Jul 13, 2020

The POPI Act: Unique Identifiers and Prior Authorisation

On the 1st of July 2020, some further sections of the POPI Act (Protection of Personal Information Act No. 4 of 2013) came into operation. The practical implication for businesses is that they should be compliant with these further sections by 30 June 2021.

These include sections 57, 58, and 59 of the Act, which relate to Prior Authorisation. Section 57(1) of the Act, which relates to processing subject to prior authorisation, states the following:

“The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to –

  • Process any unique identifiers of data subjects –
  • For a purpose other than one for which the identifier was specifically intended at the collection; and
  • With the aim of linking the information together with information processed by other responsible parties;”

For a business (a responsible party) to get a handle on prior authorisation, it first needs to know what a unique identifier is. The POPI Act defines it as any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

How would a business distinguish unique identifiers? A person’s name and surname might not be enough to uniquely identify that person, but when you combine that person’s telephone number or home address with their name and surname they may become uniquely identifiable.

Further examples of what a unique identifier could be:

  • Identity number;
  • Location data;
  • An online identifier;
  • Personal tax number; etc

The list is non-exhaustive, and in a post-COVID world where more of everyday life is moving online, the list of “online identifiers” is far longer than we can cover here. It is therefore imperative that businesses are aware of what a “unique identifier” is, what that information is being used for and when its use falls under the ambit of Section 57(1) of the Act.

Section 57(1) of the Act further states that a business must also obtain the prior authorisation of the Information Regulator if it:

  • Processes information on criminal behavior or on unlawful or objectionable conduct on behalf of third parties;
  • Processes information for the purposes of credit reporting; or
  • Transfers special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

Section 58 of the POPI Act then proceeds to set out the terms on which a business would notify the Regulator if processing was subject to prior authorisation, including investigation proceedings and timeframes. In terms of Section 57(4), a business must obtain prior authorisation from the Regulator only once and not each time that personal information is received or processed, except where the processing departs from that which has been authorised.

The business should further be aware that non-compliance with these sections of the Act could lead to a conviction for an offence in terms of the Act, where the business or its representative could be liable for a fine or imprisonment for a period not exceeding 12 months or both. It is therefore important for the business to ensure it is aware of whether it processes information that falls within the ambit of Section 57 of the Act.

About the Author

Marike Brand obtained her LLB from the University of Stellenbosch and is an admitted attorney with 3 years of post-articles commercial litigation experience. She thereafter joined SEESA Cape Town as a Legal Advisor in the Consumer Protection & POPI Department and obtained a Diploma in Corporate Governance from the University of Johannesburg and a Certificate in Compliance Management from the University of Cape Town.
