News

Industries

Companies

Jobs

Events

People

Video

Audio

Galleries

My Biz

Submit content

My Account

Advertise with us

POPI from an employment perspective

The Protection of Personal Information Bill, B9D - 2009, ('POPI') will place significant obligations on most individuals and juristic entities, including employers.

The purpose of POPI is to give effect to the constitutional right to privacy, by introducing measures to ensure the personal information of 'data subjects' (such as employees) is safeguarded when it is processed by 'responsible parties' (i.e. employers). POPI provides conditions for the lawful processing of personal information. Employers will have to comply with these principles whenever the personal information of employees is collected, stored or used. If an employer were to breach the duties imposed by POPI, it could be faced with an administrative fine of up to R10,000,000 (ten million rand). Owing to the serious consequences arising from non-compliance, it is essential that employers adhere to the provisions of POPI by putting compliance procedures in place to ensure the obligations imposed on them are satisfied.

Processing of 'personal information'

Employers should be aware that most information collected from an employee will constitute 'personal information' as the term includes the race, age, gender, sex, pregnancy status, marital status, nationality, ethnic or social origin, sexual orientation, physical or mental health, disability, religion, culture and language of the employee. The term also includes information relating to the educational, medical, financial, criminal or employment history of the employee. Location information also falls under this term and would include email and physical addresses, or telephone and cellular phone numbers of the employee. As the use of fingerprint and retina scanners becomes more common in the workplace, employers should take note that biometric information of employees such as fingerprints and retinal data will also constitute personal information. Personal information would also include correspondence sent by the employee that is implicitly or explicitly of a private or confidential nature such as a personal email.
Personal information must be processed lawfully. 'Processing' is broadly defined as being any operation or activity, whether or not by automatic means, concerning personal information; including the collection, recording, organisation, collation, storage, updating or modification, retrieval, consultation or use of information. Disseminating the information by means of transmission, distribution or making it available in any other form also falls under this term. Processing would also relate to the linking, restriction, degradation, erasure or destruction of information. What is pivotal is the recognition that the definition of processing is extremely broad.

Conditions for lawful processing of personal information

Condition 1: Accountability

The first condition for lawful processing is an imperative that the employer must ensure compliance with the eight conditions set out in POPI. Effect must be given to such conditions at the time that the purpose and method of processing has been determined, as well as during the processing itself. Employers must appoint an information officer and deputy information officers to ensure compliance with these conditions and deal with complaints from employees who seek to enforce POPI. These may be appointed from amongst currently-employed staff members.

Condition 2: Limitations on processing

POPI imposes several limitations on how an employer may process the personal information of an employee. The first of these limitations is that the processing must be lawful. This has two components; firstly that the processing may not be contrary to South African law and secondly, that it must be conducted in a reasonable manner that does not infringe upon the privacy of the employee. Terms such as 'reasonable manner' and 'privacy' are undefined in POPI. Regard will have to be had to case law dealing with the constitutional right to privacy in order to give substance to the meaning of these terms. The personal information processed by an employer must also be adequate, relevant and not excessive, relative to the purpose for which the processing was undertaken.

An employer may only process personal information if there is sufficient justification for such processing. Sufficient justification would include instances where the employee gave fully informed and proper consent to the processing. The employer bears the onus to prove that such consent was provided. The employee may withdraw consent at any time.

Alternate justifications for processing include where the processing is necessary to carry out actions for the conclusion or performance of the employment contract, or where processing is imposed on the employer by law. An example of the latter would be the obligation for an employer to store employee information in accordance with the provisions of the Basic Conditions of Employment Act 75 of 1997, as amended ("BCEA"), and the Labour Relations Act 66 of 1995, as amended ("LRA").

A further justification allowing for processing is that the processing protects a legitimate interest of the employee. The term 'legitimate interest' has been left undefined in POPI. Given the wide connotations of the term, this introduces an element of uncertainty, the boundaries of which will only be demarcated in practice. However a likely example of such an interest will be the employee's medical history and needs.

Equally undefined is the justification that processing would be necessary for pursuing the legitimate interests of the employer, or of a third party to whom the information is supplied. The latter justification leaves a large discretion to the employer to determine its legitimate interests. Lastly, processing will be lawful if it is necessary for the proper performance of a public law duty by a public body.

Personal information must be obtained directly from the employee unless the employer has received consent from the employee to do otherwise, or where the information has been made publically available. An example of the latter would be where the employee has posted the information on Facebook.

Condition 3: Prupose specification

When the employer collects personal information, it may only do so for specific, explicitly defined and lawful purposes related to the function of the employer. Steps must be taken to ensure employees are made aware of this purpose.

Employers may only retain personal information for as long as a law or code of conduct determined by the Information Regulator[2]provides. In the absence of a law or code of conduct, the retention period must be long enough to afford the employee a reasonable opportunity to request access to the records. An employer may not retain records of personal information for longer than is necessary for achieving the purpose for which the information was collected. An exception to this limitation would be where the employment contract requires longer retention. This exception allows for the employer to regulate the obligations bestowed upon it through the utilisation of its employment contracts.

Condition 4: Further processing limitation

If an employer wishes to process information more than once, the subsequent processing must also comply with the conditions set out in POPI and be compatible with the original purposes for which it was collected. An example would be where the employer has collected the email addresses of employees then makes it available to them by emailing the mailing list to each employee. Making it available would constitute 'processing' and would have to comply with the initial purpose for which the emails were collected.

