The Regulator published a guidance note on processing of Special Personal Information on 28 June 2021 to help responsible parties process Special Personal Information lawfully. The guidance note does not add much to what is currently in the law, but below we have given you a breakdown of the position regarding Special Personal Information.

You can get authorisation to process Special Personal Information in two ways:

  1. Authorisation by law
  2. Authorisation from the Regulator

It is very important not to confuse the guidance note with an application for prior authorisation from the Regulator. You don’t need prior authorisation from the Regulator to process Special Personal Information because you can get authorisation from the law. You may need prior authorisation from the Regulator only under certain circumstances.

You must check that the law authorises you to process Special Personal Information

Authorisation by law to process Special Personal Information

Special Personal Information is (section 26 of POPIA):

  • religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information, or
  • criminal behaviour concerning the commission of an alleged offence, or proceedings relating to an alleged offence, or disposal of proceedings.

You may process Special Personal Information under certain conditions (section 27).

  • If the data subject consents to the processing.
  • Where it is necessary for the responsible party to establish, exercise, or defend a right or obligation in law.
  • It is necessary to comply with an international public law.
  • The processing is for historical, statistical, or research purposes in the public interest.
  • The data subject made the information public.

You may not process Special Personal Information unless the law authorises you to do so. If the law doesn’t authorise you to process Special Personal Information, then the Regulator may authorise you. (See sections 28 to 33 of POPIA)

Authorisation by the Regulator to process Special Personal Information

In terms of section 27(2) the Regulator must authorise a responsible party to process Special Personal Information if:

  • it is in the public interest, and
  • appropriate safeguards are in place to protect the data subject’s Special Personal Information.

What is the public interest?

The guidance note says that “Public interest is a wide and diverse concept that cannot and should not be limited in its scope and application. The definition of what constitutes public interest varies across jurisdictions and should be assessed on a case-by-case basis. In its very basic formulation, public interest is the notion that an action or process or outcome widely and generally benefits the public at large (as opposed to a few or a single entity or person) and should be accepted, imposed or pursued in the spirit of equality and justice.”

POPIA also gives us examples:

  1. the interests of national security
  2. the prevention, detection and prosecution of offences
  3. important economic and financial interests of a public body
  4. compliance with legal provisions established in the interests referred to under points 2 and 3 above
  5. historical, statistical or research activity
  6. the special importance of the interest in freedom of expression.

What are appropriate safeguards?

In terms of section 19(1) of POPIA, a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent:

  • loss, damage or unauthorised destruction of personal information, and
  • unlawful access to or processing of personal information.

The responsible party must take reasonable measures to:

  • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control,
  • establish and maintain appropriate safeguards against the risks identified,
  • effectively verify and implement the safeguards, and
  • continually monitor and update the safeguards in response to new risks or deficiencies.

The responsible party must also consider generally accepted information security practices required in terms of regulations, and specific industry or professional rules.

How to submit an application for authorisation

Download the application form from the Regulator’s website and complete the information required.

  • There are four parts to the application form:
    1. Part A requires detailed information about the responsible party.
    2. Part B requires you to select which category of Special Personal Information you intend to process if authorised by the Regulator.
    3. Part C is a declaration.
    4. Part D requires you to choose which sector you are from, for example, government, public or private.
  • Submit the application by:
    • Email: [email protected]
    • Post: P.O Box 31533, Braamfontein, Johannesburg, 2017
    • Hand: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Due to COVID-19, the Regulator recommends submitting applications electronically but will accept applications submitted in hard copy.

What happens next?

  • The Regulator will record the application on their system.
  • The responsible party will then receive an acknowledgment email or letter with a reference number for the application.
  • If you are providing additional information to your application, include the application reference number to enable the Regulator to link the additional information to your existing application.

Actions you can take regarding the guidance note on processing of Special Personal Information

  • You can find out more about the application process by contacting the Regulator. If you need help preparing your application or if you need legal advice relating to it, you can contact Michalsons.
  • Find out more by reading the guidance note itself.
  • You can find out more about processing Special Personal Information by referring to the Relevant facts module in our programme.
  • Keep abreast of all data protection developments by joining a Michalsons programme.
  • Gain more insight about the Information Regulator by reading our post.