LIGHT SHED ON
by Luthando Nondaba
The Information Regulator, on 27 October 2021, hosted a webinar in which it attempted to assist responsible parties with the interpretation of the Protection of Personal Information Act’s (POPIA) sections dealing with prior authorisation, and the processing activities subject thereto. This comes after the Regulator noticed that most applications received for prior authorisation, in terms of the Act, were submitted by responsible parties who were actually not processing personal information that requires prior authorisation.
Section 57 of POPIA requires responsible parties, who intend to process certain categories of personal information classified as high risk, to obtain authorisation from the Regulator prior to such processing.
The following four categories are identified where a responsible party is required to obtain prior authorisation from the Information Regulator to process personal information:
1. Processing of unique identifiers:
Processing of unique identifiers of data subjects, for a purpose other than the one for which the identifier was specifically intended at collection, and with the aim of linking the information together with information processed by other responsible parties.
• Examples of unique identifiers are, amongst others: bank account numbers or any account number, policy number, identity number, employee number, student number, telephone or cell phone number, or reference number.
2. Criminal Behaviour:
Processing of criminal behaviour and unlawful or objectionable conduct of data subjects on behalf of third parties.
• May be applicable to any person contracted to conduct a criminal record enquiry, reference check pertaining to the past conduct or disciplinary action taken against a data subject.
3. Credit reporting:
Subject to section 57(3) of POPIA, any credit bureaus registered with the National Credit Regulator (NCR) or any person processing personal information for credit reporting purposes must apply for prior authorisation from the Regulator.
4. Transfer of the special personal information:
Transfer of special personal information (section 26) or personal information of children (section 34) to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
• Note: The Regulator has not conducted an assessment of countries that do not provide an adequate level of protection for the processing of personal information in this regard.
5. Any other types of information processing by law or regulation which the Regulator may, from time to time, consider as carrying a particular risk for the legitimate interests of the data subject.
The webinar also covered topics on the notification and suspension of processing of personal information subject to prior authorisation; the manner for submitting applications, criteria and timelines for the processing of applications for prior authorisations, and offences and penalties. According to the Regulator, over 200 applications have been assessed and responsible parties should expect outcomes between now and the end of January 2022.
The Information Regulator implemented a grace period for prior authorisation until 01 February 2022, during which time a responsible party may continue processing personal information but thereafter, will be forbidden without authorisation. This cut-off date will not be further extended.
Take note that if a Code of Conduct has been issued by the Regulator and has come into force in a specific sector/industry or sectors of society in which the responsible party operates, the responsible party, who is currently processing or intends to process personal information which is subject to prior authorisation in that sector, does not need to apply for prior authorisation.
The Regulator also presented a few challenges and recommendations that have been summarised (click here to view) which also includes FAQs regarding prior authorisations. Questions and answers which emanated from the webinar are also included.
Employers and businesses who are still unclear as to whether they are required to apply for prior authorisation are encouraged to contact their NEASA regional office for further assistance.
Luthando Nondaba is a Policy Advisor at the National Employers’ Association of South Africa (NEASA).
For more information:
NEASA Media Department