The Regulator recent guidance note issued on 11 March 2021 requires all businesses which process certain personal information to submit their applications for prior authorisation on or before 30 June 2021. In this article, we will look at the requirements as stipulated by the Regulator in submitting the applications.
Section 57 of the Protection of Personal Information Act (POPIA) states that the business must obtain prior authorisation from the Regulator if the business “plans to—
- process any unique identifiers of data subjects—
- for a purpose other than the one for which the identifier was specifically intended at the collection; and
- with the aim of linking the information together with information processed by other responsible parties;
- process information on criminal behaviour or unlawful or objectionable conduct on behalf of third parties;
- process information for the purposes of credit reporting; or
- transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.”
One of the questions on the application is whether “the staff member involved in the intended processing of personal information has received Personal Information Protection training in the last two years?” Therefore, businesses are urged to have staff trained on the POPIA as this obviously forms part of the criteria when the regulator decides whether to approve or reject a business’ application.
Another question under the application is “Security measures to be implemented to ensure the confidentiality, integrity and availability of the information which is to be processed.” This would imply that apart from ensuring that the provisions of POPIA are being complied with, it is also crucial for businesses to ensure that they have also implemented adequate policies and procedures with regards to the safeguarding of personal information and appropriate safeguards to minimise any potential security threats.
The aforementioned are just some questions which businesses need to answer when completing their application. Businesses must process any information as stipulated under section 57 of POPIA to ensure that their application forms are submitted on or before 30 June 2021. Failure to do so may result in penalties being imposed on the respective businesses, which include a fine or imprisonment not exceeding 12 months or both. In addition, the regulator may impose an administrative fine not exceeding R10 million as a result of a business’ failure to submit their prior authorisation application.
Should you require any assistance with your business’ prior authorisation application process, be interested in a General POPIA overview training and/or assistance with policies and procedures in terms of POPIA, you can contact your nearest SEESA office for assistance, alternatively, you can leave your contact details on our website.
About The Author:
Remolla Naidoo is a Legal Advisor for SEESA Consumer Protection & POPI at our Durban office. She obtained her B.Soc.Sci (Law), LLB and LLM (Business Law) degrees from the University of the KwaZulu-Natal.
References:
- Section 57 of the Protection of Personal Information Act