POPIA – Prior Authorisation for the Processing of Personal Information
We’re living in the digital age and that means a lot of our problems will be digital ones. One such problem is the increasing cases of theft and misuse of people’s personal information.
The Protection of Personal Information Act 4 of 2013, commonly referred to as POPIA or the POPI Act, outlines the standards for accessing and ‘processing’ any personal information belonging to individuals. The Act defines ‘processing’ as collecting, receiving, recording, organising, retrieving, or the use, distribution or sharing of any of that information.
South African organisations of all sizes as well as individuals (hereafter referred to as responsible party/parties) that are able to obtain, handle and store the personal information of another individual, whether as a result of employment or as suppliers or service providers, must comply with all the requirements of the Act and ensure that the correct processes are in place to safeguard this information.
It is important that responsible parties that process personal information ensure that they submit an application for prior authorisation to the Information Regulator to enable them to process such information, and that they suspend any such processing until they receive a response to their application from the Information Regulator.
Authorisation prior to processing is required if the purpose and means for processing personal information is intended to:
- process any unique identifiers of data subjects –
  - for a purpose other than the one for which the identifier was specifically intended at collection; and
  - with the aim of linking the information together with information processed by other responsible parties (i.e. sharing information with a third party for “official” administrative purposes);
- process information on behalf of third parties about the criminal behaviour or unlawful or objectionable conduct of individuals;
- process information for the purposes of credit reporting; or
- share special personal information or the personal information of children with a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
Section 57(4) of POPIA states that a responsible party is required to obtain prior authorisation only once for a particular set of personal information to be processed. In the event that the responsible party will embark on a different type of processing, additional authorisation will need to be applied for.
Prior authorisation is obtained by making an application to the Information Regulator by completing an application form and submitting it along with the relevant supporting documents.
A prior authorisation application and/or notification for processing or intention to process personal information, as referred to in sections 57(1) and 58(1) of POPIA, must be submitted to the Information Regulator through the following channels:
- Email
priorauthorisationIR@justice.gov.za
- Postal
P.O Box 31533
Braamfontein
Johannesburg
2017
- Delivery
JD House
27 Stiemens Street
Braamfontein
Johannesburg
2001
The only instance in which this would not be required of a responsible party is if a code of conduct has been issued by the Information Regulator and has come into effect in the sector in which the responsible party operates. However, no such codes of conduct have yet been issued. Therefore parties must still apply for authorisation prior to processing personal information.
Next steps once the application has been submitted
Once the Information Regulator has received the application, it will conduct an investigation, after which authorisation is either issued or rejected.
The Information Regulator has a period of four weeks within which it must approve the application for prior authorisation where the following eight conditions for the lawful processing of information have been met:
- 'Accountability', as referred to in section 8;
- 'Processing limitation', as referred to in sections 9 to 12;
- 'Purpose specification', as referred to in sections 13 and 14;
- 'Further processing limitation', as referred to in section 15;
- 'Information quality', as referred to in section 16;
- 'Openness', as referred to in sections 17 and 18;
- 'Security safeguards', as referred to in sections 19 to 22; and
- 'Data subject participation', as referred to in sections 23 to 25.
In some instances the Information Regulator will need to conduct a more detailed investigation. Where the Information Regulator elects to conduct a more detailed investigation, it must notify the responsible party of this within the four-week period and the detailed investigation must be concluded within thirteen weeks after the initial four weeks.
Pause the Processing
Before the application of sections 57 and 58 of the POPI Act came into effect on 01 February 2022, prior authorisation was not required to process personal information, nor was it necessary for responsible parties to suspend their processing pending the outcome of their application to the Information Regulator.
The requirement was initially intended to commence on 1 July 2021, but commencement was extended to allow the thousands of applications that were subsequently submitted to be reasonably considered.
Mere notification to the Information Regulator does not permit a responsible party to carry out the processing of such personal information. A responsible party must await the Information Regulator’s response to its notification before proceeding.
A responsible party that has suspended its processing, and has not received the Information Regulator’s decision within the aforementioned four weeks, may presume a decision in its favour and continue with its processing.
Penalties for failure to obtain authorisation
The failure by a responsible party to:
- notify the Information Regulator of information processing, or
- suspend its information processing until the Information Regulator has completed its investigation or notified the responsible party that it will not be conducting a more detailed investigation, as the case may be,
constitutes an offence for which the responsible party becomes liable to a fine of up to R10 000 000,00 or a prison sentence of up to twelve months.
All responsible parties that process information which is subject to prior authorisation as set out above must ensure that they have obtained the necessary prior authorisation from the Information Regulator.
MBA Incorporated provides advice on the privacy of data in relation to POPIA and related international laws, codes and practices. Contact us for a consultation.
About the author
Yonela Diko
Associate Attorney
Bachelor of Laws at the University of Pretoria