Posted: 03 Sep 2020
The Protection of Personal Information Act 4 of 2013 (POPIA), which came into force on 1 July 2020, places several obligations on employers in terms of managing employees' personal information; it also gives employees certain rights to privacy. Employers need to be fully compliant with POPIA by 30 June 2021. Non-compliance can result in significant penalties: up to 10 years' imprisonment and/or ZAR 10 million in administrative fines.
We set out below the key things you ought to know as an employer.
POPIA applies to personal information and special personal information that is subject to processing or further processing. Processing encompasses a wide range of activities including the initial obtaining of personal information and the use and retention of that information as well as access, disclosure, and final disposal of that information.
From an employment perspective, POPIA applies to:
- information such as identity numbers, contact details, employment history, psychometric assessment results, references, qualifications, disciplinary records, union membership, grievances, health, and biometric information; and
- the full life cycle of the employment relationship, from recruitment to post-termination; it continues to apply for five years after the relationship has ended (and still applies where the employer is approached as a reference).
Employers must therefore ensure that they lawfully process the personal information of job applicants, employees, retired employees and dismissed employees. To the extent that employers process personal information of independent contractors and other service providers, they must also ensure that they lawfully process such information. Lawful processing will be achieved by complying with the eight conditions set out in POPIA –
- Further processing limitation
- Data subject participation
POPIA prohibits processing of special personal information, which includes information on race, health, criminal behaviour and trade union membership, unless:
- an employer obtains express consent to do so from the relevant employee; or
- the information is required by law (legal necessity); or
- the information is for historical, statistical or research purposes; or
- the information was deliberately made public by the data subject.
Next steps for employers
From an employment perspective, employers should take the following steps to ensure POPIA compliance:
Step 1: Appoint an Information Officer.
Step 2: Review the current job application process document and employment contract, and include provisions on:
- Processing of personal information and special information (where necessary).
- Consent to process personal information and special personal information.
Step 3: Draft and implement an internal data protection policy with a special focus on POPIA:
- Internal policies and procedures to comply with the eight conditions.
Step 4: Host training for employees on POPIA and internal data protection policies. Employees will not only be data subjects but will also process information on behalf of the employer, and will need to be aware of and comply with the conditions.