The regulator published a guidance note on processing of personal information of children on 28 June 2021 to help responsible parties process the personal information of children lawfully. It mainly deals with an application for authorisation by the Regulator to process the personal information of children. It is unlikely that many people will require authorisation from the Regulator because, in most instances, the law authorises you to do so.

The guidance note does not add much to what is currently in the law but below we have given you a breakdown of the position. You can get authorisation to process the personal information of children in two ways:

  1. Authorisation by law
  2. Authorisation from the Regulator

It is very important not to confuse the guidance note with an application for prior authorisation from the Regulator. You only need prior authorisation from the Regulator if you plan to transfer the personal information of children to a third party in another country that does not have an adequate level of protection for the processing of personal information.

You must check that the law authorises you to process children’s personal information

Authorisation by law to process the personal information of children

A responsible party may not process personal information of children unless the law authorises them to do so (section 34). A responsible party may rely on certain grounds to process the personal information of children (section 35).

  • If it occurs with the prior consent of a competent person.
  • Where it is necessary for the establishment, exercise or defence of a right or obligation in law
  • It is necessary to comply with international public law
  • For historical, statistical, or research purposes where:
    • it is in the public interest and is necessary for a specific purpose
    • processing does not adversely affect the individual privacy of the child
    • the child deliberately publicised their personal information with a competent person’s consent

Authorisation by the Regulator to process the personal information of children

The Regulator may authorise a responsible party to process personal information of children if: (section 35(2))

  • it is in the public interest, and
  • appropriate safeguards are in place to protect the child’s Personal Information.

What is the public interest?

The guidance note says that “Public interest is a wide and diverse concept that cannot and should not be limited in its scope and application. The definition of what constitutes public interest varies across jurisdictions and should be assessed on a case-by-case basis. In its very basic formulation, the public interest is the notion that an action or process or outcome widely and generally benefits the public at large (as opposed to a few or a single entity or person) and should be accepted, imposed, or pursued in the spirit of equality and justice.”

POPIA also gives us examples:

  1. the interests of national security
  2. the prevention, detection and prosecution of offences
  3. important economic and financial interests of a public body
  4. compliance with legal provisions established in the interests referred to under points 2 and 3 above
  5. historical, statistical, or research activity
  6. the special importance of the interest in freedom of expression.

What are appropriate safeguards?

A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent: (section 19(1))

  • loss, damage, or unauthorised destruction of personal information, and
  • unlawful access to or processing of personal information.

The responsible party must take reasonable measures to:

  • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control,
  • establish and maintain appropriate safeguards against the risks identified,
  • effectively verify and implement the safeguards, and
  • continually monitor and update the safeguards in response to new risks or deficiencies.

The responsible party must also consider generally accepted information security practices required in terms of regulations, and specific industry or professional rules.

The Regulator may impose conditions with authorisations

The Regulator’s conditions may require a responsible party:

  • to provide reasonable means for a competent person to review or refuse the processing of a child’s personal information.
  • to provide notice:
    • regarding the nature of a child’s personal information
    • about the method of processing
    • regarding any further processing practices.
  • avoid any action that may encourage or persuade a child to disclose more personal information about themselves than is necessary
  • to establish and maintain reasonable procedures to protect the integrity and confidentiality of the personal information collected from children.

How to submit an application for authorisation

Download the application form from the Regulator’s website and complete the information required.

  • There are four parts to the application form:
    1. Part A requires detailed information about the responsible party.
    2. Part B requires detailed information about the child’s personal information you intend to process if authorised by the Regulator.
    3. Part C is a declaration.
    4. Part D requires you to choose which sector you are from, for example, government, public or private.
  • Submit the application by:
    • Email: [email protected]
    • Post: P.O Box 31533, Braamfontein, Johannesburg, 2017
    • Hand: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Due to COVID-19, the Regulator recommends submitting applications electronically but will accept applications submitted in hard copy.

What happens next?

  • The Regulator will record the application on their system.
  • The responsible party will then receive an acknowledgment email or letter with a reference number for the application.
  • If you are providing additional information to your application, include the application reference number to enable the Regulator to link the additional information to your existing application.

Actions you can take regards the guidance note on processing of personal information of children

  • You can find out more about the application process by contacting the Regulator. If you need help preparing your application or if you need legal advice relating to it, you can contact Michalsons.
  • Find out more by reading the guidance note on processing of personal information of children itself.
  • You can find out more about processing personal information of children by referring to the Protecting our children module.
  • Keep abreast of all data protection developments by joining a Michalsons programme.
  • Gain more insight about the Information Regulator by reading our post.