
Can employers be held liable for employee data breach conduct?

“POPIA affects so many aspects of the business such as the information technology systems, customer processes and information handling practices, that POPIA cannot be ignored. Organisations need to be mindful of how they collect information, why they are collecting information, and importantly, how they are storing it. One of the most prudent facets of the POPI Act includes receiving informed consent from data subjects or employees concerning the use of their personal information,” explains Wessels.
Employers can also be held liable for the conduct of their employees in relation to data breaches, regardless of whether there was any wilful or negligent conduct on the employee's part. This vicarious liability is a further incentive for an organisation to train its employees on how to properly handle and dispose of personal information.
Citing the recent data breach experienced by the Credit Bureau, Wessels says organisations need to conduct a gap analysis to ascertain to what extent they meet the compliance requirements, so as not to suffer the same fate.
“POPIA compliance is not a one size fits all approach. Organisations can make use of experts to action the recommendations generated from the assessment report under the gap analysis to strengthen their data handling processes. Organisations found guilty of breaching POPIA requirements may be fined by the Information Regulator up to R10 million or face an imprisonment term not longer than 10 years,” warns Wessels.
He says companies often make the mistake of thinking POPIA is only relevant to organisations that deal in data sets, such as those in the information technology sector.
“POPIA is relevant to any organisation that deals with data subjects and any special and personal information, especially the kind often found in Human Resource departments such as résumés, identity documents, contracts of employment and banking details. POPIA seeks to regulate the processing of personal information, which includes, among other things, collection, storage and dissemination, to ensure greater security of data and privacy. This means every company is affected,” says Wessels.
He says businesses that do not have measures in place to collect information safely and correctly may incur additional costs in training their staff on identifying what personal information is and how to store, process and delete it to avoid data leaks. Furthermore, companies may need to revise their HR policies and update their contractual arrangements.
“With so many companies having moved from brick and mortar to working in the digital space, partnering up with the right service providers becomes key to ensure businesses are mitigating any potential liability in terms of POPIA. Companies need to understand what their role is in the collection of personal information and start implementing processes now to ensure they are compliant rather than waiting on the Information Regulator to start fining organisations,” concludes Wessels.
