From 1 February next year, organisations that process certain types of information will have to obtain prior authorisation from the Information Regulator (IR). This will affect, among others, organisations that conduct credit or criminal background checks, or transfer special personal information to third parties in foreign countries.
Section 57 of the Protection of Personal Information Act (POPIA) sets out the instances in which a responsible party must obtain authorisation from the IR before processing information:
Where the responsible party plans to process a data subject’s unique identifiers (identity number, passport number, employee number, account number, policy number, student number, membership number, social media account handles, account log-in ID) for a purpose other than the one for which the identifier was specifically intended at collection and with the aim of linking the information with information processed by other responsible parties.
An example is where an FSP collects an identity number to provide credit and links it with information from a credit bureau for the purpose of conducting a credit check and an affordability assessment, say Monique Jefferson, a director, and Justine Katz, an associate, at law firm DLA Piper.
Where the responsible party plans to process information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties.
An example is when an employer engages a third party to conduct checks on whether job applicants have a history of criminal behaviour. The employer does not require prior authorisation, but it must verify that the third party is authorised by the IR to conduct such checks, say Jefferson and Katz.
Where the responsible party plans to process information for the purposes of credit reporting. This applies to a credit bureau that processes personal information to create credit reports. It does not apply to credit providers or reseller credit bureaux, because they do not create credit reports, say Jefferson and Katz.
Transfers to foreign countries
Where the responsible party plans to transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
In terms of section 26 of POPIA, special personal information is a data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour.
An organisation that transfers special personal information or the personal information of children to third parties in foreign countries needs to assess whether these countries have adequate data protection laws with provisions similar to POPIA. If the countries do not, then, from 1 February next year, the organisation will have to obtain prior authorisation from the IR, and the organisation will have to suspend such transfers until prior authorisation is obtained, say Jefferson and Katz.
An example is where a multi-national company transfers special personal information or the personal information of children to multiple countries, or the information is on a platform or cloud that can be accessed from multiple countries.
If the recipient country does not have adequate data protection laws, the responsible party cannot rely on the consent of the data subject or a data transfer agreement to transfer such information without prior authorisation. It will have to obtain the prior authorisation of the IR in addition to having an appropriate transfer mechanism in place, as contemplated in section 72 of POPIA, say Jefferson and Katz.
The IR has not assessed which countries are regarded as adequate, and therefore the responsible party must conduct the assessment itself.
In Jefferson and Katz's view, the United States would not be regarded as having adequate data protection laws. Countries that fall within the ambit of the GDPR (General Data Protection Regulation) would probably be regarded as adequate insofar as the personal information of natural persons is concerned, but not in respect of the personal information of juristic persons.
Timelines for processing applications for prior authorisation
The IR may approve or reject an application for prior authorisation within four weeks of receiving it, unless the IR decides to conduct an investigation, Jefferson and Katz say.
If the IR does conduct an investigation, it will inform the responsible party in writing of the reasonable period within which it plans to conduct an investigation, which will not exceed 13 weeks. The IR will therefore have a total of about three months in which to complete an investigation.
These timelines will start to run from 1 February 2022, but the IR is considering applications that are submitted before then.
A responsible party must obtain prior authorisation only once and not each time that personal information is received or processed, except where the processing departs from what was authorised.
Criteria for processing applications
Jefferson and Katz say applications for prior authorisation will be processed in terms of the following three stages of assessment:
- An assessment is conducted as to whether the processing falls under any of the exclusions in sections 6 and 7 of POPIA, in which case prior authorisation is not required.
- A determination is made as to whether the processing falls into one of the categories that requires prior authorisation under POPIA.
- The IR conducts an assessment to determine whether the processing complies with all eight conditions for lawful processing under POPIA. The party applying for prior authorisation therefore needs to set out in the application what it has done to ensure that it complies with all eight conditions for lawful processing.
“We understand that the current prior authorisation form will be updated to refer to this important requirement, as it will not be enough to simply refer to the security measures in place to safeguard the personal information,” say Jefferson and Katz.
A penalty may be imposed for a first offence if a responsible party processes personal information without prior authorisation in circumstances where prior authorisation is required. The penalty may be up to 12 months’ imprisonment and/or a fine up to R10 million. For certain other offences, the imprisonment may be up to 10 years.