Prior authorisation under POPIA from regulator in South Africa

Last updated: 2024-05-31

Prior authorisation under POPIA from the regulator in South Africa is a very important issue. Where the processing of personal information poses a high risk to data subjects’ legitimate interests, it demands careful consideration of the measures necessary to mitigate the risk. For this reason, POPIA stipulates four categories of processing that require prior authorisation by the regulator.

If you answer yes to any of the questions below, you need prior authorisation from the regulator.

  1. Does your organisation profile people?
  2. Does your organisation process information on criminal behaviour, or unlawful or objectionable conduct on behalf of third parties?
  3. Do you process information for the purposes of credit reporting?
  4. Do you transfer special personal information or the personal information of children to a third party in another country that does not have an adequate level of protection for the processing of personal information as referred to in section 72?

The regulator may also require prior authorisation for processing that carries a particular risk to the legitimate interests of data subjects. Most responsible parties (known as controllers in the rest of the world) don’t need prior authorisation to process personal information. They can process as long as they comply with the conditions for lawful processing.

This is a significant issue and timing is important

When do I need to apply for POPIA prior authorisation for new processing activities?

As soon as you realise that you need prior authorisation. The information officer should try to make everyone in your organisation aware that, if your organisation wants to start a new processing activity that involves personal information, the information officer should do an assessment as early as possible to determine whether you need prior authorisation. The regulator must process your application within four weeks (Chapter 6 of POPIA). It can decide to conduct a more detailed investigation, which can take up to 13 weeks.

The last thing you want is to have to delay a new processing activity (like a new product or service) while you wait for the regulator to give you prior authorisation.

Why this is important

Your organisation could be fined up to R1 million.

What happens if you don’t? It is very important to get this right because failure could result in a fine of up to R1 million (possible) or imprisonment for a period not exceeding 12 months (unlikely). Probably the most serious sanction is that your organisation might have to stop processing certain personal information.

If you require prior authorisation but have not received it, your processing will be unlawful, which is a criminal offence. In reality, you’re not going to stop processing and cease business. Carrying on, however, comes with risk. So getting prior authorisation where required is a high priority for your business. South Africa is one of the few countries that has made it a crime not to register with the regulator, when necessary.

If you can show that you had no intention to commit the offence of failing to get prior authorisation and that you were not negligent, you probably won’t be convicted of the offence. So, to mitigate this risk, you want to be able to prove that you assessed whether you needed authorisation and decided that you didn’t, which is likely the case.

Action you can take

  • Know whether to apply or not and prove that you were not negligent by doing a self-assessment. You can do so by joining our data protection programme and working through the module called “getting prior authorisation from the information regulator”. We include a self-assessment that details each question and helps you answer yes or no. We have run live webinars in the past.
  • Know whether to apply or not, and prove that you were not negligent by asking Michalsons to conduct a prior authorisation assessment (PAA) on your whole organisation (can be tricky) or a specific processing activity, product or service. We can give you a quote for the service. Michalsons will ask you various questions and for information, do the assessment and provide you with a PAA report with recommendations. The prior authorisation assessment will also help you to prepare to apply (if our recommendation is to apply).
  • Know whether a country to which you transfer special personal information or children’s personal information to a third party has an adequate level of protection by asking Michalsons to conduct a transfer impact assessment.
  • Apply for prior authorisation by asking Michalsons to prepare (or check) your application. We charge hourly rates for this service.
  • Respond to questions asked by the regulator as part of their detailed investigation by asking for advice from Michalsons. The regulator sometimes asks you to prove how you will comply with all the conditions regarding the activity for which you have applied for prior authorisation. We charge hourly rates for this service.
  • Demonstrate that you can process personal data based on your legitimate interests by asking Michalsons to do a legitimate interest assessment (LIA).
Has the regulator issued guidance on the third party countries with an adequate level of protection? (last updated 2025-02-05)

The Information Regulator confirmed in the webinar on prior authorisation on 27 October 2021 that it will not release a list of countries with an adequate level of protection. They further said that it is for the responsible party to determine and decide whether the country to which the special personal information or personal information of children is being transferred has an adequate level of data protection.

