years) to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in Section 72 of POPIA (an ‘adequate level of protection’ is determined in the circumstances and may take the form of binding corporate rules, a law providing equivalent protection in that foreign country, or a binding agreement that provides a level of protection equivalent to that offered under POPIA, substantially similar to the eight conditions for the lawful processing of personal information set out in POPIA, and upholding the principles for reasonable processing).

Guidance Note on Prior Authorisation

The Information Regulator published a Guidance Note on Application for Prior Authorisation [1] which seeks to clarify when prior authorisation is triggered.

The Guidance Note also sets out the application procedure for obtaining authorisation to process the above-mentioned categories of personal information. The application form requires the responsible party to, amongst other things, answer a series of questions; the responses are then considered by the Information Regulator in deciding whether authorisation to process should be granted. The questions posed in the application form include:

  • which of the responsible party’s processing activities are subject to a prior authorisation requirement;
  • why such information needs to be processed;
  • whether the processing is for a specific, explicitly defined and lawful purpose related to the functions or activities of the responsible party;
  • whether the function or activity of the responsible party is regulated by another regulatory body and, if so, which body;
  • which categories of data subjects’ information will be, or are being, processed;
  • an estimate of the number of data subjects whose personal information is subject to prior authorisation;
  • what security measures the responsible party will implement to ensure the confidentiality, integrity and availability of the information to be processed;
  • whether staff have received personal information protection training in the last two years;
  • whether the responsible party has suffered any security breaches in the past three months;
  • the date on which the business activities of the responsible party commenced;
  • the number of employees employed by the responsible party;
  • the number of branches in South Africa and outside South Africa; and
  • the number of deputy information officers designated or delegated.

A completed application form is required to be signed by the Information Officer of the responsible party and submitted by post or email as prescribed in the Guidance Note.

Prior authorisation prior to the effective date of POPIA

The processing of personal information which falls within the prior authorisation requirements and which takes place before the effective date of POPIA (1 July 2021) does not need approval (subject to any Information Regulator Notice advising otherwise). However, from 1 July 2021, the processing of personal information which is subject to prior authorisation will require that authorisation first be obtained from the Information Regulator before processing may continue or commence.

It follows that if a responsible party currently processes, or intends to process, categories of personal information that fall within Sections 57 and 58 of POPIA, where prior authorisation to process such personal information is required, it is recommended that an application be prepared and submitted as soon as possible to ensure that processing may lawfully take place at the end of POPIA’s grace period.

Timelines for consideration of application

Upon an application being received by the Information Regulator the Guidance Note provides that:

  • the Information Regulator will inform the responsible party that applied for prior authorisation, in writing, within 4 weeks, whether it intends to conduct a more detailed investigation. In other words, within 4 weeks of receiving a prior authorisation application, the Information Regulator can either approve or reject the application or notify the responsible party that a more detailed investigation will follow (Section 58(3) of POPIA); and
  • if the Information Regulator intends to conduct a detailed investigation, it will notify the responsible party in writing of this and of the reasonable period within which it intends to complete the investigation, which must not exceed 13 weeks (Section 58(4) of POPIA).

Prior authorisation application subject to a detailed investigation

Where the Information Regulator undertakes a detailed investigation, the result is issued as a statement concerning the lawfulness of the information processing. If the Information Regulator concludes that the processing is unlawful, the statement takes the form of an enforcement notice, which means that the responsible party will, subject to a right of appeal and other possible options, need to cease the processing entirely or bring it in line with POPIA’s requirements.

Processing on hold until the application outcome is issued

Once an application has been submitted to the Information Regulator, the responsible party may not process the personal information notified for prior authorisation until the Information Regulator has completed its investigation or the responsible party has received a notice from the Regulator that a more detailed investigation will not be conducted.

Prior authorisation not applicable if code of conduct issued under Chapter 7 of POPIA

A responsible party will not need to apply for prior authorisation if the processing is covered by an issued and enforceable Code of Conduct (Section 57(3) of POPIA) [2].

Possible penalties and offences for failing to obtain prior authorisation

A failure by a responsible party to obtain the necessary prior authorisation to process certain categories of personal information constitutes an offence punishable by way of a fine (up to ZAR 10 million) or imprisonment for a period not exceeding 12 months, or both.

Conclusion

If you are a responsible party processing personal information which falls within the identified prior authorisation categories, it is recommended that an application be submitted to the Information Regulator as soon as possible to ensure that your processing activities are lawful by the effective date.

PR de Wet Director
prdw@vdt.co.za
Hayley Levey Associate
hayleyl@vdt.co.za
VDT Attorneys Inc., Pretoria


1. https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-PriorAuthorisation-20210311.pdf
2. See South Africa: The development of codes of conduct under POPIA
