Legalese has launched a COVID-19 specific page for legal resources and assistance during this unprecedented time. CLICK HERE

Back to Home

POPIA’s demand for specificity may lead to generalisation

11.11.2021
0

POPIA’s demand for more specificity may actually lead to more generalisation based on recent interpretations by the Regulator

Over-all point:

The regulator’s recent discussion on Prior authorisation for further data processing of identifiers will lead to undesired generalisation of Privacy Policies, as Responsible Parties try to capture all possible uses of the identifiers in order to avoid needing to acquire prior authorisation from the Regulator.

Introduction:

On Wednesday the 27th of October 2021, the office of the Information Regulator (“IR”) of South Africa, chaired by Adv. Tlakula, held a very informative webinar on the meaning and interpretation of Chapter 6 of the Protection of Personal Information Act, 2013 (“POPIA”) – namely the topic of Prior Authorisation (“the Webinar”).

Prior Authorisation is a concept where due to the sensitive nature of a particular facet of data processing, a Responsible Party (as defined in POPIA) responsible for that sensitive data processing is required to first obtain authorization from the IR in order to conduct that desired element of sensitive data processing.

Prior authorisation is discussed in Chapter 6 of POPIA, with section 57 explaining which processing functions require prior authorisation. One of the processing actions which require prior authorisation is captured in section 57(1)(a), which speaks to when identifiers (including ID numbers) are processed for a purpose other than what was originally intended at the time of collection. Should such a processing intention change, the Responsible Party must obtain prior authorisation from the IR in order to perform such altered processing function.

It is assumed that the intention of this section is to ensure that Responsible Parties do not process identifiers for an endless range of reasons, but stick to their listed original purposes, and only deviate therefrom once they have permission from the IR to do. This is undoubtedly a good aim.

That being said, Responsible Parties’ perception of acquiring prior authorisation from the IR is so fraught with anxiety and suspicion, that in order to avoid having to seek prior authorisation for further processing-uses for identifiers, it would seem obvious that all Responsible Parties have to do, is simply have very long and almost endless lists of original uses listed for the processing of identifiers in the first place. This way, a Responsible Party can almost always argue that as long as they explained the original uses to the data subject in the first place, they can process the data subject’s identifiers for a huge array of original purposes with never needing to obtain prior authorisation for a novel or further use.

The result is that whilst the requirement for prior authorisation is supposed to keep Responsible Party’s processing limited, it will realistically result in the opposite; Responsible Parties will simply list huge numbers of original processing uses for identifiers to avoid needing to obtain prior authorisation from the IR.

Main points:

Section 57 of POPIA states that:

“The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to:

  1. process any unique identifiers of data subjects
    1. for a purpose other than the one for which the identifier was specifically intended at collection; and
    1. with the aim of linking the information together with information processed by other responsible parties
  2. process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
  3. process information for the purposes of credit reporting; or
  4. transfer special personal information, as referred to in section 26, or the personal information of children as referred to in section 34, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.

At the Webinar, “Identifiers” were defined as including people’s identification (“ID”) numbers – a very common piece of personal information processed by almost an endless array of Responsible Parties.

As a result of section 57 compounded by the opinions of the IR officers on the Webinar, there is a result that should a Responsible Party process an ID number, but then need to process that ID number for different reasons for why it was originally collected, then that Responsible Party must first acquire prior authorisation from the IR in order to do so.

For everyone’s understanding, obtaining prior authorisation from the IR, after already having to survive the rigmarole of a process in just completing such an application, will be time consuming and probably a lot slower than what everyone expects. Not to be a harbinger of doom, but just the simple process of getting everyone’s Information Officers registered with the IR was a complete failure, and still is to this day. If an automated system like IO registrations failed horribly, it is understandable that Responsible Parties are going to want to avoid seeking prior authorisation from the IR whenever they can.

One of the major ways that Responsible Parties will seek to circumnavigate the need to obtain prior authorisation for ID number processing changes, would therefore be to avoid having to change the original processing needs of ID numbers in the first place. This can be simply achieved by a Responsible Party in their Privacy Policy by listing a range of original processing uses for ID numbers. This way, a Responsible Party can claim that they never change their original processing purposes for ID numbers, because all such possible processing uses are listed as their original processing needs from the get-go. Having such a long list of original processing uses means that the Responsible Party will never have a new further processing need for such ID numbers, and can hence avoid needing to apply for, and obtain, prior authorisation from the IR.

This work-around is a dangerous one, but is completely expected from an already over-regulated and under-supported business market in SA who wants less to do with regulators than ever before!

Conclusion:

Whilst the intention of prior authorisation for changes to a Responsible Party’s processing of ID numbers is logically sound, the slow and red-tape-filled reality of getting prior authorisation approval from the already over-worked IR’s office will undermine even the best of intentions. As a result, as opposed to forcing Responsible Parties to keep their processing of ID numbers as limited as possible (and their lists of original processing uses as limited as possible), the cynical South African in me expects that the exact opposite will almost surely occur: Responsible Parties will simply provide substantial original processing use lists for ID numbers from the start, to avoid ever having to seek prior authorisation for novel changes to the original processing uses.

– Thomas Reisenberger

Have any questions? Drop us a message below and we’ll be in touch!

Contact Us


190A Buitengracht St
Bo Kaap
Cape Town
8000
Contact us
close slider