Reproduced by Sabinet Online in terms of Government Printer’s Copyright Authority No. 10505 dated 02 February 1998
66
No. 37067
GOVERNMENT GAZETTE, 26 November 2013
Act No. 4 of 2013
Protection of Personal Information Act, 2013
(d) otherwise ensuring compliance by the body with the provisions of this Act;
and
(e) as may be prescribed.
(2) Officers must take up their duties in terms of this Act only after the responsible
party has registered them with the Regulator.
Designation and delegation of deputy information officers
56. Each public and private body must make provision, in the manner prescribed in
section 17 of the Promotion of Access to Information Act, with the necessary changes,
for the designation of—
(a) such a number of persons, if any, as deputy information officers as is necessary
to perform the duties and responsibilities as set out in section 55(1) of this Act;
and
(b) any power or duty conferred or imposed on an information officer by this Act
to a deputy information officer of that public or private body.
CHAPTER 6
PRIOR AUTHORISATION
Prior authorisation
Processing subject to prior authorisation
57. (1) The responsible party must obtain prior authorisation from the Regulator, in
terms of section 58, prior to any processing if that responsible party plans to—
(a) process any unique identifiers of data subjects—
(i) for a purpose other than the one for which the identifier was specifically
intended at collection; and
(ii) with the aim of linking the information together with information
processed by other responsible parties;
(b) process information on criminal behaviour or on unlawful or objectionable
conduct on behalf of third parties;
(c) process information for the purposes of credit reporting; or
(d) transfer special personal information, as referred to in section 26, or the
personal information of children as referred to in section 34, to a third party in
a foreign country that does not provide an adequate level of protection for the
processing of personal information as referred to in section 72.
(2) The provisions of subsection (1) may be applied by the Regulator to other types of
information processing by law or regulation if such processing carries a particular risk
for the legitimate interests of the data subject.
(3) This section and section 58 are not applicable if a code of conduct has been issued
and has come into force in terms of Chapter 7 in a specific sector or sectors of society.
(4) A responsible party must obtain prior authorisation as referred to in subsection (1)
only once and not each time that personal information is received or processed, except
where the processing departs from that which has been authorised in accordance with
the provisions of subsection (1).
Responsible party to notify Regulator if processing is subject to prior authorisation
58. (1) Information processing as contemplated in section 57(1) must be notified as
such by the responsible party to the Regulator.
(2) Responsible parties may not carry out information processing that has been
notified to the Regulator in terms of subsection (1) until the Regulator has completed its
investigation or until they have received notice that a more detailed investigation will
not be conducted.