The Protection of Personal Information Act 4 of 2013 (“POPI”) provides that every data subject’s personal information should be processed in terms of the Act. Although some employers/companies are under the impression that the Act only applies to their clients and/or suppliers, it is important to note that employees also fall under the definition of a data subject. (Data subject means the person to whom the personal information relates.)
Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –
a) The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
b) Dissemination by means of transmission, distribution or making available in any other form; or
c) Merging, linking, as well as restriction, degradation, erasure or destruction of information.
Section 18 of POPI stipulates that when an employer (responsible party) collects personal information (from data subjects, including employees) to be processed for a specific purpose, the employer (responsible party) must take reasonable, practicable steps to ensure the data subject (employee) is aware of –
- The type of personal information being collected (if collected from another source, the source should be named);
- The name and address of the employer;
- The purpose for which the personal information is collected;
- Whether the supply of personal information is mandatory or voluntary;
- The consequences of failure to provide personal information;
- Any particular law authorising or requiring the collection of personal information;
- Whether the employer intends to transfer the information to a third party or international organisation and the level of protection offered by them.
The Act makes provision for the fact that a responsible party (an employer) should comply with the legal requirements as set out above. It is important to note that sufficient procedures and/or policies should be implemented to comply with the Act when processing personal information of employees (data subjects). A practical way to comply with the above would be issuing a Privacy Policy and/or addendum to the employment contract of employees containing the above information.
The Act further places an obligation on employers (responsible parties) to inform all employees (data subjects) who process personal information of fellow employees (data subjects) of POPI requirements. This may be done by implementing internal policies with regard to the processing of personal information. These policies will limit the employer's risk. Compulsory training sessions with all employees will also limit the risk of the employer (the responsible party).
Unfortunately, human error or intentional actions of employees (data subjects) cannot be predicted, and section 109 (3) (a) to (h) of POPI determines that certain factors should be taken into consideration by the Regulator when issuing an administrative fine, including but not limited to –
- whether the responsible party could have prevented the contravention from occurring;
- any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information.
It is clear from the above that having policies in place would play a role when a fine is determined.
Although not all sections of the POPI Act are effective as yet, implementing policies and training employees will take considerable time, and it should be done before all sections are effective.
ABOUT THE AUTHOR
Stephanie Christensen holds BComm Law and LLB degrees. She was admitted as an Attorney of the High Court of South Africa in 2009. She has been with SEESA since 2009 and with SEESA Consumer Protection & POPI at the Cape Town office since February 2016 as a legal advisor.

