27 May 2021

Insert #3 Prior Authorisation


READ WITH:

https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-PriorAuthorisation-20210311.pdf

On March 11 2021 the Information Regulator published the above Guidance Notes (‘the Notes’), advising Responsible Parties (‘RP’) why, how and when to apply for prior authorization (‘PA’) to process certain information.

Such PA is required for processing one or more of the following:

  • Unique identifiers of persons (the Data Subject: ‘DS’) to be processed for reasons other than originally intended AND with the intention of linking them with information processed by other RP – examples are bank account numbers, identity numbers & telephone numbers
  • Criminal behavior, objectionable or unlawful conduct – examples are criminal records and disciplinary steps. This applies not only to the employer (RP) doing background checks on employees (current or potential) but also to third parties doing it on behalf of the RP
  • Credit reporting – as above and entities such as credit bureaus
  • Transferring personal information (‘PI’) or special personal information (‘SPI’) of children to a foreign country which incidentally includes storing it on/in ‘the cloud’ if such country or party does not ‘provide an adequate level of protection’ (‘by law; binding corporate rules or binding agreement’). Interesting for the tourism industry is that this action does not require PA if it has been carried out before July 01 2021 but it would appear to apply to ongoing processing!   

Here are a few of the details that have to be disclosed by the applicant:

  • Details of the RP similar to the manual
  • PI categories to be addressed
  • Reason for the processing
  • Whether the processing relates to a function/activity of the IR
  • Security measures
  • Staff: number employed & training
  • Has RP suffered any security breaches in last 3 months?  

However, certain aspects of the PA can create problems, hence it being referred to as a ‘conundrum’ (ENs March 16 2021), i.e.:

  • The form must be signed by an Information Officer approved by the IR – what if this has not been done?
  • How is a business (RP) expected to ascertain which countries offer the required levels of PI compliance?

Further guidance from the IR is required in this regard.