Sections 57 and 58 of the Protection of Personal Information Act, 2013 (“POPIA”)
When POPIA came into effect, there was some confusion as to when prior authorisation applies to the processing of personal information. To err on the side of caution, responsible parties may have been tempted to apply regardless of whether section 57(1)(a)-(d) applied to their processing, so as not to end up on the wrong side of the law.
This led to the Information Regulator receiving a large number of applications for prior authorisation, some of which may have been unnecessary.
Accordingly, the Information Regulator held a webinar to assist responsible parties in interpreting provisions pertaining to prior authorisation.
It was expressed in the webinar that most parties who applied were not processing personal information which is subject to the prior authorisation requirement.
Four Categories in terms of which prior authorisation is required
The Information Regulator addressed the four categories set out in subsection 57(1)(a)-(d) and provided a useful breakdown of key concepts and practical examples. Additionally, as per subsection 57(2) of POPIA “the provisions of subsection (1) may be applied by the Regulator to other types of information processing by law or regulation if such processing carries a particular risk for the legitimate interests of the data subject.”
Section 57(1) provides:
“Processing subject to prior authorisation
57(1) The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to –
- (a) process any unique identifiers of data subjects –
  - (i) for a purpose other than the one for which the identifier was specifically intended at collection; and
  - (ii) with the aim of linking the information together with information processed by other responsible parties;
- (b) process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
- (c) process information for the purposes of credit reporting; or
- (d) transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.”
The responsible party must obtain prior authorisation only once, unless the processing departs from that approved by the Information Regulator. Further, prior authorisation is not necessary if a code of conduct has come into force in respect of the industry concerned, as the code of conduct then regulates the processing. This has been the case, for example, in respect of the code of conduct in force for the credit industry.
It is important to note that the eight conditions for lawful processing within POPIA must also be applied to the processing of personal information which is subject to prior authorisation. The Information Regulator will likely request further information to this end in any application for prior authorisation.
In addressing the four categories the following useful information was provided by the Information Regulator:
Examples of unique identifiers included bank account numbers or any other account number, policy numbers, identity numbers, employee numbers, student numbers, and telephone and cell numbers. These unique identifiers are often utilised to call up or access the profile of a data subject, which may contain additional personal information.
Most responsible parties will process personal information of this nature; however, section 57(1)(a) applies only where the personal information is processed for a purpose other than that for which it was collected and is linked to personal information held by another responsible party.
An example furnished in the webinar was where a credit provider has collected personal information for purposes of granting a data subject credit and then links this information with personal information held by a credit bureau for purposes of checking affordability or credit worthiness. Such processing is then subject to prior authorisation.
Examples furnished in respect of the second category, section 57(1)(b), were where a company attends to a background check on a prospective employee, or to determining the fit and proper status of a person who is to serve as a director. The entity which attends to the check is responsible for applying for prior authorisation, and the employer in this example should ascertain that it has done so.
The example provided in respect of the processing of personal information for credit reporting was that of credit bureaus, which process personal information for purposes of creating a credit report from that information. Section 57(1)(c) applies to the generation of a credit report and not to its use in itself. For example, a credit provider does not need to apply for prior authorisation under this section, as it is relying on the report, not creating it.
In addition to complying with section 72 of POPIA, which addresses cross-border transfers of personal information, a company which transfers the category of personal information set out in section 57(1)(d) across borders to a country which does not have an adequate level of protection of personal information must apply for prior authorisation.
At the time of the webinar the Information Regulator had not conducted its own assessment as to the adequacy or not of other countries and their level of protection of personal information and each responsible party would be required to conduct this assessment pending such direction from the Information Regulator.
Suspension of Processing
As from 1 February 2022, once the responsible party has notified the Information Regulator, it will have to suspend processing in terms of subsection 58(2) until the Regulator has completed its investigation or has notified the responsible party that it will not conduct a detailed investigation.
