In the discussion below we will draw your attention to the main points that employers will need to know and do, to be well on their way to full compliance come July 2021.
The time has finally come for employers to ensure workplace compliance with the Protection of Personal Information Act, 4 of 2013 ("POPIA"). Key provisions of POPIA commenced on 1 July 2020, leaving all employers (as the responsible party processing personal information of their employees in terms of POPIA) until 1 July 2021 to ensure that their workplaces are fully POPIA compliant.
What does this mean for your business?
POPIA does not specifically define "employee". Its provisions pertain to "data subjects", which is a person to whom personal information relates and in the context of POPIA, this covers an employer's employees. Employees as data subjects have certain rights under POPIA. These include:
the lawful processing of their personal information;
consent to the processing and further processing of personal information;
notification when personal information is being collected or has been subject to a breach;
requesting access to their personal information;
objecting to the processing of their personal information; and
requesting the correction, destruction or deletion of their personal information.
Personal information employers must protect
POPIA states that "personal information" is information pertaining to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person. Whereas, in terms of POPIA, "processing" of personal information includes, for example, the collection, receipt, recording, storage, modification, use, distribution, merging and erasure of personal information.
As an employer, the processing of employee's personal information is inevitable. It may be necessary for employers to process their employee's personal information for a variety of reasons, such as in concluding employment contracts, occupational health and safety, recruitment and training and for general compliance with applicable law. In addition to processing personal information, employees may also find themselves having to process "special personal information" of their employees. Special personal information is a special category of personal information provided for under POPIA and relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of data subjects. The processing of special personal information carries with it special rules of compliance in terms of POPIA and employers should take note of those rules.
Simple steps employers can take now to comply with POPIA
The first step employers can take to guard against liability in terms of POPIA is to ensure that the consent of their employees is obtained, and the processing of their employee's personal information is for a specified purpose. An employee (as a data subject) must be in a position to "opt in" and know what their personal information will be used for. POPIA states that, in addition to consent, justification for processing can be attained where the processing of personal information is necessary for conclusion of a contract, complies with an obligation imposed by law, protects the interest of the data subject or is necessary for the legitimate interests of the employer.
Chapter 3 of POPIA lists the 8 conditions for lawful processing of personal information. It is advisable that an employer be aware of these provisions. Failing which, non-compliance may result in penalties in terms of POPIA, which include imprisonment of up to 12 months and/or administrative fines of up to R10-million.
In addition to the 8 conditions above, it may be necessary for an employer to process information as a result of legislation. The most common statues in the context of employment are the Occupational Health and Safety Act, 1993, the Basic Conditions of Employment Act, 1997, and the Employment Equity Act, 1998.
As was mentioned earlier, obtaining proper consent from employees on a voluntary basis must be prioritised. Here are a few suggestions an employer may consider in establishing proper consent protocols:
suitably worded consent forms must be executed when consent is required. These forms must indicate the specific purpose for which the employee's personal information will be processed. For example, where monitoring of employees will take place as a result of a new system of working from home; or
contracts of employment must include special reference to the processing of personal information and consent.
Data Protection Policies
Although not clear cut, data privacy policies have been shown to assist employers in jurisdictions with similar data protection standards as that of POPIA. These policies can assist an employer in ensuring compliance with POPIA's provisions:
Monitoring and Surveillance Policy;
Protection of Personal Information Policy;
Data Protection Policy;
Data Retention Policy;
Information Technology Security Policy;
The list above is only an indication of commonly used policies. Depending on the size, scale and services of an employer it may be necessary to consolidate the policies or establish new ones to adequately address high risk areas when processing personal information of employees. These policies form a basis of compliance and awareness, however regular training of employees on and about the policies is essential.
Employers are required to ensure reasonably foreseeable risks in respect of non-compliance with POPIA and that these risks are regularly verified and that safeguards to ensure compliance are developed, effectively implemented and updated to respond to new risks or deficiencies – this can pertain to cybersecurity protocols. Employers must, in terms of section 18 of POPIA, implement appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of any personal information in their possession or control.
POPIA should not be regarded as an obstacle to conducting one's business successfully, specifically when it comes to one's own employees. Current business practice already dictates compliance with generally accepted privacy norms. Tightening of current structures and policies must become a priority. We recommend contacting us to walk you through the basics of POPIA compliance – thereby placing you, your business and employees in the best possible position come July 2021.
Originally published August 11, 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.