The requirements of the POPI Act stipulates that an entity is required to take reasonable measures of a technical, as well as organisational nature, to ensure the adequate safeguarding of personal information. Personal Information, according to the Protection of Personal Information Act, 2013 includes the following:
- Information relating to the following of a person:
- Race/nationality/ethnic/social origin/colour
- Gender/sex
- Pregnancy
- Marital status
- Sexual orientation
- Age
- Physical or mental health/well-being/disability
- Religion/conscience/belief
- Culture/language
- Birth
- Education, medical, criminal, employment or financial history of a person
- Identifying number, email address, telephone and physical address, location information, online identifier
- Biometric information
- Personal opinions, views or preferences
- Explicitly or implicitly private or confidential correspondence
- Views of others about that person
- Name, if it appears together with other personal information about that person or if the name would reveal information about that person
Personal information may only be processed (collected, stored, received, organised etc.) if the following conditions are complied with:
- Accountability
All the conditions below must be complied with.
- Processing
Personal information may only be processed if the processing is lawful and in a reasonable manner which does not infringe the privacy of the data subject
- Consents
- Necessary to carry out a contract to which the data subject is a party
- Obligation imposed by law
- Protects legitimate interest of data subject
- Necessary for a proper performance by a public body
- Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied
Information must be collected directly from the data subject unless the information is obtained from a public record, then the data subject consented would not prejudice a legitimate interest of the data subject or if the collection is necessary in terms of a law.
Employers must obtain the employee’s consent for their personal information to be collected and used. They must be aware of the third parties (or other individuals) who might have access to it.
- Purpose Specification
Personal information must be collected for a specific, defined and lawful purpose related to a function or activity of the responsible party.
Records of information must not be retained for a longer period than is necessary. If it is kept for research, statistical or historical purposes, then it can be kept for longer if there are adequate safeguards in place from the records being used for other purposes.
The responsible party (the employer) must ensure that safeguards are in place to protect the data from being used for other purposes. Employees obtaining these types of personal information of other employees should have a clause in their employment contracts dealing with confidentiality.
- Further Processing Limitation
Further processing of personal information must be in accordance or compatible for the purpose it was collected for (see Section 15). It will not be incompatible if the data subject consents or the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purpose and will not be published in an identifiable form.
The employer must obtain the employee’s consent if further processing takes place and it is not compatible with the reason it was collected for.
- Information Quality
A responsible party must take steps to ensure the information is accurate, complete and not misleading.
- Openness
The data subject (employee) must be aware of the information being collected, or if information is not collected from the data subject, the source where it is collected from, the purpose for the collection etc. unless the data subject consents to the non-compliance. The responsible party must take reasonable steps to ensure that the data subject is informed.
If personal information of the employee is collected by a third party via the employer, the employee needs to be aware of it unless the employee consents to non-compliance.
- Security Safeguards
The responsible party must ensure the integrity and confidentiality of the information in its possession or under its control by taking reasonable and appropriate measures to prevent loss or damage to personal information and unlawful processing of information.
Anyone processing personal information on behalf of a responsible party may not disclose the information.
Data subjects must be notified if personal information has been accessed or acquired by an unauthorised person (or the responsible party has reasonable grounds to believe so).
The employer or third party should ensure that employee data is treated as confidential information. Our suggestion would be to include a confidentiality clause in the employment contracts. Passwords must also be set up on the systems.
- Access to personal information
A data subject (employee) has a right to request access to personal information, also to correct or delete it.
Although financial information is not specifically dealt with in the above mentioned Protection of Personal Information Act, according to the Basic Conditions of Employment Act, it is an offence for any person to disclose information which that person acquired while exercising or performing any power or duty in terms of this Act and which relates to the financial or business affairs of any other person, except if the information is disclosed in compliance with the provisions of any law.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)