The Protection of Personal Information Bill (“POPI”), which will place substantial obligations on employers (both individuals and juristic entities), is expected to be enacted soon. It was submitted to the President for signature on 20 August 2013.
POPI will allow for and provide conditions on the lawful processing of personal information. It will give effect to the constitutional right to privacy by ensuring that the personal information of “data subjects” (for example, employees) is protected when it is processed by “responsible parties” (for example, employers).
Employers will have to comply with the conditions whenever an employee’s personal information is collected, stored or used. Failure to comply may lead to an administrative fine of up to R10 000 000. It is therefore advisable to put compliance procedures in place now.
What is personal information?
Most information collected from an employee will be “personal information” as the term includes race, age, gender, sex, pregnancy status, marital status, nationality, ethnic origin, sexual orientation, physical or mental health, disability, religion, culture, language, education, financial status, criminal background, employment history, e-mail and physical addresses and phone numbers of the employee. It would also include correspondence sent by the employee that is private, such as a personal email.
All personal information must be processed lawfully. The definition of “processing” is wide and includes:
- any operation or activity, whether or not by automatic means, concerning personal information including the collection, recording, organisation, collation, storage, updating or modification, retrieval, consultation or use of information;
- the dissemination of the information by means of transmission or distribution; and
- the linking, restriction, degradation, erasure or destruction of information.
The conditions for lawful processing of personal information
Accountability – An employer must ensure compliance with the eight conditions in POPI and effect must be given to them at the time that the purpose and method of processing is determined, as well as during the processing itself. An Information Officer and his Deputy must be appointed to ensure compliance and to deal with complaints.
Limitations on processing – POPI imposes limitations on how the processing must be carried out – it must be lawful and not contrary to South African law. In addition, it must be conducted in a reasonable manner without infringing upon the employee’s privacy. The personal information processed must be adequate, relevant and not excessive relative to the purpose for which the processing was undertaken.
An employer may only process personal information if there is sufficient justification for such processing, including:
- where the employee gives full consent to the processing;
- where the processing is necessary to conclude or perform an employment contract;
- if imposed by law;
- if it protects a legitimate interest of the employee, such as medical history and needs;
- if it protects a legitimate interest of the employer; and
- if it is necessary for the proper performance of a public law duty by a public body.
Personal information must be obtained directly from the employee unless the employee consents otherwise or where the information has been made publicly available, for example on Twitter or Facebook.
Purpose specification – Personal information may only be collected for specific, defined and lawful purposes related to the function of the employer. Employees must be made aware of this purpose.
Personal information may only be retained for as long as a law or applicable code of conduct determined by the Information Regulator provides. In the absence of this, the retention period must be long enough for the employee to have a reasonable opportunity to request access to the records.
However, an employer may not retain personal information records for longer than is necessary for achieving the purpose for which the information was collected unless the employment contract requires longer retention.
Further processing limitation – If an employer wishes to process information more than once, the subsequent processing must also comply with the POPI conditions and be aligned with the original purposes for which it was collected. For example, where an employer has collected employee email addresses and then makes them available to each employee, such distribution would constitute “processing” and would have to comply with the initial purpose for which the emails were collected.
Information quality – An employer must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated.
Openness – An employer must maintain documentation of all “processing”. Although an onerous duty, before processing, an employer must take reasonably practicable steps to ensure that the employee is aware of certain facts such as what information is being collected, the purpose of such collection and who will have access to the information. The employee must be informed of their right to access the personal information, to rectify it and to object to the processing of it. The employment contract should incorporate all of this information.
Security safeguards – An employer must ensure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate and reasonable technical and organisational steps to prevent loss, damage or unlawful access or processing of it. The employer must identify all realistically foreseeable internal and external security risks and establish appropriate safeguards. This must include all generally accepted information security practices and procedures which apply to it generally or specifically, including updated anti-virus software and firewalls for the protection of digitally-stored personal information. Backups should be made on a remote server, and physical records must only be accessible by authorised personnel and should be kept in a secure location.
Where there are reasonable grounds to believe that personal information has been accessed by any unauthorised person, the employer must notify the Information Regulator and the employee as soon as possible.
Employee participation – An employee has the right to request access to the record of their personal information and such access must be provided within a reasonable time, manner and form and may be at a prescribed fee. The employee has a right to request that the record be corrected or deleted and if an employer receives such a request but refuses to comply, it must provide the employee with a notification to that effect.
Processing of “special personal information”
POPI prohibits employers from “processing special personal information” (meaning personal information relating to the religion, race or ethnic origin, trade union membership, political persuasion, health, sex life, biometric information or criminal behaviour) of an employee unless general authorisation is granted (by consent or if it is publicly available) or if a listed exception applies for specific categories. An employer may process information concerning an employee’s race or ethnic origin if it is necessary to comply with affirmative action laws such as BEE legislation.
Transborder information flows
Of particular relevance to groups of companies with both South African and foreign branches, POPI contains provisions relating to the dissemination of information by a South African entity to a third party in a foreign country. An employer may not transfer an employee’s personal information to a third party in a foreign country unless the third party is subject to a law or agreement that provides substantially similar principles for reasonable processing as contained in POPI.
POPI Compliance – general recommendations to employers
- Ensure that staff, especially those who process employee information regularly such as Human Resources and IT personnel, are aware of the duties imposed on employers by POPI.
- Appoint Information and Deputy Information Officers.
- Draft a data privacy policy and ensure that all employees are made familiar with its contents including procedures enabling employees to lodge complaints against processing.
- Implement a document retention policy to ensure that employees’ personal information records are destroyed after a reasonable period.
- Word employment contracts broadly so that employees provide consent to the wide definition of processing in POPI and incorporate sufficient information relevant to the processing so that it can be said an employee gave informed consent.