The Information Regulator recently released information on POPIA - This is what you need to know
Compliance with the Protection of Personal Information Act (POPI Act / POPIA) will be required from 1 July 2021.
The road to implementation has been a long one, as the POPI Act was signed in 2013, and the compliance date is finally here, writes Juanita Steenekamp, Project Director: Governance and Legislation.
The President proclaimed the commencement of certain sections in 2020. In terms of the Proclamation, sections 2 to 38; 55 to 109; 111 and 114(1), (2) and (3) of POPIA came into effect on 1 July 2020. POPIA granted public and private bodies 1 year to comply with the Act, which therefore requires compliance from 1 July 2021.
The Information Regulator (Regulator) announced on 18 June 2021 that it is granting an extension on the application of the processing restriction set out in Section 58(2), from 1 July 2021 to 1 February 2022. It is important to note that this is not an extension of compliance with POPIA as a whole; it refers only to the implementation of Section 58(2).
Section 58 deals with the requirement that a responsible party notify the Regulator if its processing is subject to prior authorisation.
Section 58(2) states the following:
“(2) Responsible parties may not carry out information processing that has been notified to the Regulator in terms of subsection (1) until the Regulator has completed its investigation or until they have received notice that a more detailed investigation will not be conducted.”
Responsible parties must notify the Regulator that they are processing information as contemplated in section 57(1). The Regulator is then required to investigate the notification and inform the responsible party whether or not it will conduct a further investigation. The Act sets out specific time frames within which the Regulator must communicate with the responsible party. The Information Regulator published a Guidance Note on applications for Prior Authorisation, dated 11 March 2021, as well as an Application form for Prior Authorisation.
Section 57 requires that the responsible party must obtain prior authorisation from the Regulator if the responsible party plans to process any of the following:
- Any unique identifiers of data subjects that are processed for a purpose other than the one for which the identifier was specifically intended at collection, with the aim of linking the information together with information processed by other responsible parties. A unique identifier is defined as: “Any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.” The Guidance Note gives as examples of a unique identifier a bank account number, student number, policy number, employee number, etc.
- Information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties. The Guidance Note indicates that this may refer to any person contracted to conduct a criminal record enquiry, or a reference check pertaining to past conduct.
- Information for the purposes of credit reporting. The Guidance Note sets out that any credit bureau registered with the National Credit Regulator, or any person processing personal information for credit reporting purposes, may apply for prior authorisation.
- Transfer of special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.
The extension means that responsible parties that are currently processing personal information subject to prior authorisation will continue to do so for the next 7 months while submitting their applications, which gives the Regulator additional time to process those applications. These responsible parties must therefore continue to submit their applications to the Regulator.
The Regulator confirmed on 22 June 2021 that there is no deadline for the registration of Information Officers (IOs) and Deputy Information Officers (DIOs). Registration of IOs and DIOs was being done via a registration portal. The portal has had numerous technical problems, and the Regulator has decided to inform responsible parties that IOs and DIOs do not need to be registered by 1 July 2021. The Regulator is in the process of fixing the portal and making changes to accommodate, in particular, the situation where one person is the IO for multiple entities. At present the portal only allows an identity number to be used once, which is a problem for some responsible parties.
The Regulator published a Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information in terms of sections 37 and 38 of POPIA as well as the application form should responsible parties want to apply.
A responsible party may lawfully process personal information in terms of the eight conditions for lawful processing. Processing that does not meet a condition is nevertheless not in breach of that condition if the Regulator has granted an exemption in terms of section 37, or if the processing is done in accordance with section 38.
Section 37 states that the Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process personal information even if the processing is in breach of a condition, provided the Regulator is satisfied that the public interest outweighs any interference with the privacy of the data subject, or that the processing involves a clear benefit to the data subject that outweighs any interference with the data subject's privacy.
The Regulator is also taking over the regulation of the Promotion of Access to Information Act (PAIA) from 1 July 2021, and more information on PAIA compliance will be provided in the future.
SAICA is in the process of compiling a POPIA guide which will be released to assist SAICA members as soon as completed.