Conducting credit checks on customers? You may require prior authorisation
19 Feb 2021
For those who aren’t aware, the Protection of Personal Information Act 4 of 2013 (“POPIA”) came into force on 1 July 2020, and has allowed organisations a twelve-month grace period to become fully compliant with its provisions. With the grace period coming to an end on 1 July 2021, it is imperative that South African businesses perform personal information audits and prepare a comprehensive gap analysis to address any compliance issues.
Whilst conducting these internal investigations, organisations should ask themselves whether they fall into the category of responsible parties that require prior authorisation from the Information Regulator (“Regulator”) to continue with their current processing activities.
Section 58 of POPIA provides that a responsible party must notify and obtain prior authorisation from the Regulator if the responsible party plans to, amongst other things, process personal information for the purposes of credit reporting. To this end, a distinction must be made between:
- a responsible party that engages, for payment, in the business of credit reporting, receiving, or investigating credit applications, credit agreements or issuing and maintaining credit data etc. (hereafter referred to as a “Credit Bureau”); and
- a responsible party who processes personal information for the purposes of credit reporting in circumstances where credit reporting is not the main business of the responsible party (hereafter referred to as “Ancillary Credit Reporting”).
By way of an example, if an organisation intends to conduct a credit check into potential customers prior to the conclusion of a contract, such organisation is processing personal information of the customer for the purposes of Ancillary Credit Reporting. In these circumstances, the organisation is required to notify the Regulator thereof and, importantly, obtain authorisation prior to the processing of such information.
On the other hand, in the case of a Credit Bureau, as defined in the National Credit Act 34 of 2005, it is somewhat unclear whether prior authorisation will be required. We say so because POPIA provides that prior authorisation from the Regulator will not be required for a Credit Bureau if an industry or specific sector code of conduct has been issued and has come into force in terms of chapter 7 of POPIA.
In 2018, the Credit Bureau Association applied for the issuing of an industry code of conduct governing the conditions for the lawful processing of personal information by members of the Credit Bureau Association (the “CBA Code of Conduct”). Once the CBA Code of Conduct has been approved by the Regulator, members of the Credit Bureau Association will be exempt from the requirement to obtain prior authorisation from the Regulator. The Regulator has, however, advised that it will not review any industry codes until such time as the Guidelines on Industry Codes have been finalised and issued. It remains to be seen whether these guidelines will be published before 1 July 2021, and if they aren’t, it is likely that Credit Bureaus will find themselves in a situation where prior authorisation from the Regulator is required to ensure compliance with POPIA as at 1 July 2021.
As can be seen from the above, any organisations undertaking Ancillary Credit Reporting will be required to obtain prior approval from the Regulator prior to processing any personal information. It is important to note that it is necessary for the responsible party to obtain prior authorisation once only, and not each time that personal information is received and processed, provided that the processing does not depart from what has been authorised by the Regulator.
For further information or assistance with such applications, please don’t hesitate to contact us.
(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)