South Africa: Adopted Information Regulator guidance note on application for prior authorisation

On 15 January 2024, the Information Regulator of South Africa, issued a guidance note on processing personal information subject to prior authorisation under the Protection of Personal Information Act. The note applies to responsible parties processing certain types of data requiring prior authorisation under the POPIA, and which includes unique identifiers, credit reporting, criminal behaviour checks, or transferring special personal information or children's data to countries lacking adequate data protection laws. It requires prior notification to the regulator before processing such information and outlines conditions for lawful processing, including accountability, processing limitations, and data quality. Failure to comply may result in fines or imprisonment of up to 10 years, depending on the offence.