Prior Authorisation in terms of South Africa’s POPIA
The Information Regulator recently hosted a webinar to clarify the requirements regarding prior authorisation for certain processing activities under the Protection of Personal Information Act, 2013 (POPIA).
This has important implications for organisations that transfer special personal information (i.e. religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour) or personal information of children to third parties in foreign countries that do not have adequate data protection laws similar to POPIA. This is because with effect from 1 February 2022 prior authorisation from the Information Regulator will be required for such transfers and the organisation will need to suspend those transfers until such time as prior authorisation is obtained.
All organisations therefore need to prioritise determining whether they transfer any special personal information or personal information of children outside South Africa. If so, an assessment must be conducted to determine whether the information is being transferred to countries that have adequate data protection laws with provisions similar to those contained in POPIA. If the countries to which the information is transferred do not have adequate data protection laws then the organisation must either cease transferring the information or apply for prior authorisation by 1 February 2022. The Information Regulator has encouraged responsible parties to already submit the applications for prior authorisation now so that there is sufficient time to consider the applications before 1 February 2022.
When is prior authorisation required?
POPIA provides that a responsible party must obtain prior authorisation from the Information Regulator prior to any processing if that responsible party plans to:
- process any unique identifiers of data subjects (i.e. identity number, passport number, employee number, account number, policy number, student number, membership number, social media account handles, account log-in ID):
  - for a purpose other than the one for which the identifier was specifically intended at collection; and
  - with the aim of linking the information together with information processed by other responsible parties
In order for the prior authorisation requirements to be triggered, the unique identifier would need to be used for another purpose and it would need to be linked with personal information processed by other responsible parties. An example is a financial services provider that collects an ID number in order to provide credit but then links it with information held by a credit bureau for the purpose of conducting credit checks and affordability assessments.
- process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties
The prior authorisation requirements would be triggered when an employer engages a third party to conduct criminal background checks on job applicants. The employer itself does not require prior authorisation, but it must verify that the third party is duly authorised by the Information Regulator to conduct such checks.
- process information for the purposes of credit reporting
This applies to a credit bureau that processes personal information to create credit reports. It does not apply to credit providers or reseller credit bureaux as they do not create credit reports.
- transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
This may apply when a multi-national company operates in many jurisdictions and transfers special personal information or personal information of children to multiple countries or the information is on a platform or cloud that can be accessed from multiple countries.
If the recipient country does not have adequate data protection laws, the responsible party cannot rely on the consent of the data subject or on a data transfer agreement to transfer the special personal information or personal information of children in the absence of prior authorisation. It will accordingly still need to obtain the prior authorisation of the Information Regulator in addition to having an appropriate transfer mechanism in place as contemplated in section 72 of POPIA.
The Information Regulator has not done any assessment as to which countries are regarded as adequate and therefore the responsible party has to do the assessment itself. Our view is that the United States of America would not be regarded as having adequate data protection laws; and that countries that fall within the ambit of the GDPR would probably be adequate insofar as the personal information of natural persons is concerned but would not be adequate in respect of the personal information of juristic persons.
Timelines for Processing Applications for Prior Authorisation
The Information Regulator may approve or reject an application for prior authorisation within four weeks of receipt of a responsible party’s application, unless the Information Regulator decides to conduct an investigation. In the event of an investigation, the Information Regulator will inform the responsible party in writing of the reasonable period within which it plans to conduct the investigation, which period will not exceed 13 weeks. The Information Regulator will therefore have a total of about three months in which to complete an investigation. These timelines will only start to run from 1 February 2022, but the Information Regulator is nevertheless considering applications that are submitted prior to 1 February 2022.
Criteria for Processing Applications for Prior Authorisation
Applications for prior authorisation will be processed in terms of the following three stages of assessment:
- Stage One – an assessment is conducted as to whether the processing falls under any of the exclusions in sections 6 and 7 of POPIA, in which case prior authorisation is not required.
- Stage Two – a determination is then made as to whether the processing falls into one of the categories that requires prior authorisation under POPIA.
- Stage Three – the Information Regulator conducts an assessment to determine whether the processing complies with all eight conditions for lawful processing under POPIA. The party applying for prior authorisation therefore needs to set out in its application what it has done to ensure that it complies with all eight conditions for lawful processing. We understand that the current prior authorisation form will be updated to refer to this important requirement, as it will not be enough to simply refer to the security measures in place to safeguard the personal information.
If a responsible party processes personal information without prior authorisation in circumstances where prior authorisation is required, a penalty may be imposed for a first offence. The penalty may be up to 12 months’ imprisonment and/or a fine of up to ZAR10 million. For certain other offences the imprisonment may be up to 10 years.
Please feel free to reach out to us should you have any queries in relation to the above.