The Information Regulator has extended the commencement date of the Protection of Personal Information Act (POPIA) provision that requires organisations to obtain prior authorisation if they process certain categories of personal information.
The commencement date of that provision is now 1 February 2022.
In a notice, the Information Regulator says: “The Information Regulator hereby amends the commencement date of section 58(2) of the Protection of Personal Information Act, 2013 (No.4 of 2013), as contained in the Government Notice No.44383 published in Government Gazette No. 297 of 1 April 2021.
“The Information Regulator has, in terms of section 114(3) of the Protection of Personal Information Act, 2013 (No.4 of 2013), determined the 1 February 2022 as the date on which section 58(2) of the Protection of Personal Information Act, 2013 (No.4 of 2013) shall become applicable to processing referred to in section 57 of the said Act.”
The announcement comes as the Information Regulator is in the process of making final preparations for SA’s data privacy law that is set to kick in on 1 July.
Organisations were given a one-year grace period to comply with POPIA, and Information Regulator chairperson advocate Pansy Tlakula recently told ITWeb this will not be extended.
According to legal experts at law firm Webber Wenzel, this amendment means an organisation that is required to obtain prior authorisation from the Information Regulator does not need to suspend its processing of personal information during such time that the Information Regulator is processing its application for prior authorisation.
“Such organisations will not incur any penalties under POPIA for processing personal information after 1 July 2021,” say Peter Grealy and Dario Milo from Webber Wentzel.
“However, it is imperative that if your organisation does need prior authorisation, you must submit your application for prior authorisation to the Information Regulator before 1 February 2022 and comply with the remainder of POPIA – failure to do so will attract penalties.”
Grealy and Milo note organisations that perform the following activities are required to obtain prior authorisation from the Information Regulator:
- Processing unique identifiers (for example, bank account details, identity numbers or telephone numbers) of data subjects for a purpose other than that for which the identifier was specifically intended at collection, with the aim of linking the information with information processed by other responsible parties.
- Processing criminal behaviour or illegal, objectionable conduct on behalf of third-parties. An example of this includes service providers that are contracted to perform criminal record checks for employers prior to offering employment to a prospective candidate.
- Processing information for credit reporting (for example, credit bureaus).
- Transferring special personal information or personal information of children to a third-party in a foreign country that does not have adequate data protection laws.
“If you use cloud service providers to store your organisation's data, find out which country their servers are based in – you may unintentionally contravene the requirement to obtain prior authorisation if their servers are based in a country without sufficient data protection laws,” the legal experts say.
Since 2013, SA’s data protection law has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014.
On 1 July 2020, the Act as a whole came into effect. However, local companies were given a one-year grace period to comply.
The purpose of the legislation is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information, by holding them accountable should they abuse or compromise personal information in any way.
Businesses that don't comply with POPIA, regardless of whether it’s intentional or accidental, can face severe penalties.
The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
Share