1. How does POPIA impact employers?
- POPIA regulates the processing of personal information of data subjects by responsible parties. These terms are quite technical, but in the employment context, essentially what this means is that anything that an employer can do with personal information that belongs to an employee (be it collecting, storing or disseminating that information) must be done in accordance with the Act.
- That information can be anything that can be linked back to an employee and contained in a record, for example, employees' personal details, their disciplinary records, medical information etc. It would also extend to information about applicants for employment, when the employer asks for a copy of the applicant's CV, for example, or makes enquiries about their previous employment history.
- The Act sets out a number of conditions that must be met in order for information to be processed lawfully. For example, the Act says that employers need to ensure that employees are aware of the personal information that the employer holds and what that information is used for, and that there are appropriate security measures in place to prevent loss of or unauthorised access to the information.
- Because all employers collect the personal information of their employees, the Act applies to every employer in the country, no matter the size.
2. Does the Act require an employer to get an employee's consent to process all of their personal information?
- No, not necessarily. Consent is one of the justifiable grounds upon which an employer can process personal information, but this is not the only ground. Processing banking information of an employee, for example, is necessary for complying with the employer's contractual obligation to pay the employee's salary, and for this the employer does not require consent. Having said this, there are certain types of information that would require the employee's consent to processing, such as trade union membership.
3. What are the risks to employers who don't comply?
- One of the greatest risks is that administrative fines can be imposed for non-compliance, and these can be in an amount of up to ZAR 10 million. There are also certain provisions which, if contravened, would amount to a criminal offence under the Act, which could result in a fine or imprisonment. And then there is also the risk of reputational damage.
- But the good news is that there's time for employers to do everything they need to do to comply. This is because there is currently a one-year transitional period, which comes to an end on 30 June 2021.
4. What do employers need to do to get their houses in order and make sure that they are in compliance with this Act?
- There are five immediate steps that we would recommend employers take:
  - The first step is that they must register their Information Officer and Deputy Information Officers with the Information Regulator. At this stage, it's been indicated that this registration is required before 31 March 2021.
  - Once the employer's Information Officer is appointed, the second step would be to conduct a risk assessment to determine all of the personal information that is being processed by the business.
  - Thirdly, once they know what information is being processed, they should prepare a compliance framework setting out what actions they are going to take to ensure compliance. This would include things like sending out a notification to employees informing them of the categories of information that the business holds about them and making sure that there are adequate security measures pertaining to personnel files.
  - Fourthly, responsible parties must prepare or update their PAIA manuals, which are required in terms of the Promotion of Access to Information Act.
  - Lastly, we would advise that employers conduct awareness sessions for their employees on the provisions of POPIA.
At Bowmans, we've developed a Toolkit that would assist employers and guide them in taking these steps, by providing template forms to use, guidance notes and useful summaries of the various obligations under the legislation.
5. How can employers access the Toolkit?
- Send an email directly to POPIAtoolkit@bowmanslaw.com. Once the toolkit has been purchased, employers will receive access to an online platform where all of the required documents can be found.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.