POPIA Topic 3

POPIA Topic 3

Written on 03/01/2021
MJ Minter Inc

The general provisions under POPIA will apply equally to any personal information processed by an employer as part of an employee’s employment, and all employers have until 1 July 2021 to ensure that their workplaces are fully POPIA compliant. 

The processing of an employee’s general personal information is necessary for a variety of reasons, such as: 

  • Concluding Employment Contracts 
  • Recruitment and Training 
  • The requirements of the Occupational Health and Safety Act, 1993, the Basic Conditions of Employment Act, 1997, and the Employment Equity Act, 1998. 
  • The Covid-19 Pandemic 

POPIA does also specifically include an employee’s employment history within the definition of personal information.

Chapter 3 of POPIA lists the 8 conditions for lawful processing of personal information. It is advisable that an employer be aware of these provisions.

Employers may also be required to process special personal information of an employee. To recap, this kind of special information relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information. 

The processing of this information attracts special additional rules of compliance in terms of POPIA. Employers need to be cognisant of these special rules – especially in light of the Covid-19 pandemic, and the impact that this has had on the workplace. 

How do we start the POPIA compliance program in the Workplace?

1. Designate an Information Officer 

By default, the role of Information Officer, is assigned to the CEO / Managing Director / Sole Proprietor of an entity, whichever is applicable – however, this role can be delegated to someone else.
The Information Officer’s responsibilities include: 
(i)    The encouragement of compliance by the employer with the conditions for lawful processing of personal information (such as the health information of employees relating to Covid-19)
(ii)   Dealing with requests, including employee access requests 
(iii)  Working with the Information Regulator in relation to investigations. 

2. Develop a procedure ensuring information is processed in a lawful manner.

3. Ensure that the processing of personal information is done in accordance with the 8 conditions for the lawful processing of personal information.

4. Obtain consent from employees for the processing of their personal information.

The first step employers can take to guard against liability in terms of POPIA is to ensure that the consent of employees is obtained, and the processing of the employee’s personal information is for a specified purpose. An employee must be in a position to “opt in” and know what their personal information will be used for. POPIA states that, in addition to consent, justification for processing can be attained where the processing of personal information is necessary for conclusion of a contract, complies with an obligation imposed by law, protects the interest of the employee, or is necessary for the legitimate interests of the employer. Thus, obtaining proper consent from employees on a voluntary basis is essential. The way this can be done is by:

  • providing consent forms for signature, when consent is required – these forms will set out the specific purpose for which the employee’s personal information will be processed, or
  • amending all contracts of employment to include special reference to the processing of personal information and consent.

5. Provide training to employees so as to ensure that information of clients and customers etc. are processed lawfully, and also to ensure that employees themselves, as ‘data subjects’ are aware of their rights. 

Employees have certain rights under POPIA. These include:

  • the lawful processing of their personal information;
  • to consent to the processing and further processing of personal information;
  • to be notified when their personal information is being collected or has been subject to a breach;
  • to be able to request access to their personal information;
  • to object to the processing of their personal information; and
  • to request the correction, destruction or deletion of their personal information. 

6. Putting in place measures to ensure the processing of ‘special personal information is lawful. 

7. Putting in place a Manual on Workplace Policies and Procedures 

It is the responsibility of the Information Officer to put a manual in Place on Workplace Policies and Procedures for POPIA. This manual should function as an important tool in training staff on the requirements, implications, implementation, and consequences of POPIA. Compliance with every aspect of POPIA should be understood by everyone in the workplace. By setting up the manual, the policies and procedures will be documented. But they also need to be seen to be implemented. Checklists for procedures and protocols for recording actions are thus also important to have in place. Examples of polices to be included in the manual would be:

  • A Privacy Policy;
  • A Monitoring and Surveillance Policy;
  • A Protection of Personal Information Policy;
  • A Data Protection Policy;
  • A Data Retention Policy;
  • A Communications Policy;
  • An Information Technology Security Policy;
  • A Covid-19 Policy

The list above is only an indication of commonly used policies. Depending on the size, scale and services of an employer, it may be necessary to consolidate the policies or establish new ones to adequately address high risk areas when processing personal information of employees, and/or clients, customers, services providers etc. (data subjects). These policies form a basis of compliance and awareness, however regular training of employees on and about the policies is essential. 

8. Ensure that adequate safe-guards are in place 

Employers are required to identify reasonably foreseeable risks, in respect of non-compliance with POPIA, and then develop safeguards, in order to respond thereto. For example, in relation to cybersecurity. Employers must, in terms of Section 18 of POPIA, implement appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of any personal information in their possession or control. 

