Quick Guide

  1. There was a grace period on Section 58(2) which ended on 1 Feb 2022. This grace period allowed you to continue processing while your application for prior authorisation was in progress. From now on, you will have to suspend processing while you wait for your authorisation decision under threat of penalty (see below for details).REF: Notice in terms of the commencement date of section 58(2), 18 June 2021
  2. Download all 3 documents for Prior Authorisation listed on the Regulator’s website (inforegulator.org.za/docs1-gn.html)
    1. Read this first: Invitation for applications for Prior Authorisation, 11 Mar 2021
    2. Then read the Guidance Note to decide if this applies to you
    3. If Prior Authorisation applies to you submit this form: InfoRegSA-eForm-PriorAuthorisation-20210311.pdf
  3. Prefer to get help? contact us for a 1-hour personalised consultation

What is Prior Authorisation?

You need to get Prior Authorisation from the Regulator for processing certain types of Personal Information. This is not the same as needing consent (or any other form of Justification for processing personal information). It is specific to certain types of processing that the Regulator wants to be informed about (see below).

You are not allowed to start (or continue!) with this type of processing if you do not have authorisation:

What must you do and what is the urgency?

Step 1 – pay attention and figure out whether this applies to you

Use the outline above to determine if this applies to you, and read the Invitation for applications for Prior Authorisation, 11 Mar 2021.

If it does apply to processing that you do, you need to get Prior Authorisation to avoid committing an offence under the Act.

Not applying and continuing with your processing is one of the scenarios that carries penalties, and would be one of the “riskiest” risks in your POPI risk register. Delaying could impact on your ability to continue with processing that data.

Step 2 – read the Guidance Note and invitation for applications

The Regulator has published instructions and guidelines for applying for Prior Authorisation. You will find this on their website under Documents / Guidelines, Guidance Notes and Notices POPIA and PAIA

The Invitation for applications for Prior Authorisation, 11 Mar 2021 explains what you need to do and by when.

The Guidance Note PDF document includes the Form you need to use and where you need to send the form:
inforegulator.org.za/docs/InfoRegSA-GuidanceNote-PriorAuthorisation-20210311.pdf

Step 3 – get your application in and don’t start the processing

The Guidance Note includes a breakdown of the Prescribed Timelines that are detailed in section 58(1) of the POPI Act.

The Regulator can take up to 4 weeks to get back you. If they decide to investigate further, they can take up to 13 weeks.

During that time you have to stop the processing, no exceptions.

If you would like assistance, please do not hesitate to contact us for a 1-hour personal consultation .

Does this apply to you?

The Guidance Note is issued to “responsible parties who are currently processing or intend to process personal information which is subject to prior authorisation” .

It does not apply to you if you are not the Responsible Party for that processing (If you are unsure, then read this article: Responsible Party or Operator?).

The flowchart provided above details the types of information processing that will require prior authorisation. These are further explained in the Regulator’s Guidance Note. This note also includes some insight into how to interpret the terms used.

The only other avenue is if your processing is covered in a Code of Conduct that has been approved by the Regulator. You can read more about that here: Invitation for applications for Prior Authorisation, 11 Mar 2021.

If any of the four scenarios outlined above sound like something that you do, then you probably do need to apply for Prior Authorisation.

If you are unsure, please get advice from a POPI lawyer or contact us for a 1-hour consultation to unpack your situation.

If you are unsure how to manage POPI requirements, please get your management team trained up on what they need to know