On 1 February 2022, section 58 (2) of the Protection of Personal Information Act, 4 of 2013 (POPIA) came into full operation. This section relates to application for prior authorisation.
What is prior authorisation and when should a Responsible Party apply for one?
In instances where a Responsible Party is involved in processing certain types of information, they may need to obtain prior authorization from the Information Regulator. POPIA provides a list of 4 types of processing which requires prior authorization. First, when a Responsible Party processes unique identifiers for a purpose different from the purpose at the time of collection of the identifiers and the identifiers are going to be used together with other information processed by other responsible parties. A good example would be using a person’s bank account number or policy number for a different purpose. Secondly, when processing information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties. The Information Regulator published a Guidance Note on Prior Authorisation. This Guidance Note defines criminal behavior as criminal record enquiry. It also defines unlawful or objectionable conduct to include any reference check pertaining to past conduct or disciplinary action taken against the data subject. Companies which offer criminal background checks or criminal record enquiries may need to obtain prior authorization from the Information Regulator.
Thirdly, when processing information for purposes of credit reporting. For example, a credit bureau may need to obtain prior authorizations. Fourthly, if a responsible party wants to transfer special personal information or personal information of children to a third party in a foreign country, they need to obtain prior authorization unless if the third party can provide adequate level of protection for the processing of personal information.
What are the consequences for failure to obtain prior authorisation?
If a Responsible Party is processing any personal information which requires prior authorisation, they should notify the Information Regulator and suspend operations until they have received feedback from the Regulator. If the Responsible Party continues to carry out its activities after notifying the Regulator, they will be committing an offence and can face sanctions such as fine, imprisonment of up to 12 months or both fine and imprisonment. There are instances where the Information Regulator may conduct an investigation following the prior authorisation application by the Responsible Party. In such situations, the Information Regulator may issue a statement or Enforcement Notice which sets out what the Responsible Party needs to do. If the Responsible Party fails to comply with this statement, they will be committing a serious offence. The penalties for this offence are jail term up to 10 years, fine or both fine and imprisonment.
Conclusion
Obtaining prior authorisation for certain processing of personal information is very important. Responsible Parties should check whether they are required by law to apply for prior authorisation. One of the concerns raised by the chairperson of the Information Regulator was that a lot of Responsible Parties were submitting prior authorisation applications despite not conducting any of the listed activities. Such unnecessary applications has the negative impact on the Information Regulator’s functions in that they waste time and resources going through the submitted applications.
Contact us for more good, clear, precise advice.