Updated privacy and personal information rules companies in South Africa need to know about

Parts of the long-awaited Protection of Personal Information (POPI) Act came into force on 1 July 2020, and companies will have a period of one year to become compliant, or risk substantial fines or even imprisonment.

While the updated rules around personal information and marketing are well documented, the POPI also introduces obligations on employers and grants rights to employees in respect to personal information and the legislation will have an impact on all aspects of the employment life cycle, says law firm Cliffe Dekker Hofmeyr.

Below the group outlined how the POPI changes the current hiring and employment process, as well as how it can impact termination.

Advertising, recruitment and selection

Cliffe Dekker Hofmeyr said that the following would all be considered personal information when advertising, recruiting and selecting employment candidates:

• Curriculum vitae;
• Identity document;
• Educational qualifications and transcripts;
• Interview forms;
• Psychrometric test results;
• Email addresses;
• Cell phone number;
• Criminal and background checks.

The personal information (PI) of applicants’ must be obtained directly from them, unless derived from a public platform, the firm said.

“Where an employer makes use of a recruitment agency, the applicant must consent to his/her PI being obtained from the recruitment agency. The personal information of unsuccessful applicant(s) must be destroyed once a decision has been taken not to employ the applicant(s).”

Employee onboarding, induction and training

Cliffe Dekker Hofmeyr said that the following would all be considered personal information in the employee onboarding, induction and training process:

• Contract of employment;
• Residential address;
• Next of kin contact details;
• Medical aid details;
• Biometrics;
• Email address;
• Cell phone number;
• Bank account details;
• Payslips;
• SARS tax records.

“The nature of the information required pertaining to a next of kin constitutes personal information in terms of POPI, as it is information related to an identifiable, living, natural person,” Cliffe Dekker Hofmeyr said.

“Accordingly, an employer must notify the next of kin that their personal information is being processed and only process personal information pertaining to a next of kin with their consent. The onus of proof rests with the employer to prove that consent was received from a next of kin.”

Day to day employee management and engagement with unions

Examples of PI in day to day management include:

• Screening records in the context of Covid-19;
• Employee personnel file; disciplinary records;
• leave applications;
• Doctors notes;
• Drug & Alcohol test results;
• Performance reviews
• The processing of information related to Trade Union membership.

Cliffe Dekker Hofmeyr provided the following suggestions for the day-to-day management of personal information:

• Ongoing analysis of PI to verify the quality, accuracy and completeness of the PI;
• Conduct risk assessments to determine loopholes in the protection of PI;
• Revise HR policies and contractual arrangements; and
• Revise and update contractual arrangements.

Termination 

Cliffe Dekker Hofmeyr said that the following information should be retained on termination for the applicable periods as per legislation:

• Contract of employment  (3 years);
• Arbitration Awards (3 years);
• SARS employee records (5 years);
• OHSA Incident records (3 years);
• Employee disciplinary records (indefinite).

“Save for the information that must be retained in terms of applicable legislation, an employer must dispose of information where an employment relationship is terminated,” it said.

“Personal information retained for further processing in terms of section 15(e) of POPI must be processed solely for that purpose and should not be published in an identifiable form.”