How do I get prior authorisation from the regulator? (last updated 2024-08-21)

If you have determined that your organisation needs to get prior authorisation, the next question is how do you apply?

Who do you send the application form for prior authorisation to?

It is like applying for your license – you have to apply to the regulator, who will assess you and within about 4 weeks, they’ll tell you whether you have been given a license or not.

Applying is the easy part. You just have to email the application form to the regulator. Email it, don’t post it. Make sure you get an acknowledgement from the regulator that they have received it and file it safely in more than one place.

How do you complete the application form?

The hard part is completing the application form. The information regulator has released an editable pdf but it is still quite hard to know how to complete it correctly. We’ve created an editable version to make your life easier and this is included in our data protection programme. You will want multiple people to review it and you’ll want each person to be able to track their changes.

Who should sign the application form?

In our view, the default information officer (not the designated or delegated one) should sign the form. The default officer is accountable to the regulator and is the one that the law specifies as being the information officer by default. Applying for prior authorisation is an important task and should be done by the highest level information officer.

The application form for prior authorisation requires the information officer’s registration number. But what if you don’t have it? This might be because you are waiting for the regulator to fix their electronic platform. You should apply without it and just state – “Waiting for electronic platform”.

Action you can take

  1. Complete the application form yourself by joining our data protection programme and working through the module called getting prior authorisation from the information regulator.
  2. Check that you have correctly completed the application form by asking Michalsons to check it.
  3. Have Michalsons complete the application form for you by asking for a quote.
Who needs to get prior authorisation from the information regulator? (last updated 2021-09-24)

You need prior authorisation from the information regulator if your organisation is a responsible party that plans to do certain specified things. Note that operators don’t need to get prior authorisation, only responsible parties. Do you know what role you play for your different activities? This is another great example of why you should have mapped your activities, probably by using privacy management software.

Few organisations need to get authorisation. You probably don’t need to.

If you answer yes to any of the following four questions, your organisation needs prior authorisation. There’s an ‘or’ there again after section 57(1)(c), so if you plan to do any one of these, you need to get prior authorisation. Unfortunately, the law and the guidance note issued by the regulator aren’t very clear and are still open to interpretation. Hopefully, the regulator will in future give us more guidance on who needs to get prior authorisation.

If you answer yes, you need prior authorisation from the information regulator

  1. Does your organisation profile people?
  2. Does your organisation process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties?
  3. Do you process information for the purposes of credit reporting?
  4. Do you transfer special personal information or the personal information of children to a third party in another country that does not have an adequate level of protection for the processing of personal information as referred to in section 72?


Authorisation for a class of responsible parties?

Will the information regulator consider issuing authorisation for a class of responsible parties (such as non-profits) if they apply to process children’s personal information on a large scale? What happens when several responsible parties share common information systems even though they process personal information for their own purposes? We are not sure and we’ll have to see how the regulator approaches this.

Conditional prior authorisation under POPIA from the information regulator

Will the information regulator impose “reasonable conditions” on authorisations from sector to sector or will it be the same for all responsible parties who apply for prior authorisations? We’re not sure. We think it is unlikely that the information regulator will regulate all sectors on the same level. The purpose of codes of conduct is to provide specific requirements for particular sectors. While the information regulator must issue codes of conduct, it should be for the industry bodies that represent a specific sector to formulate them. These codes of conduct must however still meet the POPIA requirements of the “Conditions for lawful processing of personal information”.

A short video explaining the issue

Watch this short 3 minute video by John Giles to find out why, who, when and how about this very important issue. Note that this video was recorded on 14 April 2021 and the deadline for prior authorisation was extended afterwards.