POPIA Tips In The Workplace: A Quick Guide For Employers
Tiaan Dwyer | HR Specialist
August 03 2021
The month of July has finally come for business owners to ensure privacy compliance with the Protection of Personal Information Act (POPIA) for all of their employees.
In this article, I’ll draw your attention to the main points employers will need to know and do to be and remain compliant with POPIA.
What does this mean for your business and you as a business owner?
POPIA (also referred to as the POPI Act) applies to all businesses, both small and large, that operate in South Africa or process personal information in South Africa. In this context, personal information can be summarised as information that can be tracked or linked back to an identifiable individual, business, or organisation.
Employers have until 30 June 2021 to be compliant; the act will be enforced from 1 July 2021. Every business should designate an information officer, who should be registered with the Information Regulator. This person is usually the CEO, business owner, or a senior executive member. If any member other than the business owner or CEO processes personal information on behalf of the employer, they will need the necessary authorisation from the employer to do so and a written contract summarising their roles and responsibilities. Along with that permission, they must treat all personal information with integrity and confidentiality.
Any company or person who keeps personal information must take steps to prevent the loss, damage, and theft of that personal information. It’s also important to note that POPIA prohibits the processing of special personal information, such as race, health status, criminal behaviour, or trade union membership, unless:
- An employer obtains consent from the employee
- The information is required by law
- The information is for statistical or research purposes
- The employee makes their information public, on social media for example
Consequences of non-compliance
Failure to comply with POPIA can result in a fine between R1 million and R10 million, or imprisonment for one to ten years depending on the severity of the data breach.
8 steps employers can take to comply with POPIA
An employer must meet compliance requirements with POPIA the moment personal information is processed. An information officer needs to be appointed and registered with the regulatory body under POPIA.
Processing of information can begin once the conditions below are met:
- The employee consents to the information processing; or
- Processing is necessary to conclude or perform a contract to which the employee is a party; or
- Processing is necessary for the employer to comply with a statutory obligation; or
- Processing protects a legitimate interest of the employer or the employee.
Employee information collected must be for a specific, defined, and lawful purpose. Also, employment information should not be held for longer than necessary to achieve the specific purpose.
Further processing limitation
Any further processing must be compatible with the purpose of the original collection.
The employer must ensure all employee information is complete, accurate, updated, and without errors.
An employer must be transparent with their employees about how the information will be used and with whom it will be shared, and must take steps, where necessary, to communicate any future disclosures of the personal information collected and the reason for them.
An employer must ensure the integrity and confidentiality of personal information under their control. They must take all necessary steps to prevent the loss or damage of that information and to protect it from access by a third party or anyone not designated the “information officer” by the owner of the company.
An employee has the right to know what personal information the employer keeps about them and can, at any time, request the records that the employer holds. An employee is also entitled to know which third parties have or had access to their personal information.
Practical Tips and Recommendations
- Appoint a trustworthy information officer who is familiar with data privacy laws and who can take on this responsibility.
- Understand the data you deal with. You can’t protect data if you don’t understand the data you have in your possession.
- Conduct an audit of the personal information currently being held and look for improvements.
- Visibly demonstrate compliance in the form of communication and documentation.
- Notify employees of processing and gain their consent beforehand.
- Report data breaches to the Information Regulator and the employees concerned.
- Do not share any personal information unless it is permissible to do so.
- Regularly review the security policy you have in place to ensure no data leaks occur.
Conclusion and disclaimer
While this short article does not cover everything an employer needs to act upon regarding POPIA, it’s a good starting point. Although the new POPIA act might seem difficult to implement, it shouldn’t be challenging for employers to comply with, especially if you’ve prioritised employee privacy in the past.
If there is something I want you to know about me right away, it’s that I have a passion for supporting business owners. I believe in the future of South Africa and that there are so many opportunities out there to be successful and to make a change to our economy.
I want to be part of that change by providing businesses with core HR and Labour Solutions that will not only result in legislative compliance but actually positively impact their bottom line.
Over the years I have gained practical HR experience working in various sectors such as mining, construction, financial services, and corporate legal. As a business owner myself, I can relate well to businesses and what their needs are.