The purpose of the POPI is to promote the protection of personal information processed by public and private bodies; to introduce information protection principles and certain conditions so as to establish the minimum requirements for the processing of personal information; to provide for the establishment of an Information Protection Regulator; to provide for the issuing of codes of conduct, which will affect all employers and require the revision of their codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; and to regulate the flow of personal information across the borders of the Republic.
Essentially the POPI was created to promote the constitutional right to privacy as entrenched in our Constitution. POPI therefore introduces measures that will ensure the personal information of data subjects such as an employee is protected when it is processed by the responsible party such as the employer. POPI ultimately provides for the lawful processing of personal information. Companies and all employers will have to comply with these principles once POPI is approved by the President.
The POPI contains two pivotal definitions, namely “personal information” and “processing”, and constantly refers to the “lawful processing of personal information”. Personal information is defined in the POPI Bill to include the race, age, gender, sex, pregnancy status, marital status, nationality, ethnic or social origin, sexual orientation, physical or mental health, disability, religion, culture and language, blood type or any other biometric information of the employee; the personal opinions, views or preferences of the employee; and correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence of the employee. The definition ultimately also includes information relating to the educational, medical, financial, criminal or employment history of the employee, and all information pertaining to a person’s location and contact details, such as the e-mail and physical addresses and telephone and cellular phone numbers of the employee.
Processing is very broadly defined in the POPI Bill to include any operation or activity that deals with or is concerned with the collection, recording, organisation, collation, storage, updating or modification, or retrieval of personal information. Because the concept is so broadly defined, it will only become clear in litigation what the definition of processing includes. The POPI further sets out a framework of conditions and provisions to regulate and promote the lawful processing of personal information.
The first and most important condition is that the responsible party must ensure that the conditions and measures entrenched in the POPI Bill, which give effect to the protection of personal information, are complied with. Compliance and accountability are therefore regarded as the first principle. To ensure this, employers and responsible parties must appoint an Information Officer and Deputy Information Officers to ensure compliance with these conditions and to deal with complaints from data subjects or employees who seek to enforce their rights in terms of the POPI.
Secondly, the POPI imposes several limitations on how an employer or responsible party may process the personal information of an employee or data subject. The processing of information must be lawful, meaning that it may not be contrary to South African law and that it must be conducted in a reasonable manner that does not infringe upon the right to privacy of the employee or data subject. Personal information must be collected directly from the data subject, unless the information is public. An employer or responsible party may only process personal information if there is adequate reason for such processing. This will, for instance, include situations where the employee or data subject gave full consent to the processing.
The responsible party or employer may only collect personal information for specific reasons that are explicitly defined and for lawful purposes related to the function of the employer or responsible party, for example where there is an obligation on the employer or responsible party in terms of legislation such as the Basic Conditions of Employment Act 75 of 1997 and the Labour Relations Act 66 of 1995.
The further processing of personal information must be in accordance with the purpose for which it was originally collected. To determine whether further processing is in compliance with the purpose of collection, the responsible party or employer must take into account the relationship between the purpose of the intended further processing and the purpose for which the information has been collected originally; the nature of the information concerned; the consequences of the intended further processing for the data subject; the manner in which the information has been collected; and any contractual rights and obligations between the parties.
The responsible party or employer must further ensure the quality of the information processed. The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
The responsible party must take all reasonably practicable steps to ensure that the data subject or employee is aware of the information being collected; the name and address of the responsible party or employer; whether the supply of the information by that data subject or employee is voluntary or mandatory; the consequences of failure to provide the information; any particular law authorising or requiring the collection of the information; and further information such as the recipient or category of recipients of the information. The responsible party or employer must secure the integrity and confidentiality of personal information in its possession or under its control. In other words, the responsible party or employer must implement all appropriate and reasonable technical and organisational measures to prevent loss, damage, or unlawful access to or processing of personal information.
The reason for the above is that the data subject or employee has the right to request access to the record of his or her personal information held by the responsible party or employer. The record must be provided within a reasonable time, in a reasonable manner and form, and may be subject to a prescribed fee. The data subject or employee has the right to request that the record be corrected or deleted if this is warranted.
If an employer were to breach the duties imposed by POPI, it could be charged with an administrative fine of up to R10 000 000 (TEN MILLION RAND). Although the POPI Bill had not been enacted as legislation by the date of publication of this article, responsible parties or employers must ensure that their staff, especially those who process employee information on a regular basis, such as Human Resources and information technology officials, are aware of the duties imposed on employers by POPI.