Update on requirement for prior authorisation to process data

By Maryke Sher-Lun & Shona Nicoll on 5 November 2021

Professionals from our data privacy team recently attended an informational session hosted by the information regulator established in terms of the Protection of Personal Information Act ("POPIA").

The session dealt with section 57 of POPIA, which requires responsible parties to apply for prior authorisation from the regulator in certain cases, as more fully set out below. Where an application for prior authorisation has been made, section 58(2) states that if such authorisation has not been obtained by 1 February 2022, responsible parties are required to stop processing the personal information while they seek authorisation or await approval in terms of submitted applications.

Extension of deadline

The regulator has advised that the 1 February 2022 deadline will not be extended further and warned responsible parties to submit applications for prior approval as soon as possible, but no later than the end of November 2021, to avoid having to comply with the suspension obligation in section 58(2).

Unnecessary applications for prior authorisation

During the session, the regulator mentioned that many of the applications it has received to date did not in fact require prior authorisation.

The regulator also stated that some corrections would need to be made to the current guidance note on prior authorisations.

Unfortunately, it is unclear whether these corrections will be made in time for responsible parties to avoid unnecessary applications for prior authorisation, as responsible parties cannot afford to risk not applying before the deadline.

We summarise a few salient points of the regulator's presentation below.

Clarifying remarks pertaining to section 57

The regulator restated that prior authorisation is only required once and not each time the personal information is processed. Therefore, where authorisation is granted, the responsible party can rely on such authorisation for the continued processing of personal information in the manner approved by the regulator.

Prior authorisation is required when a responsible party conducts one or more of the types of processing identified in section 57. The regulator clarified the following issues as they pertain to the grounds of processing that require prior approval:

  1. Prior approval to process information on criminal behaviour or on unlawful or objectionable conduct is only required when the processing is conducted on behalf of third parties. Although the third party receiving the background check is not required to obtain prior authorisation, the regulator held that it would be prudent to ensure that the party conducting the checks is in possession of the necessary approvals.
  2. The regulator stated that when an application relates to the processing of personal information for purposes of credit reporting, only the party who generates a credit report is required to obtain prior authorisation, and further that where a code of conduct has been approved by the regulator, such approval is not required.  Credit providers or resellers of credit reports are not required to obtain prior authorisation unless they themselves generate credit reports.  
  3. In regard to the transfer of special personal information or the personal information of children to countries without adequate levels of protection, the regulator indicated its intention of at some point releasing a list of countries it deems to have adequate data protection laws; however, until then, the responsible party will be making this determination themselves. It is worth noting that POPIA is currently the only data protection law that provides protection for juristic personal information; therefore, technically, no other country's laws provide adequate protection as it pertains to juristic personal information. The regulator stated, albeit in passing and only verbally, that the fact that a country's data protection laws do not protect juristic personal information would not alone make that country's laws inadequate.

A duty arises to notify the regulator when processing information identified in section 57. The regulator held that the prior approval application satisfies such requirement.

Further clarification on prior authorisation, in the form of updated guidance notes, will be published in due course. In the meantime, responsible parties are advised to fill out the prior authorisation forms with sufficient detail to avoid having to supplement their application.

Should you require any assistance or further guidance on this issue, please feel free to contact us.

Please note that our blog posts are informal commentaries on developments in the law as at the time of publication and not legal advice. You should place no reliance on our blog posts; we look forward to discussing your particular matter with you.