Being that section 14 of the South African constitution provides that everyone has to the right to privacy, the need to controls and measures to be introduced in order to protect that privacy, became evident.
Areas in your business which POPI affects your employees, includes but it not limited to recruitment and selection, health records, Employment Equity and skills development reporting, payroll and labour relations. Data protection laws need to be implemented within the bounds of the Labour Laws where there are often overlaps where in the employee must navigate.
Effective July 1st 2020 employees have 1 year to implement certain aspects of the POPI Act. Establishing the tools and measures which employees need to implement to ensure their responsible process of personal protection, will take some time and so employees are advised not to delay in getting their checklists and actions plans together.
Employers come into contact with absolutely all of an employee’s personal information, starting from the moment that they apply to your company for a vacancy. Your typical CV has the following: email address, cell phone number, landline numbers, ID number, physical addresses, gender, age, marital status, general state of health, where you went to school, what skills a person has and indicates whether you can drive a car. Once an employee is recruited the employer has access to their banking details, pension and provident information and tax details. Already, one individual applying for a vacancy has provided their potential employer, with enough information, which handled incorrectly, to make them potential victims of cyber-crimes. Imagine the sheer magnitude of information one employer, or recruitment agency, could have in their possession. Imagine walking up to a person on the street and handing them all this information and walking away. Does that feel comfortable to you? And yet we so easily hand over this information to others to safeguard hoping that indeed they have the capacity to do so.
Employees need to take heed of the potential risk they create for an individual should they not protect their right to privacy. In fact, the POPI act applies to anyone who has access to or keeps any type of record which has personal information of another individual. This means that your payroll clerk, who you trust with access to certain information, could be a liability for your business. Having access to personal information means that controls need to be put in place to ensure that anyone and everyone who access this information knows how to keep it secure and it’s the company’s responsibility to do so.
POPI principles include accountability, limiting the processing of information, the collection of information for a specific purpose only and not requiring information which is essentially not required for the purpose for which it is intended. Once collected information must be secured, kept accurate and not manipulated and may not be forwarded to anyone who does not have the authority to access it and if this is done, the person who’s information is being forwarded, should be aware of the fact and consent to it. By principle, employees should be able to request to know who has access to their information and so a record of this must be established as part of your company’s procedures.