The Protection of Personal Information Act 4 of 2013 (POPIA) commenced on 1 July 2020, although some of its provisions became effective as early as April 2014. The purpose of POPIA, as set out in section 2, is to give “effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations.”
Sections 3(1) and (2), read with sections 6 and 7, set out when POPIA applies and detail its exclusions. In terms thereof, POPIA applies to the workplace, and any job applicants, current employees and former employees will be considered “data subjects” as defined therein. Section 11(1)(b) of POPIA provides that personal information may be processed where such processing is “necessary to carry out actions for or related to the conclusion or performance of a contract to which the data subject is party to”. The Act will thus be applicable to the employer-employee relationship.
The right to privacy, as enshrined in section 14 of the Constitution of South Africa, and the privacy protections contained within POPIA are not without limitations. Personal information can only be used for strictly necessary purposes and in line with the purpose for which it was collected. In addition thereto, employers are obliged to protect the integrity and security of the personal information of employees, be they prospective, current or former employees, by implementing measures to comply with the conditions of lawful processing of personal information as set out in POPIA.
Here are some pointers for beginning your POPIA compliance as an employer:
- Appoint an information officer (and where necessary, a deputy information officer);
- Put in place a secure information collection, processing, storage, amendment and disposal system;
- Ensure the system is compliant with the 8 conditions of lawful data processing in terms of POPIA;
- Ensure the current communication and HR procedures and policies are compliant with POPIA;
- Inform staff members about their rights and obligations with regard to POPIA provisions;
- Establish third party arrangements/agreements which are compliant with the 8 conditions of lawful data processing in terms of POPIA.
The eight conditions of lawful data processing in terms of POPIA are:
- Accountability requires that the responsible party, i.e. the employer, remain accountable in terms of POPIA, by ensuring that the processing of all personal information is compliant with the conditions prescribed in POPIA.
- Processing limitation places an obligation on the employer to ensure that information is processed only for the purpose for which it was collected, which purpose must be lawful, specific and known to the employee, and that processing must be performed with the consent of the data subject.
- Purpose specification requires that the purpose of collecting specific information be unambiguous and exact.
- Further processing limitation requires that all further processing of the information must be aligned with or be linked with the initial purpose. Should a link between the purpose of the initial and further processing of the information be broken, then such processing requires further consent from the data subject (i.e. the employee), unless such processing falls within the exceptions in POPIA.
- Information quality refers to the collected information being accurate, complete and not misleading.
- Openness requires the data subject (i.e. employee) to be aware that the employer is collecting information, and to be notified of the specific purpose for which that information is being collected.
- Security safeguards requires the employer to ensure that the information is secure from unauthorised access, alteration, disclosure and obliteration amongst other things.
- Data subject (i.e. employee) participation requires that the employer ensure that data subjects are positioned to know if their information is held, deleted and/or amended as and when it becomes necessary under the circumstances.
Pagel Schulenburg Inc. can assist with advising each employer regarding their compliance with these 8 conditions of lawful data processing, and can formulate the relevant workplace policies to ensure compliance, or can review any existing documentation and/or policies to ensure that it is updated and aligned with POPIA.