
South Africa’s Protection of Personal Information Act (POPIA) took effect on 1 July 2020 with a grace period of 12 months to comply with the provisions of the Act.
POPIA will give effect to the constitutional right to privacy by introducing measures to ensure that the personal information of 'data subjects' (such as employees, clients etc.) is safeguarded when it is processed by 'responsible parties' (i.e. employers, service providers etc.). POPIA provides conditions for the lawful processing of personal information. Responsible parties will have to comply with these conditions whenever the personal information of individuals is collected, stored or used. If a responsible party were to breach the duties imposed by POPIA, it could face an administrative fine of up to R10,000,000 (ten million Rand). Owing to the serious consequences arising from non-compliance, it is essential that the provisions of POPIA are adhered to and that compliance procedures are adopted to ensure the obligations imposed are satisfied.
For an employer, processing employees' personal information is necessary for a variety of reasons, such as concluding employment contracts, occupational health and safety, recruitment and training, and general compliance with applicable law. Special personal information is a specific category of personal information provided for under POPIA and relates to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health and biometric information of an individual. The processing of special personal information carries special rules of compliance in terms of POPIA, and employers should take serious note of them.
Employers should guard themselves against liability in terms of POPIA and ensure that the employee's consent is obtained where necessary. Processing of the employee’s personal information should be done for a specified purpose. An employee must be in a position to "opt in" and know what their personal information will be used for. POPIA states that, in addition to consent, justification can be provided by the responsible parties where the processing of personal information is necessary for the conclusion of a contract, complies with an obligation imposed by law, protects the interest of the data subject or is necessary for the legitimate interests of the employer.
POPIA should not be regarded as an obstacle to conducting business. Current business practice already dictates compliance with generally accepted privacy norms. Tightening of current structures and policies when dealing with personal information must become a priority for businesses.
Vishane Pramrajh | Employee Benefits Manager
