The Information Regulator has extended the commencement date of the POPIA provision that requires organisations to obtain prior authorisation if they process certain categories of personal information. The commencement date of that provision is now
1 February 2022.
This means that an organisation that is required to obtain prior authorisation from the Information Regulator does not need to suspend its processing of personal information during such time that the Information Regulator is processing its application for prior authorisation. Such organisations will not incur any penalties under POPIA for processing personal information after 1 July 2021. However, it is imperative that if your organisation does need prior authorisation, you must:
submit your application for prior authorisation to the Information Regulator before 1 February 2022
comply with the remainder of POPIA – failure to do so will attract penalties
Organisations who perform the following activities are required to obtain prior authorisation from the Information Regulator:
Processing unique identifiers (for example, bank account details, identity numbers or telephone numbers) of data subjects for a purpose other than the purpose for which the identifier was specifically intended at collection, with the aim of linking the information with information processed by other responsible parties.
Processing criminal behaviour or illegal, objectionable conduct on behalf of third parties. An example of this includes service providers who are contracted to perform criminal record checks for employers prior to offering employment to a prospective candidate.
Processing information for credit reporting (for example credit bureaus).
Transferring special personal information or personal information of children to a third party in a foreign country that does not have adequate data protection laws.
Tip: if you use cloud service providers to store your organisation's data, find out which country their servers are based in – you may unintentionally contravene the requirement to obtain prior authorisation if their servers are based in a country without sufficient data protection laws.
We have published an update on the Information Regulator's guidelines for applicants who require prior authorisation to process certain categories of information under POPIA.