Addressing POPIA prior authorisation – the Information Regulator issues a Guidance Note for applications for prior authorisation

Closely following its statement on WhatsApp’s proposed changes to its privacy policy, the Information Regulator (IR) published a Guidance Note (on 11 March 2021) regarding the application for prior authorisation, which elaborates on the process to be followed by businesses that are currently processing, or intend to process, personal information subject to prior authorisation. If any processing activities require prior authorisation, businesses are advised to submit an application to the IR without delay, because after 1 July 2021 they will not be allowed to carry out such processing activities without that authorisation.

Prior Authorisation requirement explained

A business has to apply for prior authorisation to the IR if they process or intend to process any personal information specifically falling within the specified categories, as per sections 57 and 58 of the Protection of Personal Information Act 4 of 2013 (POPIA). These categories are:
• processing of unique identifiers (examples of ‘unique identifiers’ given in the Guidance Note are “Bank Account Numbers or any account number; Policy Number; Identity Number; Employee Number; Student Number; Telephone or cell phone number; or Reference Number”), where these are used for a purpose other than the one for which the unique identifier was specifically intended (at collection) and are linked with information processed by one or more other responsible parties.
• processing information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties (e.g. any person contracted to conduct a criminal record enquiry or reference check pertaining to past conduct or disciplinary action).
• information processed for the purposes of credit reporting (e.g. including the processing activities of credit bureaus).
• any transfer of special personal information or the personal information of children from South Africa to a third party in a foreign country, where that country does not provide an adequate level of protection for the processing of personal information (i.e. an adequate level of protection requires the recipient of the information to be subject to a law, binding corporate rules or a binding agreement which provides a level of protection that effectively upholds principles for reasonable processing of personal information substantially similar to the conditions for lawful processing under POPIA).

The Guidance Note provides much needed clarification on what could be considered a unique identifier for the purposes of POPIA. Under POPIA, the definition of a ‘unique identifier’ is “any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party”. Only section 105(5) of POPIA gives a more specific indication of what would be considered a unique identifier in its mentioning of an account number issued by a bank or financial institution or similar which allows a data subject to access funds or credit facilities.

Section 40(1)(b)(vii) of POPIA places the monitoring of the use of unique identifiers of data subjects within the purview of the IR’s powers, duties and functions to monitor and enforce compliance with POPIA. The IR may report to Parliament from time to time on the results of that monitoring, including any recommendation relating to the need of, or desirability of taking legislative, administrative, or other action to give protection, or better protection, to the personal information of a data subject.

Applications by Responsible Parties
The Guidance Note prescribes the form to be used to make an application for prior authorisation and sets out the questions that will need to be answered by the responsible party in the submission of an application, indicating that the questions must be answered with sufficient detail and clarity as to ensure a full understanding of the responsible party’s processing activities.

POPIA prescribes the timelines applicable to the IR’s consideration of an application. The IR will approve or reject an application within four (4) weeks of receipt, unless the IR decides to conduct a detailed investigation, in which case the IR has a maximum of thirteen (13) weeks to conclude its investigation and furnish a decision on the application.

It is important to note that POPIA provides that a responsible party may not carry out the information processing activities that have been notified to the IR until the IR has formally confirmed that the processing is lawful (with the exception that this would not apply to processing that was already taking place as at 1 July 2020, subject to the IR issuing a notice to the contrary). If the IR rejects the application and declines approval, the IR’s statement is deemed to be an enforcement notice under POPIA (which means that the responsible party would have to, among other options and subject to a right to appeal, cease such processing activities or change the processing so that it is compliant).

Consequences of non-compliance
A responsible party who continues information processing activities that are subject to prior authorisation without the IR’s approval commits an offence and may be liable to a penalty under POPIA. This would include a fine (of up to R10 million) or imprisonment for a period not exceeding 12 months, or both a fine and imprisonment.

If you engage in any of these processing activities, you are advised to ensure that your application is submitted as soon as possible so that it can be considered and authorised. As the grace period under POPIA is drawing to an end, it is now more important than ever to ensure that your processing of personal information complies with the provisions of POPIA.

K. Cowley
(Chairperson – CEA – TESD)