The Protection of Personal Information Act 4 of 2013 (“POPIA”) requires that a responsible party obtain prior authorisation for certain processing of personal information where that specific processing is likely to pose a higher risk to the data subject.
Unless exempt, a responsible party must apply for prior authorisation in the following instances:
- Processing of unique identifiers. Where the responsible party processes a unique identifier for a purpose other than the purpose specifically intended at collection of the identifier AND with the aim of linking the information with information processed by other responsible parties.
Unique identifiers include, for example, any account number, policy number, identity number, employee number, student number or unique reference number.
- Criminal, unlawful or objectionable behaviour. Where the responsible party processes information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties.
For example, where the responsible party is a company that carries out background check services on behalf of its clients.
- Credit reporting. Where the responsible party processes personal information for credit reporting purposes.
For example, credit bureaus and other persons processing information for credit reporting purposes.
- Cross border transfers of special and children’s personal information. Where special or children’s personal information is transferred to a third party in a country that does not have adequate data protection laws. The current position is that the Information Regulator requires responsible parties to determine whether the country in which the third party is located has adequate laws and, where it does not, to apply for authorisation to transfer the personal information to that country (such transfers must also be subject to contractual safeguards).
- As further determined by the Regulator. The Information Regulator may determine that certain categories or types of information processing carry a particular risk for the legitimate interests of the data subject, in which case a responsible party will need to apply for prior authorisation in respect of such information processing.
Unless a code of conduct has been published by the Information Regulator in respect of specific processing that is subject to prior authorisation, a responsible party will need to apply for prior authorisation to continue processing personal information that falls within the above categories of information / processing. To date, the Credit Bureau Association has applied for a code of conduct for the processing by credit bureaus of personal information for credit reporting purposes.
For most clients, the categories of processing that are likely to be particularly applicable are the processing of unique identifiers, processing for credit reporting purposes and the cross border transfer of special and children’s personal information (for example, where medical information is processed for insurance purposes and transferred to countries without adequate data protection laws, most notably the USA).
Where a responsible party is required to apply for prior authorisation in terms of section 58(1), the Act requires the responsible party to suspend its processing of the personal information that is the subject of the prior authorisation application once the application has been submitted, and until the Information Regulator has approved the application or found that prior authorisation is not necessary. Section 58(1) will however only become effective from 1 February 2022, so responsible parties will not need to suspend their processing for applications submitted before 1 February 2022; but if the Regulator has not finalised its consideration of the application by then, the position in law is that the responsible party will be required to suspend processing from 1 February 2022.
Written by Jessica Paterson
This article was originally published by Dommisse Attorney’s Inc