The POPIA prior authorisation conundrum – What is prior authorisation, and do you need it for your business?
11 Aug 2021
Now that the Protection of Personal Information Act, 2013 (“POPIA”) has come into effect, there has been a scramble by individuals and businesses to ensure their compliance with its various requirements. In many instances, businesses are required to comply with obligations imposed by POPIA without any assistance being provided by South Africa’s Information Regulator.
One of the obligations imposed on a responsible party in terms of POPIA is the requirement to obtain prior authorisation from the Information Regulator before undertaking certain types of processing.
POPIA requires that where a responsible party processes personal information, this must be done lawfully and in a reasonable manner that does not infringe on a data subject’s privacy, especially where the personal information constitutes special personal information (e.g. religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject, or the criminal behaviour of a data subject). One of the facets for lawful processing of special personal information is that the responsible party must have a legal basis for processing any personal information which it obtains. A common basis for lawful processing of special personal information is on the grounds of having obtained the data subject’s consent.
However, in some instances, even where the consent of a data subject has been obtained, a responsible party is still required to obtain prior authorisation from the Information Regulator before it may process that personal information, regardless of whether such information is considered special personal information.
A responsible party is required to obtain prior authorisation from the Information Regulator to process personal information where it plans to:
(i) process any personal information which contains unique identifiers of a data subject:
- for a purpose other than the one for which the identifier was specifically intended at collection; and
- with the aim of linking the information together with information processed by other responsible parties;
(ii) process any personal information which relates to a data subject’s criminal behaviour;
(iii) process any personal information for purposes of credit reporting; or
(iv) transfer personal information relating to special personal information (as referred to in section 26 of POPIA), or personal information of children (as referred to in section 34 of POPIA) to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as required by POPIA.
In certain instances, such as medical research or emergencies, a responsible party may also be required, as part of its business, to process the special personal information of a data subject where it is not possible to obtain that data subject’s consent to do so, or where the responsible party is unable to rely on any of the other lawful grounds listed in POPIA. In such instances, if the responsible party believes that the processing of that special personal information will be in the public interest, it may apply to the Information Regulator for prior authorisation to process that special personal information.
Until a responsible party has obtained prior approval from the Information Regulator, it may not carry out any form of this type of processing.
Thankfully, a responsible party is only required to obtain prior authorisation once, and not each time that special personal information is received or processed, except to the extent that such processing departs from the scope of the prior authorisation.
Once a business understands what prior authorisation is and when it will be required, it will need to determine whether it will be required to approach the Information Regulator to obtain prior approval.
If you believe that your business may require prior authorisation and have not yet applied to the Information Regulator for authorisation, there is no need to panic just yet. Due to the uncertainty around certain provisions of POPIA and the resulting influx of applications that have been made to the Information Regulator for prior authorisation, the Information Regulator has implemented a grace period for prior authorisation until 01 February 2022, during which time a responsible party may continue processing personal information.
Eversheds Sutherland can assist you before the end of the grace period in preparing your application or with any of your other POPIA requirements.
(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)