Protection of Personal Information Act & your employees - what you should know

Before you read this post, walk into your office and locate the files containing information regarding the business’ employees. Who has access to these files? Are they stored securely? How long has the business retained this information? Has the information been backed-up? Is that storage secure? What information do you actually hold about your employees? How did you obtain this information?

And most importantly, if you can answer these questions, can you easily show that there is a link between those answers and the purpose for which you will use that information?

You may ask why these questions are important. The Protection of Personal Information Act (‘POPI’) will soon become effective and, with that, will require any person or business that processes personal information to comply with its rules and regulations. Unlike prior legislation, which has been industry-specific, POPI will (in one way or another) affect every business, regardless of type or industry. Failure to comply with the requirements of POPI may result in fines of up to R10 million, up to ten years’ imprisonment and/or claims for civil damages.

An often overlooked area of personal information processing is that of “human resources”. Every business in existence in South Africa is a processor of personal information if it holds any information about its employees. Employers will be required to collect, process, store and destroy the personal information they hold about their employees in terms of POPI’s rules and regulations.

For every working business relationship, a certain amount of personal information must be collected. This includes identification details, financial and educational information, addresses, telephone numbers, health information and any additional information that is required in terms of the specific employment relationship. Employers may even hold information such as race, trade union membership or biometric information, amongst others, which is considered to be “special personal information” and which requires a higher level of protection.

It has long been simply accepted that employees are to provide their information to their employers and that this information will then be held in the employees’ files. However, in reality few businesses have policies or procedures in place to adequately protect and process that information in a manner that is in line with POPI.

Employee information is to be protected and should not be shared with, or be easily accessible to, persons who do not require access to it. CVs sent in by prospective employees must also be dealt with in terms of POPI, as these candidates often share a vast amount of personal information in the hope of obtaining a position in your business. Similarly, personal information held about employees who have moved on from your business must be dealt with and destroyed if it is no longer needed by law or for another legitimate reason. This information may include employee files and even reference letters.

As an employer, you must understand, and disclose to your employees, the exact ambit of the information you are collecting and the specific purpose for which you are collecting it. Employees must be aware that any information collected from them is collected with their knowledge and consent. As an employer, you must also guard against collecting information which is not necessary or which does not serve any of the purposes you have stated. Another essential requirement is that the information must be accurate and up to date, and that employees should be able to access the information held about them.

One way to enable the above is to have a clear understanding of where the employee data sits within your organisation and how it is managed. Once that understanding has been reached, a policy relating to employee data should be prepared, and all further decisions relating to employee data must be made with reference to that policy. This policy must enable the employer and employees to understand their rights to their data and privacy in a simple and clear manner which is in line with the requirements of POPI.

In addition, POPI requires the appointment of an information officer within your organisation, and this person will be the main reference point for all information-privacy-related aspects of your business.

This information officer will also be vital in the event that a breach occurs and your employees’ personal information is stolen or accessed without authorisation. The information officer will also ensure that proper training is provided to employees within the business so that they understand with whom information may be shared, who may or may not have access to information, and what to do when a suspected breach of the information privacy policy or a suspected security breach has occurred.

In summary, POPI will have a great effect on all businesses, even if your primary business activity is not that of processing information. What every business has at its core is a database of sensitive personal information, which it processes. Every business is thus a responsible party in terms of POPI, and every business must at the very least ensure that it is compliant with the requirements of POPI.

Should you require any further information or assistance, kindly contact Futcher & Poppesqou Attorneys on and we will gladly assist in your business’ POPI compliance journey.

This article is a general summary of certain legal issues. This article does not constitute legal advice and does not purport to be a detailed or complete explanation of the subject matter.