Prior authorisation under POPIA from the regulator in South Africa is a very important issue. Where the processing of personal information poses a high risk to data subjects’ legitimate interests, it demands careful consideration of the measures necessary to mitigate the risk. For this reason, POPIA stipulates four categories of processing that require prior authorisation by the regulator.
If you answer yes to any of the questions below, you need prior authorisation from the regulator.
- Does your organisation profile people?
- Does your organisation process information on criminal behaviour, or unlawful or objectionable conduct on behalf of third parties?
- Do you process information for the purposes of credit reporting?
- Do you transfer special personal information or the personal information of children to a third party in another country that does not have an adequate level of protection for the processing of personal information as referred to in section 72?
The regulator may also require prior authorisation for processing that carries a particular risk to the legitimate interests of data subjects. Most responsible parties (known as controllers in the rest of the world) don’t need prior authorisation to process personal information. They can process as long as they comply with the conditions for lawful processing.
This is a significant issue and timing is important
When do I need to apply for POPIA prior authorisation for new processing activities?
As soon as you realise that you need prior authorisation. The information officer should try to make everyone in your organisation aware that if your organisation wants to start a new processing activity that involves personal information, the information officer should do an assessment as early as possible to determine whether you need prior authorisation. The regulator must process your application within four weeks (Chapter 6 of POPIA). It can decide to conduct a more detailed investigation, which can take up to 13 weeks.
The last thing you want is to have to delay a new processing activity (like a new product or service) while you wait for the regulator to give you prior authorisation.
Why this is important
Your organisation could be fined up to R1 million.
What happens if you don’t? It is very important to get this right because failure could result in a fine of up to R1 million (possible) or imprisonment for a period not exceeding 12 months (unlikely). Probably the most serious sanction is that your organisation might have to stop processing certain personal information.
If you require prior authorisation but have not received it, your processing will be unlawful, which is a criminal offence. In reality, you’re not going to stop processing and cease business. Carrying on, however, comes with risk. So getting prior authorisation where required is a high priority for your business. South Africa is one of the few countries that has made it a crime not to register with the regulator, when necessary.
If you can show that you had no intention to commit the offence of failing to get prior authorisation and that you were not negligent, you probably won’t be convicted of the offence. So, to mitigate this risk you want to be able to prove that you assessed whether you needed authorisation and decided that you didn’t, which is likely the case.
Action you can take
- Know whether to apply or not and prove that you were not negligent by doing a self-assessment. You can do so by joining our data protection programme and working through the module called “getting prior authorisation from the information regulator”. We include a self-assessment that details each question and helps you answer yes or no. We have run live webinars in the past.
- Know whether to apply or not, and prove that you were not negligent by asking Michalsons to conduct a prior authorisation assessment (PAA) on your whole organisation (can be tricky) or a specific processing activity, product or service. We can give you a quote for the service. Michalsons will ask you various questions and for information, do the assessment and provide you with a PAA report with recommendations. The prior authorisation assessment will also help you to prepare to apply (if our recommendation is to apply).
- Know whether a country in which a third party receives your special personal information or children’s personal information has an adequate level of protection by asking Michalsons to conduct a transfer impact assessment.
- Apply for prior authorisation by asking Michalsons to prepare (or check) your application. We charge hourly rates for this service.
- Respond to questions asked by the regulator as part of their detailed investigation by asking for advice from Michalsons. The regulator sometimes asks you to prove how you will comply with all the conditions regarding the activity for which you have applied for prior authorisation. We charge hourly rates for this service.
- Demonstrate that you can process personal data based on your legitimate interests by asking Michalsons to do a legitimate interest assessment (LIA).
Authorisation for a class of responsible parties?
Will the information regulator consider issuing authorisation for a class of responsible parties (such as non-profits) if they apply to process children’s personal information on a large scale? What happens when several responsible parties share common information systems even though they process personal information for their own purposes? We are not sure and we’ll have to see how the regulator approaches this.
Conditional prior authorisation under POPIA from the information regulator
Will the information regulator impose “reasonable conditions” on authorisations from sector to sector or will it be the same for all responsible parties who apply for prior authorisations? We’re not sure. We think it is unlikely that the information regulator will regulate all sectors on the same level. The purpose of codes of conduct is to provide specific requirements for particular sectors. While the information regulator must issue codes of conduct, it should be for the industry bodies that represent a specific sector to formulate them. These codes of conduct must however still meet the POPIA requirements of the “Conditions for lawful processing of personal information”.
A short video explaining the issue
Watch this short 3-minute video by John Giles to find out why, who, when and how about this very important issue. Note that this video was recorded on 14 April 2021 and the deadline for prior authorisation was extended afterwards.