POPIA: The long wait is over

Authors: Monique Jefferson and Justine Katz

The Protection of Personal Information Act, 2013 (POPIA) came into effect on 1 July 2020 but was subject to a 12-month grace period, which ended yesterday (30 June 2021). Therefore, from today (1 July 2021) POPIA is fully in effect, save for certain provisions. In this regard, we point out that the provisions in POPIA regarding prior authorization have been extended until 1 February 2022. This means that if a responsible party is engaged in processing activities that require prior authorization from the Information Regulator then the responsible party must ensure that it has approached the Information Regulator for prior authorization by 1 February 2022. It is therefore important that organisations use this opportunity to properly assess their processing activities to determine whether they are engaged in any processing activities that require prior authorization as it will be an offence under POPIA from 1 February 2022 to process such personal information in the absence of having approached the Information Regulator for prior authorization. In terms of POPIA, the responsible party must obtain prior authorisation from the Regulator prior to any processing if that responsible party plans to:

  • process any unique identifiers of data subjects-
    • for a purpose other than the one for which the identifier was specifically intended at collection; and
    • with the aim of linking the information together with information processed by other responsible parties;
  • process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
  • process information for the purposes of credit reporting; or
  • transfer special personal information, or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

There have been some recent developments from the Information Regulator which are as follows:

  • The Information Regulator has stated that the deadline of 30 June 2021 does not apply in respect of registering information officers as the Information Regulator’s online portal has been experiencing technical difficulties;
  • A Guidance Note on Information Officers and Deputy Information Officers sets out the responsibilities of information officers and who should be appointed as an information officer and deputy information officers;
  • A Guidance Note on Applications for Prior Authorisation sets out the prescribed form that needs to be completed when making an application for prior authorization;
  • A Guidance Note on Processing of Special Personal Information sets out the process and form that needs to be completed should a responsible party wish to approach the Information Regulator for authorization to process special personal information when there is no justification for processing such personal information under POPIA to rely on. The Information Regulator would need to be satisfied that the processing is in public interest and appropriate security measures are in place;
  • A Guidance Note on Processing of Personal Information of Children sets out the process and form that needs to be completed should a responsible party wish to approach the Information Regulator for authorization to process personal information of children when there is no justification for processing such personal information under POPIA to rely on. The Information Regulator would need to be satisfied that the processing is in public interest and appropriate security measures are in place;
  • A Guidance Note on Exemptions from the Conditions for Lawful Processing sets out the process to be followed and the form to be submitted should a responsible party seek an exemption from one or more of the conditions for lawful processing under POPIA;
  • The Banking Association of South Africa has approached the Information Regulator with a Code of Conduct which was open for public comment until 30 June 2021. The Credit Bureau Association has also approached the Information Regulator with a Code of Conduct. There have been Guidelines to develop a Code of Conduct issued.

Compliance with POPIA is a journey and companies will need to constantly review their processing activities to determine whether any updates need to be made to their policies, PAIA Manual and notifications to data subjects. Furthermore, security measures need to be periodically reviewed to determine whether they are adequate and need to be improved in the event that any risks to personal information are identified or in the event of a data breach. Companies must also continue to ensure that agreements with appropriate data protection undertakings are concluded whenever engaging an operator.

On 29 June 2021 a notice was issued in terms of which private companies are exempt from having a PAIA Manual until 31 December 2021 unless that private company has more than 50 employees or has an annual turnover in excess of the prescribed threshold for the particular sector in which it operates.

For access to the Guidance Notes referred to above please refer to the Information Regulator’s website here.