With the Protection of Personal Information Act No 4 of 2013 becoming more and more part of our daily vocabulary, there are still many uncertainties regarding certain aspects of the Act.
Many employees feel that the Act of the employer requesting information of a positive COVID-19 result or information from themselves, their spouses or persons they alleged to have been in contact with or live with are in contravention of the POPI act.
In this article, the definition of Personal Information will be discussed as well as the lawful processing of Personal Information. More applicable and relevant to the current COVID-19 situation.
Personal Information means information relating to an identifiable, living natural person and, where applicable, an identifiable, existing juristic person including, but not limited to:
- Information relating to the race, gender, sex, pregnancy, marital status, national ethnic or social origin, colour, sexual orientation, age, physical or medical health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- Information relating to the education or the medical, financial, criminal or employment history of the person, etc.
The business must ensure that the conditions of lawful processing of personal information and all measures that give effect to such conditions are complied with at all times. It is not always necessary to obtain the permission of the employee to process this type of information.
The information officer of a business must ensure that the business adheres to the following conditions for lawful processing of personal information:
- Accountability – Section 8;
- Processing Limitations – Section 9 -12;
- Purpose Specification – Section 13 – 14;
- Further Processing Limitation – Section 15;
- Information Quality – Section 16;
- Openness – Section 17 -18;
- Security Safeguards –Section 19-22;
- Data Subject Participation – Section 23-25.
The business may process information if processing complies with an obligation imposed by law on the business, for example – the new COVID-19 Directives issued on the 11th of June 2021. The business does not need the employee’s permission to process the COVID-19 results/medical information, as the business is obligated by law to do so.
When processing protects a legitimate interest of the data subject (the employee qualifying for sick leave), or the processing is necessary for pursuing the legitimate interests of the business or of a third party to whom the information is supplied to (OHS Health Regulations), the employer does not need the permission of the employee to process this information. Furthermore, the employee cannot state that said information is confidential and therefore the reason the employee (data subject) refuse to submit this information to the employer.
The further processing of personal information is compatible with the purpose of collection if:
- The further processing of the information is necessary to prevent or mitigate a serious and imminent threat to;
- Public Health or Public Safety;
- The life or health of the data subject or another individual(s).
If we look at sections 26, 27 and 32 of the Protection of Personal Information Act, it states that the business is also allowed to process Special Personal Information concerning the data subject’s health or sex life.
When the question arises whether an employer is entitled to collect personal information of an employee/data subject related to his/her health in relation to COVID-19 and then process this information further, the answer is yes. The employer may and is obliged by law to act and handle such medical information as it is in the Public, Data Subject and the Business best interests and in accordance with the conditions for lawful processing of Personal Information.
Contact your SEESA Consumer Protection & POPI Legal Advisor to assist your business with any processing of Personal Information queries you might have. Alternatively, SMS the word “SEESA” to 45776 for an expert legal advisor to contact you.
About the Author:
Kobus Hansen is a Labour and Consumer Protection & POPI Legal Advisor at the SEESA Kimberley branch. He obtained his B Iuris and his LLB through UNISA.
Act 4 of 2013 Protection of Personal Information Act