Protection of Personal Information Act (POPIA) - An Employer’s Perspective

Purposes of the Act

The Protection of Personal Information Act of 2013 (POPIA) follows the example of similar, quite onerous legislation in the European Union aimed at protecting individuals’ right to privacy. More specifically, the Act aims to give effect to the right to privacy as provided for in the Constitution’s Bill of Rights by limiting the extent to which personal information may be processed by others, including employers.

Personal information is defined as information that relates to a natural or juristic person (such as a company). This includes, e.g., someone’s physical address, email address, date of birth, ID number, race and gender, but also their criminal, financial and employment history, personal opinions or beliefs, trade union membership, etc.

Some personal information is designated as special personal information, that is, personal information concerning children; religious or philosophical beliefs; race or ethnic origin; trade union membership; political persuasion; health, sex life or biometric data of a data subject (fingerprinting, blood typing, voice recognition); and, in certain instances, criminal behaviour.

Processing refers to the handling of personal information, e.g., the collection, recording, storing, updating or distribution thereof.

Impact on the employment relationship

In the employment context POPIA covers all personal and special personal information that an employer (referred to as a ‘responsible party’) might have about job applicants, employees and former employees (referred to as ‘data subjects’). The Act imposes several new responsibilities on employers:

  • Employers must appoint an information officer, who needs to be registered with the Regulator.
  • Personal information may, subject to certain exceptions, only be collected by an employer directly from the employee.
  • Employees must be informed why the information is being collected (the purpose) and who the intended recipients of the information are.
  • Personal information may only be processed for an explicit, specific and lawful purpose (such as the conclusion of an employment contract).
  • Personal information may not be kept for longer than necessary to achieve the purpose for which it was collected. This means, e.g., that personal information collected from an unsuccessful applicant should be destroyed after the recruitment process has been finalised and a successful candidate appointed.
  • Personal information must be distributed in a way that is compatible with the purpose for which it was collected.
  • Personal information may not be distributed to other third parties, e.g., for marketing purposes.
  • Employers must take reasonable steps to ensure that the information collected is accurate, up to date and complete.
  • Employers must ensure that personal information is protected against the risks of loss, damage, destruction or unauthorised access.
  • Employees must also be allowed to access their personal information and may demand that the information be corrected if it is found to be inaccurate.

When may personal information be processed?

The Act permits the processing of employee data in a limited number of cases, namely:

  • If the employee consents;
  • When processing is necessary for purposes of employment, e.g., details of bank accounts in order to pay an employee’s wage or salary, or for vetting relevant educational qualifications;
  • If the employer has a legal obligation to perform processing, e.g., for tax purposes;
  • To protect a legitimate interest of the employee’s, e.g., collecting personal information required by a retirement fund to which the employee belongs or is required to belong; and
  • If it is necessary to pursue the legitimate interests of the employer or a third party, e.g., doing a check on the criminal record of someone who requires security clearance; or providing information to an external party whom the employee has authorised to carry out deductions from her or his wage or salary.

Special personal information

Additional protections apply to special personal information. It may only be processed if:

  • The processing is carried out with the consent of the employee (written consent is not required but is advisable);
  • The processing is necessary for the establishment, exercise or defence of a right or obligation in law;
  • The processing is necessary to comply with an obligation of international public law;
  • The processing is necessary for historical, statistical or research purposes if this serves a public interest (e.g., disease control); or
  • The information has deliberately been made public by the employee, e.g. on social media.

What about medical testing?

Medical testing of employees can yield particularly sensitive information about employees. The Act mirrors section 23 of the Employment Equity Act which permits medical testing only if it is required or permitted by legislation or if it can be justified in the light of medical facts, employment conditions, social policy, or the fair distribution of employee benefits or the inherent requirements of the job. Testing for an employee’s HIV status is prohibited unless authorised by the Labour Court. Psychological testing and other similar assessments (such as psychometric tests) are also prohibited unless certain requirements are met, i.e., the test has been scientifically proven to be valid and reliable and that it can be applied fairly to all employees and is not biased against any employee or group of employees.

Rights of employees in respect of their personal information

Employees have the right to be notified by their employer that their personal information will be collected, or that it has been accessed or acquired by an unauthorised person, i.e., someone who does not have consent to process the information. They also have the right to establish what information an employer holds and to request access to such information; to request the correction, destruction or deletion of personal information; to object on reasonable grounds to the processing of their personal information; and to submit a complaint to the Regulator or institute civil proceedings to protect their rights under the Act.

Consequences of non-compliance

The Act provides that employers can be fined between R1 million and R10 million, or face imprisonment for one to ten years, depending on the nature and seriousness of the transgression.

Some practical recommendations

Employers would be well advised to attend to the following:

  1. Appoint an information officer or assign someone to take on this responsibility. It goes without saying that this person needs to become familiar with the broad purposes of the Act and their responsibilities in terms of it.
  2. Develop a privacy policy or data privacy statement that:
    • sets out the circumstances under which personal information may be collected and what it may be used for;
    • states what kinds of personal information may be collected, and to which internal and external recipients or categories of recipients personal information may be supplied;
    • states whether the information may be distributed or stored outside of the country’s borders; and
    • includes a general description of the information security measures (such as firewalls) that will be implemented and monitored to ensure that the information is not accessible to unauthorised people.
  3. Review or develop standard clauses on data protection in employment contracts and provide for employee consent to disclosure of information as authorised in terms of the Act.
  4. Conduct an audit in respect of personal information currently being held, where such information is being held and for how long it has been held.
  5. Raise awareness within the organisation of the implications of the Act and the importance of protecting privacy.
  6. Report data breaches to the Information Regulator and employees concerned.
  7. Do not share any personal information unless it would be permissible to do so in terms of the Act.

Implementation

Employers need to be compliant by no later than 30 June 2021, when the Act will come fully into effect. An organisation’s Information Officer should be able to register with the Information Regulator any time from 1 May 2021.

Conclusion

While the Act seems very long-winded and makes for difficult reading, it should not be too difficult for employers to comply. Several steps need to be taken, but these should be relatively easy to implement. The approach that an employer takes may vary depending on the nature and size of the organisation.

Original article by Marissa Zeelie for www.labourwise.co.za.