Monique Jefferson & Nadine Mather
PROTECTION OF PERSONAL INFORMATION ACT

DATA PROTECTION IN SOUTH AFRICA

What is the current status of data protection regulation in South Africa?
- Common Law
- Constitution
- The Protection of Personal Information Act (POPIA)
- Other applicable legislation

THE POTENTIAL IMPACT ON THE EMPLOYMENT RELATIONSHIP

Potential questions relating to the employment relationship that arise as a result of the provisions of POPIA:
- Is an employee entitled to ask to see a reference before it is sent to a prospective employer?
- Can an employer conduct a credit record check on an applicant?
- Can an employer engage a third party to conduct criminal record checks on its behalf?
- Can an employer transfer employee information to its holding company in a country that does not have the same or similar data protection laws?

WHAT IS PERSONAL DATA / INFORMATION

An employee’s personal information may include, for example:
- remuneration and bank account details;
- medical aid number;
- fingerprint for access to the employer’s premises;
- performance review notes;
- a set of completed job applications; or
- emails relating to a work incident.

Do employers have rights under POPIA?

WHO ARE THE ROLE PLAYERS

- Data subject – the Employee
- Responsible party – the Employer
  - decides the purpose of data processing
  - decides the way in which the personal data should be processed
- Operator – Third party service provider
  - processes personal information for a responsible party in terms of a contract or mandate
- Information Regulator
- Information Officer

Are any of the above role players required to register?

WHAT IS PROCESSING

Processing is anything that is done with personal information, including:
- collection
- organisation
- storage
- disclosure
- transmission
- use

Will POPIA apply in relation to a conversation between two colleagues in respect of their views of their candidate attorney’s performance?

Would POPIA apply in a due diligence exercise where the details of employees’ remuneration are processed but the employees’ names have been redacted?

WHAT IS PROCESSING

POPIA will only apply to the processing of personal information:
- entered in a record by automated or non-automated means; and
- where the employer is domiciled in South Africa or is not domiciled in South Africa but makes use of automated or non-automated means in South Africa.

POPIA will not apply to the processing of personal information if:
- it is for a personal or household activity;
- it has been sufficiently de-identified;
- it is by a public body for the purposes of national security;
- it is performed by the Cabinet; or
- it relates to the judicial functions of Court.

CONDITIONS FOR LAWFUL PROCESSING

In terms of POPIA, there are eight conditions for lawful processing:
- Accountability
- Purpose specification
- Processing limitation
- Further processing limitation
- Information quality
- Openness
- Security safeguards
- Data subject participation

JUSTIFICATIONS FOR PROCESSING OF PERSONAL INFORMATION

In terms of POPIA:
- Can an employer conduct a credit record check without a job applicant’s or employee’s consent?
- Will an employer be able to process an application for an income tax directive?
- Can an employer disclose an employee’s personal information, for example their bank details, to a payroll provider?

JUSTIFICATIONS FOR PROCESSING OF PERSONAL INFORMATION

Permissible grounds on which personal information is allowed to be processed are:
- consent by the employee;
- the processing is necessary for a contract to which the employee is a party;
- there is a legal obligation to perform processing;
- protection of a legitimate interest of the employee;
- public law duty by a public body;
- necessary to pursue the legitimate interests of the employer / third party.

SPECIAL PERSONAL INFORMATION

In terms of POPIA:
- Can an employer require an employee or job applicant to undergo a medical test?
- Can an employer conduct a criminal record check without an employee’s or job applicant’s consent?
- Can an employer upload photos of its employees on the company website or on social media platforms?

SPECIAL PERSONAL INFORMATION

The categories of special personal information include:
- Religious or philosophical beliefs
- Race or ethnic origin
- Trade union membership
- Political persuasion
- Health, sex life
- Biometric information
- Criminal behaviour

SPECIAL PERSONAL INFORMATION

Processing of special personal information is prohibited unless:
- the employee consents to the processing;
- the information has deliberately been made public by the employee;
- the processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- the processing is necessary to comply with an obligation of international public law;
- the processing is for historical, statistical, academic or scientific research;
- the regulator has granted authority for the processing in the public interest and there are appropriate security safeguards in place; or
- it is in accordance with the specific circumstances prescribed by POPIA.

RIGHTS OF DATA SUBJECTS

In terms of POPIA:
- Is an employee entitled to ask to see a supervisor’s handwritten notes from a performance discussion?
- Can an employee request an employer to make changes to a reference on the basis that it is inaccurate?
- What if an employer’s HR representative mistakenly misplaces potential candidates’ CVs on a plane?

RIGHTS OF DATA SUBJECTS

An employee has the right to have her/his personal information processed in accordance with the conditions for lawful processing, including the right to inter alia:
- be notified that personal information about her/him is being collected and/or has been accessed or acquired by an unauthorised person;
- establish whether her/his employer holds information about the employee and request access to such information (an employer may, however, refuse access based on the grounds in PAIA);
- request the correction, destruction or deletion of her/his personal information;
- object on reasonable grounds to processing of her/his personal information;
- submit a complaint to the Regulator or institute civil proceedings.

TRANSFERRING INFORMATION TO OTHER COUNTRIES

In terms of POPIA:
- Under what circumstances can an employer send the personal information of its employees to its holding company in a foreign country?
- Can an employer store employees’ personal information on a cloud?

TRANSFERRING INFORMATION TO OTHER COUNTRIES

Transborder information transfers are prohibited unless such transfer falls within the ambit of the following exemptions:
- where the receiving country has similar laws in place, or is subject to binding corporate rules or a binding agreement concluded between the sending employer and receiving employer that provides for an adequate level of protection substantially similar to that in POPIA;
- the employee consents;
- the transfer is necessary for performance of a contract to which the employee is a party;
- the transfer is necessary for a contract in the interest of the employee; or
- the transfer is for the benefit of the employee and getting consent is impractical.

Can an employer transfer medical results to its holding company in a foreign country that does not have adequate data protection laws?

STEPS TO COMPLY

- Transitional period of 12 months
- Review and develop standard clauses around data protection in employment contracts and workplace policies
- Conduct an audit as to what personal information is held, where it is held and by whom
- Establish what personal information is collected in one place and transferred to another
- Develop group-wide standard data protection policies and protocols if not already in place
- Establish means to comply with notification requirements
- Appoint an information officer and deputy information officers for purposes of POPIA and PAIA
- Develop policies around retention
