HOW TO APPLY FOR PRIOR AUTHORISATION IN TERMS OF THE POPI ACT
The Regulator has extended the applications for Prior Authorisation in terms section 57 (1) subject to section 58 (2) to 01 February 2022.
Section 57 of the Protection of Personal Information Act 4 of 2013 requires responsible parties to seek prior authorisation from the Information Regulator, where the responsible party intends to process:
- any unique identifiers of a data subject,
- information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties,
- information for purposes of credit reporting,or
- the transfer of special personal information or personal information of children to foreign countries that do not provide an adequate level of protection for processing of personal information.
The provisions of s57 can be applied by the Regulator to other types of processing of information by law or regulation if that processing carries a particular risk for the legitimate interests of the data subject. A responsible party need only obtain this authorisation once, and not each time that personal information is received or processed, except if processing departs from the initial authorised purpose.
Once the Information Regulator has been notified, responsible parties may not process the personal information until an investigation has been conducted or until they receive a notification that a detailed investigation will not be conducted. This notification must be given by the Information regulator within 4 weeks. If the information regulator decides to conduct a more detailed investigation, such investigation must not exceed 13 weeks. On conclusion of the investigation the Information Regulator will give a notice as to the lawfulness of the processing.
If a Responsible party contravenes the above provisions they can suffer imprisonment of up to 12 months, a fine or both a fine and imprisonment.
Click the links below to view:
Guidance Note on Applications for Prior Authorisation
Application Form for Prior Authorisation