South Africa’s Constitution gives every person the right to privacy and requires that legislation be promulgated to implement this right. As a result, the Protection of Personal Information Act of 2013 (POPI) was drawn up but did not come into effect for seven years after its enactment.
The primary sections of POPI became law on 1 July 2020. Although POPI is not a labour law per se, it substantially affects employers because they process a great deal of information on employees and other persons associated with the employer.
The legislators brought this legislation into effect in July 2020 in order to give employers and other persons time to make their information processing systems legally compliant. The deadline for compliance is 1 July 2021.
This ‘grace’ period ending on 1 July 2021 is not a long one and the time will speed past. Most employers are focussing on the survival of their businesses at present but need to devote time and attention to POPI compliance.
Employers must take time out for POPI because non-compliance can result in imprisonment of up to 10 years and a fine of up to R10 million.
The core purpose of POPI is to protect the rights of natural and juristic persons to the privacy of their personal information.
For the purposes of this Act, “personal information” is information relating to a living natural person and an existing juristic person that relates to the person’s personal characteristics, views, identity, education, medical, financial, criminal, employment history, ID number, address, location, phone number, online identifier, biometrics, private correspondence and opinions about the person. It even applies to his/her/its name if the recording or revealing of his/her/its name would reveal his/her/its personal information.
POPI effectively designates every organisation as a “Responsible Person” and holds everyone who determines the purpose or means of processing personal information responsible for the legal implementation thereof.
“Processing of information” covers a multitude of sins because it means the collection, receipt, recording, storage, updating, use, accessing, dissemination, making available, merging, restriction and destruction of information.
While the processing of the information available to an employer is still legal, in many cases POPI places extremely heavy restrictions on such processing. As the phrase “processing of information” applies to both automated and non-automated record systems and covers everything from the collection and retention of information to its provision, every aspect of the employer’s entire information system, policy, procedure and practice is subject to POPI.
In summary, the primary conditions for the lawful processing of information include:
- The entity processing the information must hold itself accountable for legal compliance and must have an information officer
- The processing must itself be lawful
- The information must be adequate, relevant and not excessive
- If the information relates to a child, consent must have been given
- The processing must be necessary and for a specified purpose
- The information must be accurate, complete and not misleading
- The records must not be kept longer than necessary
- The information must be subject to the requirements of the Promotion of Access to Information (PAI) Act
- The records must be kept securely so that the information is not vulnerable to access by unauthorized persons.
In addition, the sending of unsolicited marketing communications to persons is heavily restricted.
In a nutshell, every employer needs to collect, keep and share copious personal records of many different kinds. POPI prohibits the keeping of records of certain kinds and very heavily restricts the processing of permitted information.
Currently, the record systems, policies, procedures and practices of most entities are not compliant with POPI and many employers do not even know the extent to which they are not compliant.
As the audit will take a lot of time and filling the compliance gaps will take even longer, employers are advised to start their POPI compliance audits right away.