9. Implementing procedures to address and deal with any complaints from employees regarding the processing of their personal information. 

Covid-19, the Workplace and POPIA:
On the 15th March 2020, a national state of disaster was declared by the South African Government due to the Covid-19 pandemic that reached our shores in early 2020. Regulations and Directives have been published to provide for procedures to be followed during the period of lockdown. In terms of these, employers are required to process personal information and special personal information of both employees and clients/customers/service providers (i.e. third party visitors to the workplace) to prevent and mitigate the spread of Covid-19.

Regulation 46(5) issued in terms of Section 27(2) of the Disaster Management Act, 2002, states that employers are required to implement measures for employees who are over 60 years of age, or those with comorbidities, to facilitate their safe return to work, which may include special measures at the workplace to limit employees’ exposure to Covid-19 infection and where possible that the employees work from home.

Regulation 46(6) states that construction, manufacturing, business and financial services firms with more than 500 employees must finalise appropriate sector or workplace arrangements or compacts to address, inter alia, the screening of employees daily for symptoms of Covid-19 and for referring the employees who display symptoms for medical examination and testing where necessary, and submitting data collected during the screening and testing process to the Director-General: Health.

The Occupational Health and Safety Labour Directive 20.11 states (inter alia) that if a worker has been diagnosed with Covid-19, an employer must:

  • Inform the Department of Health and the Department of Employment and Labour, and
  • Investigate the mode of exposure including any control failure and review its risk assessment to ensure that the necessary controls and PPE requirements are in place;
  • Give administrative support to any contact-tracing measures implemented by the Department of Health.

Directive 25.2 requires workers to immediately inform the employer if they experience any symptoms such as cough, sore throat, shortness of breath, loss of smell or taste, fever, body aches, redness of eyes, nausea, vomiting, diarrhoea, fatigue, weakness or tiredness – while at work.

Employers are thus obligated to process health information of employees in terms of these Regulations and Directives by way of screening, recording of symptoms, test results, and the registering of comorbidities.

This information, by its nature, is special personal information, as defined by POPIA. Ideally, proper, written, clear, voluntary and specific consent should be obtained by the employee / third party in regard to the processing of such information. Where there is no such consent, or a refusal to give consent, Section 27 of POPIA would apply – whereby an employer (as a Responsible Party) may make an application to the Information Regulator to authorise the processing of special personal information where such processing is deemed by the Information Regulator to be in the public interest and subject to adequate safeguards.

Section 32(1)(f) of POPIA entitles employers to process health information of employees if necessary, for (i) the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on health or sex of the data subject or (ii) the reintegration of or support for workers or persons entitled to a benefit in connection with sickness or work capacity.

Directive 47 of the Occupational Health and Safety Directive also places an obligation on workers to comply with measures introduced by employers in regard to Covid-19. 

The 8 conditions for the lawful processing of the personal information as set out in POPIA would also apply in these circumstances. By way of example, we have listed three of these conditions below, and how they would be implemented in regard to Covid-19 in the workplace:

Condition 3: Purpose Specification 

  • Whereby records on Covid-19 information should not be retained for longer than necessary to achieve its purpose. 

Condition 5: Information Quality 

  • It is important to ensure that the correct symptom screening results are stored in respect of the correct employee. 

Condition 8: Data Subject Participation 

  • Employees are entitled to request access to their personal information on Covid-19 as processed by the employer. 

Regulation 17 has clarified the situation relating to Condition 3, by stating that:
“Within 6 weeks after the national state of disaster has lapsed or been terminated – 
(a) The information on the Covid-19 Database (Department of Health) shall be deidentified,
(b) The deidentified information on the Covid-19 Database shall be retained and only used for research, study and teaching purposes…”

POPIA and considerations for Auditors and Accountants:
Auditors and accountants are privy to their clients’ personal and financial circumstances by the very nature of the services they provide. When auditors and accountants perform either an independent review or audit for a client, POPIA should be kept in mind, particularly when assessing the NOCLAR requirement (included in the IESBA Code of Ethics for Professional Accountants, and the SAICA Code of Professional Conduct). NOCLAR stands for “Non-Compliance with Laws and Regulations”. Any such non-compliance is required to be evaluated (also in the context of POPIA) and a possible Reportable Irregularity considered (for reporting to IRBA or CIPC, as appropriate). 

Employer Responsibilities and Penalties for non-Compliance with POPIA:
The responsibility is on the employer to comply, as the Responsible Party, with POPIA, failing which, penalties may include imprisonment of up to 12 months and/or administrative fines of up to R10-million.