POPIA: Information Regulator publishes Guidance Note on applications for prior authorisation
Authors: Zaakira Haffejee – Associate & Natasha Jansen – Consultant
As the 1 July 2021 deadline for compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) approaches, the Information Regulator has ramped up its efforts to provide organisations with guidance in interpreting and applying certain provisions of the Act. As part of this programme, a Guidance Note on Applications for Prior Authorisation was published on 11 March 2021.
The Guidance Note seeks to guide responsible parties on the notification process to be followed if they are currently processing or intend to process personal information which requires prior authorisation in terms of sections 57 and 58 of POPIA. (A “responsible party” in terms of section 1 of POPIA is a public or private body or any person that determines the purpose and means of processing of personal information.)
In accordance with section 58(1) of POPIA, and subject to section 57(3), a responsible party must obtain prior authorisation and is obliged to notify the Information Regulator that it is processing or intends to:
process any unique identifiers (for example, account or policy numbers; identity numbers; employee numbers; student numbers; telephone or cell phone numbers; or reference numbers) of data subjects for a purpose other than what was specifically intended at the time of collection and with the aim of linking the information together with information processed by other responsible parties;
process information on criminal behaviour or on unlawful or objectionable conduct of data subjects on behalf of third parties;
process information for the purpose of credit reporting;
transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of such personal information (this does not apply to such information transferred outside South Africa before 1 July 2021); and
conduct other types of information processing that the Information Regulator may, from time to time, by law or regulation, regard as carrying a particular risk to the legitimate interests of the data subject.
Responsible parties who are currently conducting or intend to conduct any processing activity which is subject to prior authorisation must notify the Information Regulator in terms of section 58 of POPIA prior to processing (or continuing to process) such information, unless a Code of Conduct has been issued and has come into force in the responsible party’s specific sector or industry.
The Guidance Note provides a step-by-step breakdown of the information that must be provided in the prescribed application form for prior authorisation, which serves as the notification referred to in section 58(1) of POPIA, the manner of submission and the applicable penalties for failure to comply with the requirements for prior authorisation.
It is important to note that where an organisation has, prior to 1 July 2021, processed personal information that is subject to prior authorisation, an application for prior authorisation need not be submitted for the pre-1 July 2021 processing activities. However, any further or continued processing of such personal information will be subject to the prior authorisation requirements set out in sections 57 and 58 of POPIA. The result of this provision is that all processing activities in relation to personal information that require prior authorisation must be suspended as from 1 July 2021, until such time as prior authorisation has been obtained from the Information Regulator.
In terms of the Guidance Note, once the prior authorisation notification has been submitted to the Information Regulator, processing of the application can take between 4 and 13 weeks depending on whether or not the Information Regulator elects to conduct a more detailed investigation. Responsible parties are prohibited from carrying out information processing that has been notified to the Information Regulator until the Regulator has completed its investigation and approved or rejected the application, or issued a notice to the responsible party that a more detailed investigation will not be conducted.
The Guidance Note further highlights the penalties for failing to notify the Information Regulator of processing activities that require prior authorisation, or for carrying out processing activities after notification but before the investigation is completed. These may include an administrative fine of up to R10 million, or where formally charged with and convicted of committing an offence in terms of the Act, a fine or imprisonment for a period not exceeding 12 months, or both a fine and imprisonment. A fine, or imprisonment not exceeding 10 years, or both, may also be handed down on conviction for failure to comply with the Information Regulator’s statement that the information processing is not lawful. Such a statement, issued after a detailed investigation, constitutes an enforcement notice in terms of section 95 of the Act.
It is important to note that in instances where a responsible party has been charged with an offence in terms of the Act, the Information Regulator may not impose an administrative fine in respect of the same set of facts. In turn, no criminal proceedings may be instituted against a responsible party if the responsible party concerned has already paid an administrative fine in respect of the same set of facts.
All organisations are encouraged to check what personal information they process and whether any of this processing activity requires prior authorisation. Organisations that have identified that they engage in processing activities that require prior authorisation are advised and encouraged to act swiftly in submitting an application to the Information Regulator as these businesses will not be allowed to carry out such processing activities without prior authorisation after 1 July 2021.
Contact the Lawtons Africa Data Privacy and POPIA team to assist you in navigating the complexities around identifying whether your organisation processes any personal information requiring prior authorisation, or should you require assistance with preparing and submitting your notification for prior authorisation to the Information Regulator.
The Lawtons Africa Data Privacy and POPIA team is well placed to take clients through their entire data privacy compliance journey, providing training and awareness, data privacy gap assessments, legal advice around POPIA compliance measures, and drafting privacy-related documents, policies and agreements. Contact us for more information on how we can guide and assist you with effectively incorporating and implementing POPIA into your business.
Lawtons Africa is a South African law firm. With roots that grew out of seeds sown in down-town Johannesburg in 1892, our history features various changes and different names. Our team of lawyers, including directors, consultants, associates and candidate attorneys is highly qualified, market-recognised and skilled. For further information, visit www.lawtonsafrica.com