Ready, set, protect! Is your workplace ready for POPIA?
The key provisions of the Protection of Personal Information Act, 2013 (“POPIA”) commenced on 1 July 2020, meaning that employers have until 1 July 2021 to make sure that their workplaces are fully POPIA compliant. Non-compliance carries some hefty penalties, which include imprisonment of up to 12 months and/or administrative fines of up to ZAR10-million.
We discuss below some of the key ways POPIA will affect the workplace and measures to be adopted by employers to comply.
THE DATA RIGHTS OF YOUR EMPLOYEES
Employees, former employees, applicants and third parties (who fall under the term “data subjects” in the Act) have various rights under POPIA, including:
- having their personal information processed lawfully;
- being notified when their personal information is being collected or has been subject to unauthorised access;
- requesting access to their personal information;
- objecting to the processing of their personal information; and
- requesting the correction, destruction or deletion of their personal information.
Employers must also be aware that employees have the right to submit a complaint to the Information Regulator and to institute civil proceedings in respect of an alleged interference with the protection of their personal information.
WHAT KINDS OF EMPLOYEE INFORMATION DO YOU NEED TO PROTECT?
“Processing” of personal information is broadly defined in POPIA and includes, but is not limited to, the collection, receipt, collation, storage, consultation, use, dissemination, merging and erasure of personal information.
Employers process personal information for a variety of reasons, including complying with the law, recruitment, training, promotion, discipline, security, health and safety in the workplace, quality control, customer service, secondments and employing foreign employees, concluding contracts and monitoring and/or assessing performance.
Many employers may also process “special personal information” of employees, such as religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and certain criminal behaviour.
SOME STEPS YOU CAN TAKE TO COMPLY WITH POPIA
Obtain consent and specify what the data is going to be used for
The collection of personal employee information does not entitle the employer to make free and unlimited use of it. Employers should obtain the consent of data subjects before processing their personal and/or special personal information. Consent must be voluntary, informed and specific, and the employer must notify employees of:
- what personal information will be processed;
- for what purposes;
- whether it will be transferred to another country;
- whether supplying the information is voluntary or mandatory;
- any laws authorising or requiring the collection; and
- their data rights.
Implementing the measures below will ensure that voluntary, informed and specific consent is obtained for the processing of personal information:
- Have job applicants, new and current employees complete appropriately worded forms in terms of which consent is given for the processing of personal information and special personal information;
- Include clauses pertaining to the processing of personal information and special personal information in contracts of employment of new employees, and amend current employees’ contracts of employment to include such clauses; and
- Introduce measures in contracts with third parties. The type of measures that could be introduced will depend on factors such as the nature of the services to be provided, and the type or nature of the specific third party. Including appropriate consent clauses in contracts or consent forms entered into with third parties will ensure that consent from these third parties is obtained in terms of POPIA.
Obtaining consent remains the safest form of justification for processing personal information, including special personal information. However, POPIA provides additional grounds that can justify processing personal information. These include situations where the processing is necessary to comply with an obligation imposed by law; where it protects a legitimate interest of the employee; and where it is necessary for pursuing the legitimate interests of the employer as the responsible party, or of a third party to whom the information is supplied.
In addition, special personal information may be processed when:
- consent is obtained;
- the processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- the processing is for historical, statistical or research purposes; or
- the information has deliberately been made public by the data subject.
Employers may therefore be statutorily obliged to process personal and special personal information of employees by legislation such as the Occupational Health and Safety Act, 1993, the Basic Conditions of Employment Act, 1997, and the Employment Equity Act, 1998, and may do so without the consent of the employee.
Implement policies and procedures for processing information
It’s important to develop, implement and monitor specific policies and processes to ensure compliance with POPIA and the protection of personal information in the workplace.
Depending on the employer, a single and overarching policy document, or a variety of policies that operate collectively, may be adopted to govern the protection of personal information in the workplace.
Examples of policies employers may adopt include a:
- Protection of Personal Information Policy;
- Data Protection Policy;
- Data Retention Policy;
- Communications Policy;
- Information Technology Security Policy;
- CCTV Policy; or
- Data Subject Access Request Policy.
It is important that employers provide training to employees in order to ensure that they are aware of and understand the policies and procedures implemented in respect of the protection of personal information in the workplace.
Implement security measures to protect data
Employers are required to implement appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of any personal information in their possession or control. This requires establishing and maintaining technological and/or physical safeguards in respect of electronic and physical personal data. Employers should identify reasonably foreseeable risks, and regularly verify that their safeguards are effectively implemented and updated in response to any new risks or deficiencies. Third parties appointed to process personal information on the employer’s behalf should sign a written contract specifying their compliance with the required security measures.
Appoint an information officer
Employers must appoint an Information Officer and, if required, Deputy Information Officers. They will bear the responsibility to ensure compliance with the conditions for the lawful processing of personal information and other provisions of POPIA, deal with requests made in terms of POPIA, and work with the Information Regulator in relation to investigations.
The Information Officer of a private entity will generally be the “head” of the entity and therefore the Chief Executive Officer. The designation of the individual appointed as Information Officer in a public entity will depend on the nature of the public entity.
Contact us should you require assistance in getting your workplace ready for compliance with POPIA.
Suemeya Hanif
Employment | Executive
shanif@ENSafrica.com
+27 82 787 9934
Kerry-Anne do Couto
Employment | Associate
kdocouto@ENSafrica.com
+27 66 474 2622