Condition 5: Information quality

An employer must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. The employer must have regard to the purpose for which personal information is collected or further processed.

Condition 6: Openness

An employer must maintain documentation of all processing. A particularly onerous duty placed on the employer is that before processing, it must take reasonably practicable steps to ensure that the employee is aware of an array of facts. Such details would have to include what information is being collected, the purpose of such collection and who will have access to the information.
If the employer intends to transfer the information to a country outside South Africa, then the employee must be notified as such. The employee must also be informed of his or her right to access the information and the right to rectify it; as well as the right to object to the processing of personal information. Similarly, an employee must be informed of the right to lodge a complaint to the Information Regulator and the contact details thereof. It is recommended that all the information above be incorporated into the employment contract to cater for information that the employer knows or predicts will be processed.

Condition 7: Security safeguards

An employer must secure the integrity and confidentiality of personal information in its possession or under its control. This must be achieved by taking appropriate and reasonable technical and organisational measures to prevent loss, damage or unlawful access or processing of personal information.

The employer must take reasonable measures to identify all reasonably foreseeable internal and external security risks and establish appropriate safeguards. The employer must have due regard to generally accepted information security practices and procedures which may apply to it generally, or be required in terms of a specific industry or professional rules and regulations. All employers should ensure they have updated anti-virus software and firewalls for the protection of digitally-stored personal information.
Ideally, backups should be made on a remote server so as to be prepared for accidental deletion or local hard drive failure. Regular IT maintenance is also recommended. Physical records must only be accessible by authorised personnel and should be kept in a secure location. Where there are reasonable grounds to believe that the personal information of an employee has been accessed or acquired by any unauthorised person, the employer must notify the Information Regulator and the employee as soon as possible.

Condition 8: Employee participation

An employee has the right to request access to the record of his or her personal information held by the employer. The record must be provided within a reasonable time, manner and form and may be at a prescribed fee. The employee has a right to request that the record be corrected or deleted if this is warranted. If an employer receives such a request but refuses to comply, then it must provide the employee with a notification to that effect. It must also attach an indication to the record that a particular request was made but was not executed.

Processing of 'special personal information'

'Special personal information' means personal information relating to the religion, race or ethnic origin, trade union membership, political persuasion, health, sex life, biometric information or criminal behaviour of an employee. Employers may not process such information unless general authorisation is granted or if a listed exception applies for specific categories of special personal information. General authorisation would be granted in cases where the employee consents to the processing. General authorisation would also be granted where processing is necessary for the establishment, exercise or defence of a right or obligation in law or where the employee deliberately made the information publically available. Once again, if an employee had posted such information on Facebook, then processing would be lawful. Processing would also be lawful where the Information Regulator has authorised such processing after application by the employer or where processing is for statistical purposes.

An employer may process information concerning an employee's race or ethnic origin if the employee is only identified when it is essential for the required purpose and it is necessary to comply with affirmative action laws and measures such as BEE legislation.
The prohibition on processing personal information concerning an employee's trade union membership does not apply to the trade union to which the employee belongs; if such processing is necessary to achieve the aims of the trade union. No information regarding trade union membership may be supplied by trade unions to third parties without the consent of the employee. It is submitted that when employers wish to provide employees with the benefits or rights obtained through collective bargaining, then the general authorisation referred to above would find application.

Automated decision-making

An employee may not be subject to a decision resulting in legal consequences for him/her or affecting him/her to a substantial degree, which is based solely on the basis of the automated processing. Examples of automated decision making would be processing personal information and using software to create a profile of the employee including his or her performance at work, credit worthiness, reliability, location, health, personal preferences or conduct.

An exception to the principle outlined above would be where the automated decision has been taken in terms of the employment contract, or is authorised by a law or code of conduct. As long as appropriate measures are taken to protect the employee's legitimate interests, the automated decision making will be lawful.

Transborder information flows

POPI also contains provisions relating to the dissemination of information by a South African entity to a third party in a foreign country. This is of particular relevance to groups of companies with both South African and foreign branches or subsidiaries. An employer may not transfer personal information about an employee to a third party who is in a foreign country unless the third party is subject to a law or agreement that provides substantially similar principles for reasonable processing as contained in POPI. This provision is especially onerous as employers would have to perform research to ascertain this information. The same applies to the further transfer of personal information from the third party to other third parties in foreign countries.

General recommendations to employers to ensure POPI compliance

In light of the duties imposed on employers, it is recommended that the following steps be taken to ensure compliance with POPI. Employers should ensure that their staff, especially those who process employee information on a regular basis such as Human Resources and IT officials, are aware of the duties imposed on employers by POPI. An Information Officer and Deputy Information Officers must be appointed. A data privacy policy should be drawn up and the employer should ensure that all employees are made familiar with its contents. The policy should include protocols enabling employees to lodge complaints against processing. A document retention policy should also be implemented to ensure records of employee personal information are destroyed in reasonable periods.

From a contractual perspective, employment contracts should also be worded broadly when requiring the employee to provide consent to processing so as to cater for the broad definition of 'processing' in POPI. Employment contracts should incorporate sufficient information relevant to the processing so that it can be said an employee gave informed consent.

Employers should take care when processing 'special personal information' such as ethnicity and trade union membership. Employers must ensure that proper security safeguards are in place to protect personal information from unauthorised access or deletion. Employers must ensure they comply with POPI regarding the transfer of personal information to third parties in foreign countries. Legal research must be done to determine whether the country which the information is transferred to has promulgated privacy protection legislation similar to POPI.

Let's do Biz