What employers need to know about PoPIA
Employers need to be fully compliant with PoPIA by 30 June 2021. Non-compliance can result in significant penalties - up to 10 years imprisonment and/or R10m in administrative fines.
Key things you ought to know as an employer
PoPIA applies to personal information and special personal information that is subject to processing or further processing. Processing encompasses a wide range of activities including the initial obtaining of personal information and the use and retention of that information as well as access, disclosure and final disposal of that information.
From an employment perspective, PoPIA applies to:
- information such as identity numbers, contact details, employment history, psychometric assessment results, references, qualifications, disciplinary records, union membership, grievances, health and biometric information; and
- the full life cycle of the employment relationship - from recruitment to post termination and continues to apply for five years after the relationship has ended (and still applies where the employer is approached as a reference).
Employers must therefore ensure that they lawfully process the personal information of job applicants, employees, retired employees and dismissed employees. To the extent that employers process personal information of independent contractors and other service providers, they must also ensure that they lawfully process such information.
Lawful processing will be achieved by complying with the eight conditions set out in PoPIA:
- Accountability
- Processing limitation
- Purpose specifications
- Further processing limitation
- Information quality
- Openness
- Security safeguards
- Data subject participation
PoPIA prohibits processing of special personal information, which includes information on race, health, criminal behaviour and trade union membership unless:
- an employer obtains express consent to do so from the relevant employee; or
- the information is required by law – (legal necessity); or
- the information is for historical, statistical or research purposes; or
- the information was deliberately made public by the data subject.
Next steps for employers
From an employment perspective, employers should take the following steps to ensure PoPIA compliance:
Civil claims against employers
Section 99(1) of PoPIA provides that a data subject or the Regulator (at the request of the data subject) may institute a civil action for damages against a responsible party for breach of PoPIA. Action may be instituted irrespective of whether or not there is intent or negligence on the part of the "responsible party". "Responsible party" include employers.
Employers must bear in mind that many employees process high volumes of personal information both internally and externally. A good example of this in practice is the Human Resources function of any employer.
Employers will need to ensure that they follow the steps listed above to limit the risk of employees processing information unlawfully and in contravention of PoPIA.
Employers should bear this section in mind as it creates significant legal risk for employers if employees do not process information lawfully and in compliance with PoPIA.
About Kirsten Eiser & Shane Johnson
Kirsten Eiser, Partner and Shane Johnson, Professional Support Lawyer at Webber WentzelRelated
Public release of the NRSO: Educators to get first look 27 Feb 2025 What you need to know about the new direct marketing guidance note 11 Dec 2024 5 risks of personalised marketing in the context of the PoPIA 5 Dec 2024 2024 Matric results to be withheld from newspapers, says Information Regulator 14 Nov 2024 Tips to protecting your personal information when gaming 12 Sep 2024 How PoPIA's protection extends to Pty Ltds 22 Aug 2024 Putting the consumer in control: the power of consent 15 Nov 2023 Enforcement Notice issued to Dis-Chem due to contravention of PoPIA 4 Sep 2023
