The Protection of Personal Information Act 4 of 2013 (“POPI”) was enacted to give effect to the constitutional right to privacy. However, the right to privacy is not an absolute right and must be balanced by justifiable limitations which give effect to other rights and interests, such as an employer’s right to access to information.
Employers hold a vast amount of information about their employees, including their age, race, ID number, contact details, marital status, union membership and information about their health. In order to ensure compliance with POPI, employers will have to significantly change how they collect, store, use and communicate personal information belonging to their employees.
On 11 April 2014, the President published a notice in the Government Gazette proclaiming the commencement of certain sections of POPI. Prudent employers should begin taking steps towards compliance as the enactment of the remaining provisions is imminent.
Employees will acquire a number of wide-ranging rights under the bill, including the right to object to the employer processing his personal information; the right to request details from the employer of any personal information held about him and information about any third parties who have or have had access to that information; and the right to insist that the employer corrects or deletes certain personal information.
There are eight data-protection conditions or principles that govern the lawful processing of personal information. The term “processing” applies to a wide range of activities. The data-protection principles ensure that the “data subject” is aware and in control of the processing of the information that the processing is limited to the extent necessary without unjustifiably infringing on the privacy of the individual and that it is subject to secure processes.
Employers are, in the absence of the employee’s consent, prohibited from processing special personal information which includes information concerning an employee’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.
POPI imposes criminal penalties for offences. While we wait for POPI to be enacted in its entirety, employers should conduct a comprehensive data protection audit. The audit should cover the full employment cycle from advertisements for vacancies, data collection for pre-employment screening purposes (both in relation to successful and unsuccessful applicants), processing of employee information throughout employment until the retention of employee records post the exit interview stage.
Melanie Hart is a Partner at Fasken Martineau.