The Information Regulator has issued helpful guidelines for applicants who require prior authorisation to process certain categories of information under POPIA
The Information Regulator has been very busy preparing itself for the important date of 1 July 2021, when the transitional period for organisations to get their POPIA house in order ends. Last week, the Regulator invited organisations to apply for "prior authorisation" and issued guidance notes on this process.
POPIA specifies certain categories of personal information which require prior authorisation from the Regulator before responsible parties are permitted to process or continue to process such information. This means that after 1 July 2021, without prior authorisation, processing these specific categories of information will be unlawful (unless a code of conduct for that sector has been issued by the Regulator).
In this note, we set out the categories of personal information which require prior authorisation; the process involved in applying for prior authorisation from the Regulator; the prescribed time periods for application and determination by the Regulator; and finally, the consequences of a failure to comply with the Act and guidelines.
In terms of section 57 of POPIA, a responsible party "must obtain prior authorisation from the Information Regulator … prior to any processing" if that responsible party plans to process certain categories of information.
The first category is any unique identifiers of data subjects for a purpose other than the one for which the identifier was specifically intended at collection; and with the aim of linking the information with information processed by other responsible parties. The guidance note gives examples of unique identifiers as bank account numbers, identity numbers and telephone numbers.
The second category is information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties. The guidance note says that this would apply to any person contracted to conduct a criminal record enquiry or reference check pertaining to past conduct or disciplinary action.
The third category is where an organisation processes information for the purposes of credit reporting (for instance credit bureaus).
The final category is where a responsible party transfers special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for processing personal information.
This is a broad category. If your organisation processes this kind of information, the Regulator encourages an immediate application for prior authorisation, so it can be considered before the end of June 2021.
In this regard, a responsible party is only required to apply for a prior authorisation once and not each time that personal information is received or processed within a particular category. Of course, where processing departs from that which has been authorised, a separate application for prior authorisation will have to be made to the Regulator.
Prescribed timelines for processing the application for prior authorisations
A responsible party may not carry out information processing that has been notified to the Information Regulator in terms of section 58(1) of POPIA until the Regulator has completed its investigation or the responsible party has received notice that a more detailed investigation will not be conducted.
Once the relevant notification has been given to the Regulator as part of the application for prior authorisation, the Regulator will have four weeks after receipt in which to inform the responsible party who applied for prior authorisation whether or not it will conduct a more detailed investigation.
The Information Regulator may approve or reject an application for prior authorisation within four (4) weeks of receipt of the prior authorisation application, unless the Regulator decides to conduct a detailed investigation. In that event, it must do so within 13 weeks. Thirteen (13) weeks is the maximum period within which the detailed investigation and the decisions on the application must be finalised.
The decision of the Regulator following a detailed investigation will be issued in the form of a statement on the lawfulness of the information processing. If the Regulator finds that the information processing is unlawful, that statement by the Regulator is deemed to be an enforcement notice under POPIA.
Penalties and offences
A responsible party will be guilty of an offence if:
- the responsible party fails to notify the Regulator of any processing that is subject to prior authorisation in terms of section 58(1) of POPIA; or
- the responsible party has notified the Regulator in terms of section 58(1) of POPIA and carries out personal information processing before the investigation by the Regulator is completed or before receiving notice that a more detailed investigation will not be conducted.
Any person convicted of an offence as stipulated above is liable to a fine or imprisonment for a period not exceeding 12 months, or to both a fine and imprisonment.
In addition, the Regulator may impose an administrative fine not exceeding ZAR 10 million payable by the responsible party who is alleged to have committed any of the offences above.
Review of the decision of the Information Regulator
The decision of the Regulator on the approval or rejection of an application for prior authorisation is final. An aggrieved person may review it in the High Court having jurisdiction and in accordance with general principles of public law and the exercise of public power.
The guidelines issued by the Regulator provide assistance to responsible parties who find themselves in a situation where they are processing personal information which requires prior authorisation.
What is particularly useful is that the guidelines provide a step-by-step "how to" guide on the application process, including in what form and to whom an application should be delivered.
It is important for responsible parties to be aware of the hefty penalties which apply in the context of prior authorisations and to take the time before July 2021 to ensure that, if they are processing or intend to process personal information which falls into one of the categories listed above, they comply with the Act and guidelines in this regard.
Webber Wentzel is able to assist in making applications for prior authorisation.