
Prior authorisation: the narrow section 57 list

Only four categories need the Regulator’s once-off authorisation — POPIA has no general licensing or registration of processing.


Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer
A small set of high-risk processing operations requires once-off prior authorisation from the Information Regulator before they begin: processing unique identifiers for a new purpose and linking them with other responsible parties’ information; processing criminal-behaviour or unlawful-conduct information on behalf of third parties; processing for credit reporting; and transferring special or children’s information to a country without adequate protection. If none of these describes your processing, no authorisation or notification is needed — POPIA has no general registration of processing.

The four triggers

What the Act provides

Prior authorisation is required before: processing unique identifiers of data subjects for a purpose other than the one for which the identifier was specifically intended at collection and with the aim of linking the information with information processed by other responsible parties; processing “information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties”; processing “information for the purposes of credit reporting”; or transferring special personal information or children’s information to a third party in a foreign country that does not provide an adequate level of protection.

Protection of Personal Information Act 4 of 2013, s 57(1) (effect)

Read the triggers narrowly, because they are narrow. An ID number used to onboard a customer is not a trigger; repurposing identifiers and linking them across responsible parties is. Vetting your own candidates is not a trigger; screening as a service for others is. Holding your customers’ payment history is not a trigger; operating credit reporting is. And ordinary offshore cloud use is not a trigger; special or children’s data to a non-adequate country is.

The section 58(2) bar: wait for the Regulator

Authorisation is once-off, but it is a genuine gate: the section 58(2) bar on proceeding before the Regulator responds has applied since 1 February 2022. A screening or credit-reporting venture cannot launch first and regularise later — the unauthorised processing is itself unlawful. Per the Regulator’s guidance, processing of this kind already under way before 1 July 2021 was not subject to the application requirement; new entrants apply through the Regulator’s prescribed process and wait.

No general licensing — naming the misconception

A persistent sales pitch claims businesses must “register with the Information Regulator” to process personal information. They need not. POPIA has no general registration, licensing or approval requirement for processing — the four triggers above are the entire universe of prior authorisation. The registration that is universal is the information officer’s (s 55(2)) — a different duty about a person, not a permission for processing. Conflating the two sells compliance packages; separating them is the law.

Frequently asked questions

Does my business need to register its processing with the Regulator?

No. POPIA has no general registration or licensing requirement for processing. Only the four narrow section 57 categories need once-off prior authorisation — and information-officer registration is a separate, universal duty.

Who typically falls in the section 57 categories?

Background-screening businesses (criminal-conduct information for third parties), credit bureaus (credit reporting), operations linking unique identifiers across responsible parties for new purposes, and anyone sending special or children’s information to non-adequate countries.

What happens while the application is pending?

Since 1 February 2022, section 58(2) bars processing until the Regulator responds. Per the Regulator’s guidance, processing of this kind already under way before 1 July 2021 was not subject to the application requirement.

Is prior authorisation an annual licence?

No — it is once-off for the described processing. Material changes to the processing would call for a fresh look.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
