Unique Identifiers: Why the distinction?
by Ahmore Burger-Smidt, Director and Head of Data Privacy Practice and member of Competition Law Practice; and Nyiko Mathebula, Candidate Attorney
The Information Regulator
- The Information Regulator (“Regulator”) recently issued a Guidance Note for responsible parties to use when applying for prior authorisation in terms of sections 57 and 58 of the Protection of Personal Information Act 4 of 2013 (“POPIA”).
- Section 57(1) of POPIA requires that a responsible party obtain prior authorisation from the Regulator, prior to processing any personal information falling under section 57(1)(a) – (d) of POPIA. This includes processing unique identifiers.
- Section 58 of POPIA then proceeds to set out the terms on which a responsible party would notify the Regulator if processing is subject to prior authorisation.
- The Guidance Note itself is not controversial as it merely seeks to clarify the process for notification to the Regulator and obtaining prior authorisation. However, the trouble comes in the definition of the term “unique identifier”. POPIA defines it to mean – “…any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.”
- To effectively apply sections 57 and 58 of POPIA, responsible parties must be able to properly categorise the personal information they process or intend to process. In this context, this requires a proper understanding of what a unique identifier is, and the above definition does not immediately assist in providing that understanding.
- A unique identifier must be distinguished from standard personal information such as your name, surname and address, and special personal information such as your religious or philosophical beliefs, race or ethnic origin and sex life. Therefore, it is understood that a unique identifier must constitute something more than the aforementioned types of personal information.
- A plain reading of the above definition makes it clear that it is meant to be interpreted restrictively. This is because it only addresses “unique” personal information that is assigned to a data subject by a responsible party for the purposes of that responsible party’s operations. In other words, it is not any and all personal information that will meet the above definition.
- For example, individuals interacting with organisations will in some instances be assigned numbers or codes that can be used to uniquely identify them. These may include customer reference numbers (suppliers/retailers), employee codes (employers), student numbers (educational institutions), medical aid numbers (health), policy numbers (insurance) and even identity numbers (government). In that instance, each assigned number or code will constitute a unique identifier. Unique identifiers may also go further to include Internet Protocol addresses (“IP address”), which may not only serve to identify an individual but also disclose their location.
- The question to be asked is whether the information in question was assigned to a person by a responsible party for the purpose of uniquely identifying that person in relation to the operations of that organisation. Should the answer be yes then the information will constitute a unique identifier. That is the distinguishing factor that must be considered when processing unique identifiers.
- It is further important to note the two criteria set out under section 57(1)(a) of POPIA, which provide that: “(1) The responsible party must obtain prior authorisation from the Regulator, in terms of section 58, prior to any processing if that responsible party plans to –
(a) process any unique identifiers of data subjects –
(i) for a purpose other than the one for which the identifier was specifically intended at collection; and
(ii) with the aim of linking the information together with information processed by other responsible parties.” [our emphasis]
- Let us consider an example. Say a retailer assigns a unique customer code or reference number (i.e. unique identifier) to a customer for the purposes of awarding loyalty points and rewards. Should the situation arise where the retailer wishes to use that unique identifier for another purpose which is not compatible with the initial purpose, in conjunction with information processed by another organisation (e.g. another company within the retailer’s group of companies/subsidiaries), for whatever purposes, that would trigger section 57(1)(a) and the requirement in relation to prior authorisation.
- However, where the retailer processes the unique identifier in a manner compatible with the initial purpose for which the information was collected there would be no need to obtain prior authorisation from the Regulator.
- Consequently, it becomes important for responsible parties to understand their initial purpose for collecting unique identifiers, which purpose can be justified and linked to a unique identifier without the requirement to obtain prior authorisation. This is in contrast to where responsible parties have a new and incompatible purpose which triggers the prior authorisation requirement.
- It is further important to note that the processing of unique identifiers must still comply with the requirements of lawful processing as provided for in POPIA. A responsible party cannot look at the issue of unique identifiers in isolation but rather interpret it in light of the full POPIA landscape and lens of the Act to ensure lawful processing. Such a holistic interpretation and understanding can only be achieved through an impact assessment which is an absolute requirement. For more on this subject, kindly refer to our article on an introduction to POPIA.
