You need prior authorisation from the information regulator if your organisations is a responsible party that plans to do certain specified things. Note that operators don’t need get prior authorisation, only responsible parties. Do you know what role you play for your different activities? This is another great example of why you should have mapped your activities probably by using privacy management software.

Few organisations need to get authorisation. You probably don’t need to.

If you answer yes to any of the following four questions, your organisation needs prior authorisation. There’s an ‘or’ there again after section 57(1)(c), so if you plan to do any one of these, you need to get prior authorisation. Unfortunately, the law and the guidance note issued by the regulator isn’t very clear and is still open to interpretation. Hopefully, the regulator will in future give us more guidance on who needs to get prior authorisation.

If you answer yes, you need prior authorisation from the information regulator

  1. Does your organisation profile people?
  2. Does your organisation process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties?
  3. Do you process information for the purposes of credit reporting?
  4. Do you transfer special personal information or the personal information of children to a third party in another country that does not have an adequate level of protection for the processing of personal information as referred to in section 72?