Manner of submission
The prior authorisation application and/or notification for processing or intention to process personal information as referred to in subsections 57(1) and 58(1) can be submitted to POPIACompliance@inforegulator.org.za
There is also a postal and physical address provided by the Information Regulator for this purpose; however, email transmission is preferred.
Timelines for Consideration of the Application
The Information Regulator may firstly approve or decline the application within four weeks of the notification by the responsible party in terms of section 58(1) unless a detailed investigation is to take place within a period not exceeding thirteen weeks.
Subsections 58(3)-(5) & (7) provide:
“(3) In the case of the notification of information processing to which section 57(1) is applicable, the Regulator must inform the responsible party in writing, within four weeks of the notification as to whether or not it will conduct a more detailed investigation.
(4) In the event that the Regulator decides to conduct a more detailed investigation, it must indicate the period within which it plans to conduct this investigation, which period must not exceed 13 weeks.
(5) On conclusion of the more detailed investigation referred to in subsection (4) the Regulator must issue a statement concerning the lawfulness of the information processing.”
“(7) A responsible party that has suspended its processing as required by subsection (2), and which has not received the Regulator’s decision within the time limits specified in subsection (5) and (4), may presume a decision in its favour and continue with its processing.”
Assessment of the Application by the Information Regulator:
Stage One – the Information Regulator will firstly determine whether or not one of the exemptions in section 6 or 7 of POPIA applies. If not, then the Information Regulator moves on to stage two.
Stage Two – the Information Regulator will determine whether or not the processing falls under one of the categories provided in section 57(1)(a)-(d). If it does the Information Regulator then moves on to stage three.
Stage Three – the Information Regulator will then consider whether there is compliance with the eight conditions for lawful processing of personal information as set out in POPIA. Failure to comply with one or more of the conditions could form the basis for the authorisation being declined.
Penalties & Offences
Section 59 of POPIA provides “If section 58(1) or (2) is contravened, the responsible party is guilty of an offence and liable to a penalty as set out in section 107.”
Section 58 of POPIA provides:
“Responsible party to notify Regulator if processing is subject to prior authorisation
58(1) Information processing as contemplated in section 57(1) must be notified as such by the responsible party to the Regulator.
(2) Responsible parties may not carry out information processing that has been notified to the Regulator in terms of subsection (1) until the Regulator has completed its investigation or until they have received notice that a more detailed investigation will not be conducted.”
The penalty for transgressing section 58(1) and 58(2) in terms of POPIA is a fine or imprisonment for a period not exceeding 12 months or both.
Section 58(6) of POPIA provides “A statement by the Regulator in terms of subsection (5), to the extent that the information processing is not lawful, is deemed to be an enforcement notice served in terms of section 95 of this Act.”
Accordingly, the Information Regulator may issue an enforcement notice in terms of POPIA if, after its investigation, it finds that the processing of personal information does not comply with one or more of the eight conditions for lawful processing of personal information. Failure to comply with the enforcement notice can in turn lead to fines and/or imprisonment.
In conclusion, the following useful insights were provided by the Information Regulator in respect of the submission of the notice in terms of section 58(1):
- Complete the prescribed form as comprehensively as possible and refer to the types of personal information and the reasons it is necessary to process same.
- Set out whether the processing is for a specific, explicitly defined and lawful purpose related to the functions and activities of the responsible party. Additionally, set out what that function and activity is.
- Identify which subsection of section 57(1) applies, i.e. which one or more of the four categories applies to the processing of personal information.
- Submit supporting information to establish compliance with the seven conditions of POPIA. The form already addresses the condition pertaining to security of personal information; however, additional information could be submitted by the responsible party and/or requested by the Information Regulator.
Should you require assistance in these and other matters addressing the Protection of Personal Information Act, 2013, Boogaard Attorneys can service Clients in various areas of Johannesburg, including Bryanston, Dainfern, Fourways, Midrand and Sandton, to name a few, and we can also facilitate online meetings for all Clients, including those elsewhere in South Africa.
By L Boogaard
9 March 2022
https://inforegulator.org.za/videos/ – Information Regulator SA – Webinar on Prior Authorisation 27 October 2021