By Claire Gaul / Joani van Vuuren of Webber Wentzel
Much has been written about the statutory obligations that are to be imposed on financial service providers in respect of their clients in terms of the Protection of Personal Information Act, 4 of 2013 (“POPIA”).
What may be less familiar are the obligations POPI will place on employers in relation to the collection and processing of information pertaining to their employees.
POPIA establishes a framework which will require responsible parties to process personal information in accordance with eight conditions which will confer rights on individuals whose information is processed. POPIA regulates every aspect of the processing of personal information, from the moment that it is collected to the moment that it is destroyed.
Whilst POPIA was enacted in 2013, not all of its provisions have yet come into force. Earlier this year a few limited sections commenced, in particular those provisions dealing with the establishment of the regulatory body which will have control over the enforcement of POPIA’s provisions.
The full Act will commence once the regulatory body is fully operational, which commentators suggest may be towards the end of this year. Employers will then have a grace period of one year to ensure compliance with the eight conditions set out in POPI.
Before we discuss the eight conditions, it is important to understand some key terms contained in the legislation.
- Firstly, the term ‘personal information’ is widely defined and includes any information which relates to a person, including identity numbers, race, gender, religion, education, health, income, personal views, and preferences or opinions.
- POPIA then makes provision for what is called ‘special personal information’, which means a person’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, biometric information, or criminal behaviour. Importantly, there is a general prohibition on the processing of special personal information unless explicit prior consent is obtained (or unless the employer can establish the existence of one of a number of limited justifications).
- The term ‘processing’ includes the collection, receipt, storage, modification, distribution or destruction of information.
- POPIA defines the term ‘responsible party’ (on whom the statutory obligations rest) to include any public or private body which processes personal information.
- Finally, the term ‘information officer’ means the CEO or equivalent officer or any person duly authorised by that officer for purposes of POPI. Every responsible party must appoint an information officer to ensure compliance with the provisions of POPI and the officer must be registered with the registrar.
Next week we discuss the eight conditions for processing personal information.
Employer Duties under POPIA Part 2
As responsible parties under POPIA, employers will be required to comply with the eight conditions set out below:
- Accountability: An employer must ensure compliance with POPIA from the moment that the purpose and means of processing is determined and during the processing itself. An information officer must be appointed by the employer and the employer must register the information officer with the regulatory body established under POPIA.
- Processing limitation: Processing of information may only take place if one of a number of conditions is met:
- the employee consents to the processing;
- the processing is necessary to conclude or perform a contract to which the employee is a party;
- the processing is necessary for compliance by the employer with a statutory obligation; or
- the processing protects a legitimate interest of the employer or the employee.
Personal information must be obtained directly from the employee unless the information is derived from a public record, consent to the use of another source is obtained or the employee has made the information public on, for instance, social media. In addition, an employer may be able to justify obtaining the information elsewhere where compliance is not reasonably practical or would prejudice a lawful purpose of the collection of the information.
- Purpose specification: Collection of personal information must be for a specific, explicitly defined and lawful purpose related to a function or activity of the employer in the employment context. An employer may only retain records of personal information for as long as it is necessary to achieve the specific purpose for which the information was collected. Employers must however comply with statutory provisions prescribing retention periods, such as records for tax compliance and in terms of employment legislation. The destruction of records must be final and in a manner that the records cannot be reconstructed.
- Further processing limitation: In the absence of specific consent for further use, the employer may only use the personal information if it is compatible with or in accordance with the purpose for which it was collected. An employer must comply with the test for compatibility when, for instance, passing on personal information to a medical aid or retirement fund, for unemployment benefits or in a business transfer transaction.
- Information quality: An employer must take reasonably practical steps to ensure that personal information is complete, accurate, not misleading and updated where necessary. Special care is required where information is collected from a source other than the employee personally.
- Openness: An employer collecting the personal information of its employees must take reasonably practical steps to ensure that the employee is aware of the information collected and the source of the information, the purpose for which it is collected, whether the employee is obliged to supply the information and what law, if any, prescribes the disclosure of the information to the employer. The employer must also inform the employee what information will be processed and to whom it will be disclosed, as well as the employee’s right to access and rectify the information collected or to complain to the Regulator. The employer must inform the employee before the information is collected from the employee and, in any other case, either before or as soon as reasonably practicable after collection.
- Security Safeguards: An employer must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate measures to prevent, inter alia, loss of or damage to the information. Reasonable measures to protect the personal information include the identification of possible security risks and the implementation of safeguards against unlawful disclosure of the information. Where there are reasonable grounds to believe that the personal information of an employee has been accessed or acquired by any unauthorised person the employer must notify the Regulator and the affected employee.
- Employee Participation: An employee has the right to know what personal information the employer has in its possession and to request the records or a description of the personal information that the employer holds. An employee is also entitled to know which third parties have or had access to the personal information.
How does POPIA apply in the workplace?
Given the rather legalistic manner in which POPI sets out the conditions imposed upon an employer for the lawful processing of employee information, we have set out below some examples of the questions employers ask when confronted with the requirements of POPIA:
Is it sufficient to include in the employee’s contract of employment a general consent to the processing of personal information?
Firstly, irrespective of the fact that the employee may have consented to the processing of his personal information, the employer is still obliged to comply with the conditions contained in POPIA. Secondly, POPIA defines ‘consent’ to mean “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. Arguably a general consent contained in the employment contract will not be sufficient for any ongoing collection of personal information but may be sufficient for the initial collection of personal information which the employer may require in order to employ the employee. In such instance the employment contract should specify what information the employer requires as a pre-condition to employment.
Must we obtain the consent from an employee before we collect information concerning any past criminal conduct?
Information pertaining to the criminal behaviour of an employee is regarded as ‘special personal information’ in respect of which there is a general prohibition on processing unless the employee (or applicant for employment) has specifically provided his or her consent or where another listed justification is present. One of these justifications will include where the processing of such information is necessary for the exercise of an obligation in law.
What other safeguards can an employer implement in order to ensure compliance with POPI?
Employers should implement internal policies detailing the mechanisms they have adopted to ensure compliance with POPI and setting out the circumstances in which they are required, for operational reasons, to process employee information.