When is prior authorisation needed?
The Protection of Personal Information Act 4 of 2013 (“POPIA”) requires that a responsible party obtain prior authorisation for certain processing of personal information where that processing is likely to cause a higher risk to the data subject.
Unless exempt, a responsible party must apply for prior authorisation in the following instances:
Unique identifiers include, for example, any account number, policy number, identity number, employee number, student number or unique reference number.
For example, where the responsible party is a company that carries out background check services on behalf of their clients.
For example, credit bureaus and other persons processing information for credit reporting purposes.
Unless a code of conduct has been published by the Information Regulator in respect of specific processing that is subject to prior authorisation, a responsible party will need to apply for prior authorisation to continue processing personal information that falls within the above categories of information / processing. To date, the Credit Bureau Association has applied for a code of conduct for the processing by credit bureaus of personal information for credit reporting purposes.
For most clients, the categories of processing that may be particularly applicable are the processing of unique identifiers, processing for credit reporting purposes and the cross-border transfer of special and children’s personal information (for example, where medical information is processed for insurance purposes and transferred to countries without adequate data protection laws, most notably the USA).
Where a responsible party is required to apply for prior authorisation in terms of section 58(1), the Act requires that the responsible party suspend its processing of the personal information subject to the prior authorisation application once the application has been submitted and until the Information Regulator has approved the application or found that prior authorisation is not necessary. Section 58(1) will, however, only become effective from 1 February 2022, so responsible parties will not need to suspend their processing for applications submitted before 1 February 2022. If the Regulator has not finalised its consideration of the application by then, the position in law is that the responsible party will be required to suspend processing from 1 February 2022.
Written by Jessica Paterson
This article was originally published by Dommisse Attorney’s Inc