POPIA Update: Prior Authorisation applications

What is Prior Authorisation?

The Protection of Personal Information Act 4 of 2013 (“POPIA”) establishes the requirement of Prior Authorisation in terms of section 57 of POPIA.

Section 57 identifies certain types of personal information and processing activities that require Prior Authorisation from the Information Regulator (“Regulator”). If your company processes one of the 4 (Four) types of personal information in the manner described below, your company must apply to the Regulator for permission to continue processing that information in that manner. The deadline to obtain Prior Authorisation is 1 February 2022.

Do I need to apply for Prior Authorisation?

If your company performs any one of the following activities, you likely need to apply for Prior Authorisation:

Category 1

Type: Processing of unique identifiers (such as ID numbers, account or policy numbers, or reference numbers):

Manner:

  • for a purpose other than that initially intended at collection; AND
  • with the aim of linking the information together with other information processed by other responsible parties.


Example: you collect your employees’ ID numbers when hiring them for purposes of registering UIF and PAYE. At this stage, your company’s privacy notice does not refer to the conducting of background checks. Six months after hiring your employees you decide you want to run background checks on them using the ID numbers already in your possession. In doing so, you are using their ID numbers for a purpose other than that intended at collection (i.e., a new purpose). This is because your privacy notice did not disclose background checks and (for purposes of this example) the new purpose is not compatible with any other purpose disclosed in your privacy notice. You would also be linking their ID numbers with criminal or other background information processed by other responsible parties, such as the South African Police Service. As a result, you may need to apply for Prior Authorisation before performing the background checks.

Category 2

Type: processing of information on criminal behaviour or on unlawful/objectionable conduct:

Manner: on behalf of a 3rd party.

Example: You appoint Company ABC to conduct criminal background checks on all shortlisted candidates for an advertised job position. Company ABC is a 3rd party that carries out background checks on your behalf as well as on behalf of ABC’s other clients. Company ABC must therefore apply for Prior Authorisation. However, because you have collected the applicants’ personal information and supplied it to Company ABC to run the checks, you must verify that Company ABC has in fact obtained Prior Authorisation from the Regulator before instructing them to perform the background checks.

Category 3

Type: processing any personal information

Manner: for the purpose of credit reporting.

Example: The Regulator has since clarified that this refers to the act of creating a credit report and not merely consuming a credit report. Entities such as TransUnion have been identified as needing to apply for Prior Authorisation.

Category 4

Type: any person’s Special Personal Information (defined in section 26) OR any child’s personal information (under 18).

Manner: transferring such information to a foreign country with inadequate data protection laws.

Example 1: You store all your employees’ next-of-kin information, which includes their children’s names and addresses, in an Excel sheet. This sheet is stored in your Dropbox cloud storage account. Dropbox’s servers are in the USA, which has been treated as having inadequate data protection laws by a number of leading jurisdictions. You may therefore be transferring children’s personal information to a foreign country with inadequate laws and would require Prior Authorisation. The Regulator has not yet made any adequacy decisions and has indicated that you are expected to perform your own assessment as to whether the particular foreign country is inadequate. We strongly advise that you seek professional legal advice in doing so.

Example 2: you are a travel agent and need to email details concerning a passenger’s health condition (Special Personal Information) to a hotel in Egypt. Egypt has no data protection laws. You may then need to obtain Prior Authorisation. Please also note the requirements in section 72 of POPIA for international transfers.

What happens until you successfully obtain Prior Authorisation?
  • The Regulator extended the effective date of section 58(2) of POPIA to 1 February 2022.
  • Section 58(2) states that you may not carry out any processing activity listed in (1) to (4) above until the Regulator has completed its investigation and granted its approval for Prior Authorisation.
  • At this stage, you may continue with a processing activity in (1) to (4) above pending the Regulator’s approval. BUT, from 1 February 2022 you will need to suspend the processing activity until a decision is received from the Regulator in response to your application for Prior Authorisation. This will severely disrupt some businesses if not properly planned for and acted upon.

How long will it take to receive a decision on my application for Prior Authorisation?

According to the Regulator and the recently issued draft guidelines, the Regulator will approve or reject your application within 4 (Four) weeks of receipt, unless the Regulator chooses to investigate your operations further.

If a further investigation is needed, the Regulator will need to complete this within 13 (Thirteen) weeks of receiving your application. These timelines are critical as you will need to suspend the processing activity until a decision is received. The Regulator has recommended that applications be submitted by end November 2021 to allow for these timelines and minimal disruption to your business.

If the Regulator finds your processing to be unlawful (i.e. not in compliance with POPIA’s 8 conditions for lawful processing), the Regulator’s decision will be treated as an enforcement notice. This means that you will need to comply with the contents of the enforcement notice; failing which, you would be guilty of an offence. After 1 February 2022, it will also be an offence to continue processing before the Regulator has responded to your application for Prior Authorisation.

What happens if I do not apply for Prior Authorisation and I carry out an activity listed in (1) to (4)?

A failure to notify the Regulator and apply for Prior Authorisation for a processing activity subject to section 57 of POPIA constitutes an offence and could result in a fine of up to R10 million or imprisonment.

How do I submit my application for Prior Authorisation?

The guidelines for submitting your application are available on the Regulator’s website. Please note that an updated version is expected to be published there soon. Applications can be made electronically to popiacompliance@inforegulator.org.za.

We are here to help

If you are uncertain as to whether you carry out an activity subject to Prior Authorisation, or require our expertise in preparing your application to the Regulator, please email info@brooksandcompany.co.za.

You may also watch the Regulator’s recent webinar on Prior Authorisation, available on the Regulator’s website.

Disclaimer

The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this article without seeking legal or other professional advice.