The Protection of Personal Information Act (POPIA) has been in partial effect since November 2013. As of 01 July 2020, most of the remaining sections have commenced, and these sections bear relevance to employers.
The POPI Act is formulated based on the provision of the Constitution of the Republic of South Africa (Section 14, 1996) which provides that everyone has the right to privacy, including protection against any unlawful collection, retention, dissemination or use of personal information.
The Act itself promotes the protection of personal information processed by both public and private institutions. It establishes minimum requirements for the processing of personal information and provides for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of the Act as well as the Promotion of Access to Information Act (2000). It also provides for the issuing of codes of conduct and for the rights of persons regarding unsolicited electronic communications and automated decision making, and regulates the flow of personal information across the borders of the Republic, together with all connected matters. It applies to the processing of all personal information that is entered into a record by or for a responsible party through either manual or automated means.
These provisions also impact the means and methods employers, as the responsible party, use to gather, record, store, and use employee records. Anything that the employer collects that contains an employee’s personal information is governed by this Act. Personal information includes an employee’s application file, personal file, payroll information, leave/medical file, and any other information the employer has about the employee.
The POPI Act defines “personal information” in very broad terms to include any information relating to the identity of a person as well as any information that can be used to identify a person, such as race, gender, sex, marital status, nationality, ethnicity, sexual orientation, physical or mental health, disability, religion, culture, language, education, medical, financial, biometric, criminal or employment information, identifying number, symbol, e-mail address, location, opinions, confidential correspondence, etc.
It is a fundamental principle of POPIA that an employee must consent to the processing of his/her personal information. This means that he/she must be fully informed of the scope and nature of the processing. Consent must also be given voluntarily for a specific process. Consent gained by an employer using an unequal negotiating position will not meet the definition of consent according to POPIA.
POPIA in practice
Employers must ensure that staff responsible for processing personal employee information, as described by the Act, are aware of the conditions and requirements imposed on employers by the Act.
Employers should review all data records to determine what personal and/or sensitive information they hold for employees and where the information is stored. Where information is being processed without consent, employers should determine what the legitimate basis is for doing so, and if the processing is based on the “legitimate interest” of the employer, this should be documented. Employees should be notified of the scope and nature of personal information processing, and their consent must be gained for processing any information that has not been obtained or kept legitimately.
Notify employees of the nature and scope of processing, and gain consent to the extent that any employee data is being processed for any reason other than a legitimately sound one.
Data privacy policies should be drafted, and all employees must be trained with regard to the content of the policy. This policy should include steps by which employees can lodge complaints against the processing of personal information.
Employment contracts should be reviewed and updated where necessary to include wording that complies with the principle of consent by the employee to the processing of specific personal information, as required to enter into a contractual relationship – including full information on the scope and nature of the processing. An employment contract cannot include a general consent clause with the intent to cover ongoing information processing during the period of employment. POPIA defines ‘consent’ as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.” A general consent would not satisfy the requirement of specificity for every instance of information processing.
This article is offered only as an introduction to the implications of POPIA and its impact on employment. Employers have a 12-month grace period from the commencement of the Act to reach compliance and are strongly encouraged to consult with a labour and personal information specialist. Contact our Cape Town office for assistance on 021 919 6418.