Prior Authorisation

The Protection of Personal Information Act (POPIA) requires responsible parties to obtain prior authorisation from the Information Regulator before processing certain types of personal information that may pose a higher risk to the rights of data subjects.

 

Prior authorisation is required in specific circumstances outlined in section 57 of POPIA, particularly where the processing involves unique identifiers, sensitive personal information, or the linking of information across multiple sources.

When is Prior Authorisation Required?

A responsible party must apply for prior authorisation where processing involves:

  • The use of unique identifiers for a purpose other than that for which they were originally collected, especially when linking information from different sources
  • Processing of information relating to criminal behaviour or unlawful conduct on behalf of third parties
  • Processing of personal information for credit reporting purposes
  • The transfer of special personal information or children’s information to a third party in a foreign country that does not provide an adequate level of data protection

The Information Regulator considers each application on a case-by-case basis, assessing the risks and justifications provided.

 

Who Can Apply?

Any public or private body acting as a responsible party under POPIA may apply for prior authorisation. This includes organisations that process personal information as part of their operations and fall within the categories requiring approval.

How to Apply

Applications for prior authorisation are submitted through the eServices portal. The process includes:

  • Completing the prior authorisation application form
  • Providing detailed information about the intended processing
  • Uploading supporting documentation (where applicable)
  • Submitting the application for review by the Information Regulator

Each application is reviewed by the Information Regulator. You may be contacted for clarification or additional information. Once reviewed, the outcome will be communicated via the portal and email.

 

What Happens After Submission?

  • Additional information or clarification may be requested
  • The application will be evaluated based on compliance with POPIA and the potential impact on data subjects
  • The outcome will be communicated via the portal and email

You must ensure continued compliance with all non-exempted provisions of POPIA, and exemptions may be revoked if abused.