SOUTH AFRICA: 100 DAYS LEFT TO BECOME POPIA COMPLIANT: INFORMATION OFFICERS AND GUIDELINES ON APPLICATIONS FOR PRIOR AUTHORISATION
Today (24 March 2021) marks 100 days until 1 July 2021, by which time all organisations need to ensure compliance with the provisions of the Protection of Personal Information Act (POPIA). The Information Regulator has recently confirmed that the 12-month grace period afforded to organisations to comply with POPIA will not be extended.
The Information Regulator is accordingly in the process of making final preparations to ensure enforcement of the provisions of POPIA from 1 July 2021. As part of these preparations, the Information Regulator has issued a communication relating to the registration of Information Officers and published a Guidance Note on Applications for Prior Authorisation.
Registration of Information Officers
POPIA requires every responsible party to appoint an information officer (and potentially deputy information officers) and to register the individual/s with the Information Regulator.
To facilitate this process, the Information Regulator published draft Guidelines on the Registration of Information Officers for public comment during the course of last year (Guidelines). When published, the draft Guidelines required information officers to be registered with the Information Regulator by 31 March 2021. The Guidelines also contained a template form to be used in order to register the information officer with the Information Regulator.
The draft Guidelines have not, however, been finalised and the Information Regulator issued a communication last week stating that the registration of information officers ‘commences on 1 May 2021’ and that the Guidelines ‘will be published once all public comments are taken into consideration’.
It appears that the Information Regulator has aligned the registration of information officers with the commencement of the duties of information officers contained in Regulation 4 of the POPIA Regulations, which Regulation will come into effect on 1 May 2021.
We accordingly anticipate that the Information Regulator will publish the Guidelines shortly, which should assist organisations with taking steps to register their information officers (and potentially deputy information officers) with the Information Regulator.
In terms of sections 57 and 58 of POPIA, responsible parties are required to apply for prior authorisation from the Information Regulator if they plan to:
- process unique identifiers of data subjects for a purpose other than the one for which the unique identifier was specifically intended at collection and with the aim of linking the information together with information processed by other responsible parties. Examples of unique identifiers include account numbers, identity numbers, employee numbers or phone numbers;
- process personal information relating to criminal behaviour or on unlawful or objectionable conduct of a data subject on behalf of third parties. This would be applicable to any person contracted to conduct a criminal record check or reference check pertaining to the past conduct or disciplinary action taken against the data subject;
- process personal information for purposes of credit reporting. This includes the processing activities of credit bureaus registered with the National Credit Regulator;
- transfer special personal information or personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information. The responsible party is required to assess whether the third party is subject to a law, binding corporate rules or a binding agreement which provides an adequate level of protection; or
- process any types of information by law or regulation which the Information Regulator may, from time to time, consider carries a particular risk for the legitimate interests of the data subject.
The Guidance Note on Applications for Prior Authorisation (Guidance Note) has been issued by the Information Regulator to guide organisations that are currently processing, or intend to process, personal information which is subject to prior authorisation.
In addition to providing clarification on the processing activities subject to prior authorisation, in particular what could be considered as a unique identifier for purposes of POPIA, the Guidance Note contains a template application form to be used by responsible parties to obtain prior authorisation. The form is required to be completed in sufficient detail to allow the Information Regulator to obtain a comprehensive understanding of the responsible party’s processing activities.
Importantly, a responsible party may not carry out the information processing activities which are subject to prior authorisation until the Information Regulator has confirmed that the processing is lawful (with the exception of processing that takes place prior to 1 July 2021).
In this regard, the Information Regulator is required to indicate in writing within four weeks of receipt of an application whether it approves the application, rejects the application, or intends to conduct a detailed investigation.
In the event that the Information Regulator decides to conduct a more detailed investigation, it is required to notify the responsible party in writing of the period within which it plans to conduct the investigation, which period may not exceed 13 weeks.
The decision of the Information Regulator is final and any responsible party aggrieved by such a decision may review it in the High Court having jurisdiction. In addition, should the Information Regulator find that the processing is unlawful, the Information Regulator’s statement in this regard is deemed to be an enforcement notice under POPIA.
A responsible party that fails to notify the Information Regulator of any processing that is subject to prior authorisation or carries out the processing before obtaining approval will be guilty of an offence and may be liable to a fine not exceeding ZAR 10 million or to imprisonment for a period not exceeding 12 months, or to both a fine and imprisonment.
Accordingly, organisations that are currently processing personal information, or intend to process personal information, which is subject to prior authorisation are encouraged to act swiftly in submitting an application to the Information Regulator.
Submitting the application as soon as possible will allow the Information Regulator sufficient time to process the application before 30 June 2021. Applications must be submitted to the Information Regulator at priorauthorisationIR@justice.gov.za.
With 100 days left for organisations to ensure compliance with POPIA, it is crucial for organisations to ensure that their data privacy affairs are in order as soon as possible. Employers may find the Bowmans POPIA Toolkit for Employers of great assistance in getting POPIA-ready.