Contact

POPIA UPDATE: Addressing POPIA prior authorisation – the Information Regulator issues a Guidance Note for applications for prior authorisation

Back to top

POPIA UPDATE: Addressing POPIA prior authorisation – the Information Regulator issues a Guidance Note for applications for prior authorisation

Closely following its statement on WhatsApp’s proposed changes to its privacy policy, the Information Regulator (IR) has published a Guidance Note (on 11 March 2021) for the application for prior authorisation, which elaborates on the process to be followed by businesses who are currently processing or intend to process personal information which is subject to prior authorisation. If any processing activities require prior authorisation, businesses are advised to ensure that they act quickly in submitting an application to the IR as post-1 July 2021, these businesses will not be allowed to carry out such processing activities without such authorisation.

19 Mar 2021 4 min read Technology, Media & Telecommunications Article

At a glance

  • The Information Regulator has published a Guidance Note detailing the process for applying for prior authorization for processing personal information. Businesses must act quickly to submit their applications to the Information Regulator before 1 July 2021 to continue processing activities requiring prior authorization.
  • The specified categories requiring prior authorization include processing unique identifiers for purposes other than intended, processing information on criminal behavior or credit reporting, and transferring special personal information or children's personal information to a foreign country without adequate protection.
  • The Guidance Note clarifies the definition of unique identifiers and outlines the application process. Failure to comply with the prior authorization requirement can result in penalties, including fines up to R10 million or imprisonment for up to 12 months. Businesses should ensure compliance with POPIA to avoid non-compliance consequences.

Prior Authorisation requirement explained

A business has to apply for prior authorisation to the IR if they process or intend to process any personal information specifically falling within the specified categories, as per sections 57 and 58 of the Protection of Personal Information Act 4 of 2013 (POPIA). These categories are:

  • processing of unique identifiers, (examples of ‘unique identifiers’ included in the Guidance Note are “Bank Account Numbers or any account number; Policy Number; Identity Number; Employee Number; Student Number; Telephone or cell phone number; or Reference Number”), where these are used for a purpose other than the one for which the unique identifier was specifically intended (at collection) and is linked with information processed by another or other responsible parties.
  • processing information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties (e.g. any person contracted to conduct a criminal record enquiry or reference check pertaining to past conduct or disciplinary action).
  • information processed for the purposes of credit reporting (e.g. Including the processing activities of credit bureaus).
  • any transfer of special personal information or the personal information of children from South Africa to a third party in a foreign country, where that country does not provide an adequate level of protection for the processing of personal information (i.e. an adequate level of protection requires the recipient of the information to be subject to a law, binding corporate rules or binding agreement which provides a level of protection that effectively upholds principles for reasonable processing of personal information that is substantially similar to the conditions for the lawful processing as mentioned under POPIA).

The Guidance Note provides much needed clarification on what could be considered a unique identifier for the purposes of POPIA. Under POPIA, the definition of a ‘unique identifier’ is “any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party”. Only section 105(5) of POPIA gives a more specific indication of what would be considered a unique identifier in its mentioning of an account number issued by a bank or financial institution or similar which allows a data subject to access funds or credit facilities.

Section 40(1)(b)(vii) of POPIA places the monitoring of the use of unique identifiers of data subjects within the purview of the IR’s powers, duties and functions to monitor and enforce compliance with POPIA. The IR may report to Parliament from time to time on the results of that monitoring, including any recommendation relating to the need of, or desirability of taking legislative, administrative, or other action to give protection, or better protection, to the personal information of a data subject.

Applications by Responsible Parties

The Guidance Note prescribes the form to be used to make an application for prior authorisation and sets out the questions that will need to be answered by the responsible party in the submission of an application, indicating that the questions must be answered with sufficient detail and clarity as to ensure a full understanding of the responsible party’s processing activities.

POPIA prescribes the timelines applicable to the IR’s consideration of an application. The IR will approve or reject an application within four (4) weeks of receipt, unless the IR decides to conduct a detailed investigation, in which case the IR has a maximum of thirteen (13) weeks to conclude its investigation and furnish a decision on the application.

