Issues in dispute
The purpose of POPI is to give effect to the Constitutional right to privacy by introducing measures to ensure that the personal information of “data subjects” (including employees) is safeguarded when it is processed by “responsible parties” (such as employers). POPI provides conditions for the lawful processing of personal information. It sets out eight core information protection principles and conditions, including accountability, purpose specification, information quality, openness, security safeguards and data subject participation. Employers will have to comply with these principles whenever personal information of employees is collected, stored or used. Certain types of information, such as ethnicity and trade union membership, are considered “special personal information”. The processing of such information is prohibited unless it falls within a statutory exception.
An employer may apply for exemption from the above principles by seeking authorisation from the Information Protection Regulator (“the Regulator”), a juristic person to be established by POPI. Companies must also appoint an Information Protection Officer to assist in ensuring compliance with POPI. An employer that breaches the duties imposed by POPI could face an administrative fine of up to R10 million. POPI also applies to trans-border information flow. An employer wishing to distribute personal information about employees to a subsidiary or other company in another country may do so only if that country also upholds the principles for lawful processing of information or if the data subject consents.
In view of the above and the serious consequences arising from non-compliance, it is essential that employers comply with the provisions of POPI by putting procedures in place to adhere to the eight conditions of lawful processing contained in the Bill.