President Cyril Ramaphosa has announced that sections of the long-awaited Protection of Personal Information Act (POPIA) will finally be enforceable from 1 July 2020. Companies that process data regarding their employees, clients and service providers now have one year to ensure compliance with POPIA’s data processing provisions.
The key POPIA provisions relating to the employment relationship are set out below. In order to comply with POPIA, employers must:
• ensure that they are processing the personal information of their employees, job applicants, independent contractors and all other data subjects lawfully. In terms of POPIA, processing includes the collection, use, retention, updating and destroying of personal information. POPIA sets out eight conditions which, if followed correctly, will ensure the lawful processing of personal information. These conditions are (1) accountability; (2) processing limitations; (3) purpose specifications; (4) further processing limitations; (5) information quality; (6) openness; (7) security safeguards; and (8) data subject participation.
• observe the general prohibition on processing special personal information. This prohibition applies only to information that is considered special personal information, which includes religious beliefs, race, criminal behaviour, health, sex life, political persuasion and even trade union membership. The prohibition can be waived by obtaining consent from the data subject to process the information. However, consent can be revoked at any time. If an employer plans to rely on consent as the waiver, it is important that such consent is in writing to avoid any revocation issues later on. Ideally, consent should not be the only waiver that an employer can rely on to process special personal information. An employer should also be able to rely on the fact that (1) there was a legal necessity for the information to be processed, (2) there was a historical, statistical or research purpose for the information to be processed, or (3) the information was deliberately made public by the data subject.
• not subject employees to a decision which results in legal consequences or substantially affects them and is based solely on the automatic processing of personal information intended to provide a profile. This includes an employee’s work performance and is specifically mentioned in this prohibition.
• enter into a written agreement with any outsourcing service providers to ensure that adequate safety measures are in place, protecting the integrity and confidentiality of all personal information in its possession.
• be cognisant of where its service providers are based. POPIA places a duty on any responsible parties who transfer personal information to a foreign country to ensure that the country has adequate protections for personal information in place.
Since POPIA allows for a one-year transitional period, companies will need to be fully POPIA compliant by 30 June 2021. It is essential for companies to work out any problems before this date to avoid the hefty penalties for non-compliance, such as imprisonment of up to 10 years or administrative fines not exceeding R 10 million. Compliance with POPIA will also ensure that companies are able to avoid the reputational damage that follows a data breach.
Johan Botes is a Partner and Head of the Employment and Compensation Practice, and Kirsty Gibson is a Candidate Attorney at Baker McKenzie Johannesburg.