Data protection

i Requirements for registration

Comprehensive legislation regulating data protection was published in 2013 in the form of the Protection of Personal Information Act 4 of 2013 (POPIA), but this has not fully come into effect. The many substantive obligations provided for in the POPIA are thus not yet binding or applicable, and it is unknown when they will come into operation, although the likely date appears to be closer than was previously the case given the development referred to below. Once the substantive provisions of the POPIA are made effective, companies will be given a one-year grace period to comply with its provisions, which may be extended. Once operative, the POPIA will place restrictions on what information may be collected from employees and applicants and processed by employers. The POPIA does not require employers to register with a data protection agency or other government body, but an employer can only collect and store personal information about its employees if it has notified the Information Protection Regulator and the employees, and it is necessary or related to a lawful and permitted purpose under the legislation. In September 2017 draft regulations were published for public comment. The final regulations were published on 14 December 2018.

Personal information may only be collected by an employer directly from, and with the consent of, the employee, who must be informed of the purpose of any collection and who the intended recipients are once the information is collected. Personal information should not be kept for longer than necessary to achieve the (permitted) purpose for which it was collected and it must be distributed in a way that is compatible with the purpose for which it was collected. The employer must take reasonable steps to ensure that the information is accurate, up to date and complete.

Under the POPIA the employer must ensure that the employee's information is protected against risks of loss, damage, destruction or unauthorised access. The employee must also be allowed to access his or her personal information and can demand that the information be corrected if it is found to be inaccurate.

ii Cross-border data transfers

The POPIA prohibits cross-border (and onward) transfers of personal information to countries that do not have substantially similar protections for the information (except under limited circumstances). Notification of transfers of sensitive personal information or the personal information of children must be given to the Information Regulator, and an employer must obtain the Information Regulator's prior authorisation before processing such information. The employee's consent to the transfer is generally required. The transfer must also be necessary under contractual arrangements involving the employee. Authorisation from the Information Regulator need only be obtained once and not each time that personal information is received or processed, except where the processing departs from that which has already been authorised.

iii Sensitive data

The POPIA considers the following information to be 'special personal information' for which additional protections are required: information concerning children; religious or philosophical beliefs; race or ethnic origin; trade union membership; political persuasion; health, sex life or biometric data of a data subject; and criminal behaviour in certain instances.

This special personal information may not be processed by an employer unless specifically permitted under exemptions provided for in the legislation. An example of an exemption would be the processing of racial information because the employer is required to comply with laws designed to protect or advance persons from groups historically disadvantaged by unfair discrimination (in terms of the EEA).

iv Background checks

Background checks are generally permitted provided they do not involve checks that amount to unfair discrimination under the EEA.

A Code of Good Practice issued under the EEA stipulates that an employer should only conduct an integrity check – such as contacting credit references and investigating whether the applicant has a criminal record – if this is relevant to the requirements of the job. The National Credit Act No. 34 of 2005 also stipulates that a credit bureau can only issue a credit report to a prospective employer when the employer is considering the candidate for a position that requires trust and honesty and entails the handling of cash or finances, and only with the prior consent of the candidate.

Medical testing is only permitted if legislation permits or requires it or if it is justifiable in the light of medical facts, employment conditions, social policy, the fair distribution of employee benefits or the inherent requirements of the job. Testing an employee for his or her HIV status is prohibited unless determined to be justifiable by the Labour Court. Psychological testing and other similar assessments are also prohibited unless the test has been scientifically shown to be valid and reliable, can be applied fairly to all employees and is not biased against any employee or group of employees.

The Immigration Act and regulations thereto provide that medical reports and chest X-rays must be submitted in support of temporary and permanent residence visa applications. Police clearance certificates are also required from all countries where the temporary or permanent residence visa applicant has resided for more than a year since their 18th birthday.