Requirements for the Processing of Personal Information in Terms of the POPI Act.
The Protection of Personal Information Act, Act No. 4 of 2013 (POPI), provides a legal framework in terms of which information of a personal nature held about any data subject, which includes a natural living or juristic person, should be dealt with in a confidential way. The definition of personal information in the POPI Act includes, amongst others, any information on a data subject’s race and ethnic origin; the data subject’s medical, financial and criminal history; any identification number; as well as a data subject’s biometric information. The POPI Act sets out certain requirements to be adhered to in the lawful processing of personal information.
Legislative Requirements to provide Personal Information.
Legislative requirements within the South African context provide for various information of a personal nature that should be provided to service providers, government departments, etc. in order to provide a service and, basically, to conduct a lawful business within South Africa. Although the POPI Act provides that personal information may be processed, i.e. received, stored and divulged, if it is necessary to adhere to legal requirements, the disclosure of such information should be undertaken in such a way that the requirements of the Act are taken into account. A very delicate balancing act is therefore necessary in order to ensure that information essential to adhere to legal requirements is submitted, while still ensuring that such information is protected and dealt with confidentially as required by the POPI Act.
Legislative Requirements to provide information in terms of the Health and Safety Regulations.
Health and safety legislation requires a business not only to comply with safety standards, but also to ensure that employees are subjected to rigorous health tests and that a health and safety file is compiled, which will include multiple aspects of personal information of such employees. In order to adhere to this legislation, the health and safety file should be made available on request to different parties in the service process, including a health and safety inspector. Taking into account the personal nature of such information, especially the health of a person, which is believed to be special personal information, it should be provided and divulged to parties requesting it in such a way that the requirements for the lawful processing of personal information in terms of the POPI Act are maintained.
Steps to ensure that information is treated confidentially
The steps include determining that the information provided is necessary in order to adhere to the requirements of health and safety. It is therefore essential, when compiling such a file, that the business first determines which information is compulsory and includes only such information in the health and safety file.
The information should furthermore be protected against possible loss, theft, unauthorised destruction or unauthorised access. This will include storing the information in a safe environment, where only limited personnel have access to the files. In the event that it is a requirement that such information be disclosed away from the business premises, i.e. off-site, only designated employees should receive access thereto. These employees should be provided with the necessary training regarding the requirements for the lawful processing of information in terms of the POPI Act and should also be requested to sign policies relating to the requirements for the lawful processing of personal information. This should be made part and parcel of a company’s policies and procedures and disciplinary code. The company should from time to time verify that these procedures are followed by, for instance, ensuring that the health and safety files are, if possible, returned to the business when the project they were requested for has been finalised.
Furthermore, any person other than the company’s employees who receives information, whether as a contractor, health and safety inspector or in whatever other capacity, should sign a non-disclosure or operator agreement in terms of which they agree that the information received, if it is of a personal nature, will be kept confidential by them and will only be processed in very limited circumstances.
ABOUT THE AUTHOR
Jano Fourie has been a SEESA Consumer Protection & POPI Legal Advisor since August 2011 and has almost 7 years’ previous experience as an attorney. He obtained his BA Law and LLB degrees from the University of Stellenbosch. He also obtained a Master’s degree in Tax Law from UNISA.