It is important to note that POPIA provides that a responsible party may not carry out the information processing activities that have been notified to the IR until the IR has formally confirmed that the processing is lawful (with the exception that this would not apply to processing that was already taking place as at 1 July 2020 subject to the IR issuing a notice to the contrary). If the IR rejects the application and declines approval, the IR’s statement is deemed to be an enforcement notice under POPIA (which means that the responsible party would have to among other options and subject to a right to appeal, cease such processing activities or change the processing such that it is compliant).

Consequences of non-compliance

A responsible party who continues information processing activities that are subject to prior authorisation without the IR’s approval will be committing an offence and may be liable to a penalty under POPIA. This would include a fine (of up to R10 million) or imprisonment for a period not exceeding 12 months, or to both a fine and imprisonment.

Conclusion

If you engage in any of these processing activities, you are advised to ensure that your application is submitted as soon as possible so that it can be considered and authorised. As the grace period under POPIA is drawing to an end, it is now more important than ever to ensure that your processing of personal information complies with the provisions of POPIA.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

5 Mar 2024

by Belinda Scriba and Serisha Hariram

When does the proverbial clock begin to tick under section 7(1) of PAJA?

A ruling was made by the Constitutional Court at the end of last year in Sasol Chevron Holdings Limited v Commissioner for the South African Revenue Services ZACC30, confirming that the 180-day period afforded by section 7(1) of the Promotion of Administrative Justice Act 3 of 2000 (PAJA) starts running from the date that reasons for the decision are provided with sufficient detail to allow the offended party to file an objection against the decision. A party’s request for more detailed reasons does not afford that party room to argue that the 180-day period only starts running once those more detailed reasons are provided.

Dispute Resolution

3 min read

6 Jun 2023

The discretion of a commissioner to dismiss a matter and the amended CCMA rules

Section 138(5)(a) of the Labour Relations Act 66 of 1995 (LRA) provides a commissioner with the power and discretion to dismiss a matter in instances where the referring party fails to appear for the arbitration. In 2021, the Labour Court in Solomons v Food Lovers Market, Kempton Park (JR99/2021) diluted a commissioner’s power to dismiss a matter in these circumstances.

Employment Law

2 min read

13 Feb 2024

by Jaco Meyer

2024 Investing in African Mining Indaba provided a platform for opportunity and engagement

Director Jaco Meyer from our Corporate and Commercial practice joined Simon Brown on Moneyweb Now to discuss 30 years of the Mining Indaba and the hopes for this year’s event.

Mining & Minerals

05:22 Minutes

19 Jul 2023

by Tendai Jangara, Tiffany Gray, Belinda Scriba, Lucinde Rhoodie, Brigitta Mangale and Elgene Roos

CDH Women Empowerment podcasts

10 April 2023 marked 100 years since the Woman Legal Practitioners Act 7 of 1923 was promulgated. The Act contained a single section, which reads: “ Women shall be entitled to be admitted to practice and to be enrolled as advocates, attorneys, notaries public or conveyancers in any province of the Union, subject to the same terms and conditions as apply to men… ”. As we commemorate 100 years of women in law, we bring you insightful episodes of the CDH Women Empowerment podcast series. This is where several members of our firm discuss the importance of women empowerment in the legal profession.      

Firm News

4 min read

22 Feb 2024

by Alex Kanyi and Judith Jepkorir

Kenya’s tax outlook for 2024

Since coming into office in September 2022, the incumbent Kenyan Government has implemented policy measures aimed at steering economic recovery. As per the 2023 Budget Policy Statement and the Fourth Medium-Term Plan, it is currently targeting five key priority sectors. These sectors include agricultural transformation; the micro-, small- and medium-size enterprise economy; housing and settlement; healthcare; digital superhighway; and the creative industry. The Government is also redesigning taxation instruments to make them supportive of economic activity while boosting revenue collection. All these interventions have yielded progress, as the economy indicated an average growth rate of 5,6% in the first three quarters of 2023, up from 4,8% in 2022.

Tax & Exchange Control

8 min read

8 Dec 2023

by Alex Kanyi and Billy Oloo

An overview of the High Court's decision on the Finance Act, 2023: Was it just about the housing levy?

The Finance Bill, 2023 (Finance Bill) was passed by the National Assembly on 23 June 2023 and subsequently assented to by the President on 26 June 2023 thereby making it law, as the Finance Act, 2023 (Finance Act).

Tax & Exchange Control

9 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline