Non-compliance with the Protection of Personal Information Act, 2013 ("POPIA") can have serious and unintended consequences for employers. For example, in jurisdictions where data privacy laws have been in place for a number of years, there have been multiple examples of employees using allegations of an employer's non-compliance with data protection laws in an attempt to leverage more compensation or other benefits in labour disputes. Data breaches and subsequent costly litigation can also arise where disgruntled (or former) employees access or acquire personal information belonging to their employer for nefarious purposes. It is also important to note that the most commonly processed personal information is actually employee data. Also, and as demonstrated by the collection of data during the COVID-19 pandemic, often the data is of a sensitive nature.
As POPIA came into effect from 1 July 2020 (subject to a one-year "grace period" for compliance in terms of POPIA), it is imperative for employers to take note of the following instances in which liability is likely to attach to employers in terms of POPIA:
- The manner in which employers obtain consent to process employees' personal information can lead to liability:
- "consent" is defined in POPIA as "any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information" (our emphasis added). Written consent, by way of a consent form, should be obtained by employers to negate any possible disputes on whether or not consent has been obtained (bearing in mind that consent for the general processing of personal information is not permitted). The consent form should, at a minimum, contain the following:
  - The purpose for which consent is required, in other words, what personal information or special personal information the employer wishes to process and why;
  - Who the intended recipients of the personal information are and, if shared with a third party, that the employer will ensure that the personal information is adequately protected in compliance with any and all applicable laws, regulations and standards on protection of personal information;
  - Any consequences which might arise should the employee not provide consent. If there is another ground in terms of which an employer is required to process the personal information, this should be stipulated in the consent form. In this way, the employee will be made aware that if consent is not provided, the employer is entitled to process the personal information through other means;
  - The period for which the personal information will be stored;
  - The employee must be able to access his/her personal information stored by the employer and may request that it be rectified, deleted or destroyed; and
  - The employee must be made aware that he/she may withdraw consent at any point.
- Knowledge of the need to process personal information is paramount when determining whether a considered, measured and informed decision has been made.
- How can consent lead to liability? For example, in Greece in July 2019, PricewaterhouseCoopers (PwC) was fined EUR150 000 by the Hellenic Data Protection Authority ("HDPA") for breaching the General Data Protection Regulation ("GDPR"), following a complaint by the Association of Auditors of the Attica Region, for using an inappropriate legal basis for processing of employees' personal information. PwC required its employees to sign a blanket consent for PwC to process their data – this included their data being processed for a variety of reasons (including communication of data to third parties and monitoring the use of the company's computers). PwC argued that it should not be held liable because at the time the alleged breach occurred, the GDPR was new and complex and that PwC had requested the employees sign a consent form. The HDPA determined that there was an imbalance of power in the employer-employee relationship, and that the consent was therefore not binding.
- It is noteworthy that the independent European advisory body on data protection and privacy set up under Article 29 of the EU Data Protection Directive (the GDPR's predecessor) holds the view that "[e]mployees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship. Given the imbalance of power, employees can only give free consent in exceptional circumstances, when no consequences at all are connected to acceptance or rejection of an offer."
- It might therefore be preferable for employers to rely on a different justification for the processing of personal information of employees. If written consent is provided by the employee (in the manner set out above), an argument could be made that the employee was well informed and was therefore not coerced when making his/her decision to provide consent. However, a more cautious approach would be to rely on an alternative ground, if available, to process the personal information.
- POPIA creates an onerous form of statutory vicarious liability for employers:
- Section 99 of POPIA provides a remedy for data subjects (or the Information Regulator at the request of data subjects) to institute a civil action for damages against a responsible party (employer) for breaching any provision of POPIA, for the interference with the protection of personal information, "whether or not there is intent or negligence on the part of the responsible party".
- The Supreme Court of Appeal (in the case of Stallion Security (Pty) Limited v Van Staden) recently determined that South African law "should be further developed to recognise that the creation of risk of harm by an employer may, in an appropriate case, constitute a relevant consideration in giving rise to a sufficiently close link between the harm caused by the employee and the business of the employer". In view of the Stallion decision, the yardstick of a "sufficiently close link", traditionally satisfied through the employee acting in the course and scope of his or her employment, may now be satisfied simply through "the creation of risk of harm by the employer".
- Section 99(2) of POPIA provides only limited defences for a responsible party to any action for damages. These defences are, briefly: vis major, consent of the plaintiff, fault on the part of the plaintiff, compliance was not reasonably practicable in the circumstances of the particular case or the Regulator has granted an exemption in terms of section 37. Apart from the above defences, the employer will be unable to defend a claim for damages brought by a data subject in terms of section 99(1) of POPIA.
- Unlike other data protection laws (for example in the UK, Australia and New Zealand), to the employer's detriment, POPIA does not provide a defence to a responsible party who has done everything reasonably and practicably possible in its power to ensure that its employees comply with the requirements of POPIA. However, such efforts will likely serve to mitigate any amount awarded against a responsible party by a court in due course.
- It is imperative, now more so than ever, for employers to take proactive steps to ensure compliance with the provisions of POPIA and to obtain comprehensive legal advice (from compliance to breach) in order to mitigate any possible liability from the outset (commencing with appropriately worded consent clauses/forms, privacy notices and the implementation of data protection policies and procedures which are mandatory under POPIA).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.