Processing of employees’ personal information is a necessary function in every workplace. POPIA prescribes how companies should collect, store, and share such information to protect employees’ privacy rights.
Here are some fundamental POPIA principles to keep in mind:
- Be clear about why you need the information (‘the purpose’).
- Only collect the minimum personal information necessary for the intended purpose.
- Implement adequate technical and organisational security measures to safeguard information from data breaches and unauthorised access.
- Update, correct, or amend the personal information if necessary.
- Employees have the right to request that the company correct or update their information.
What does all this mean for employers?
The POPIA imposes significant responsibilities on employers to protect employees’ personal information. Failure to comply with the Act can result in severe penalties, including substantial fines of an amount not exceeding R10 million or imprisonment.
Companies must:
- Draft comprehensive policies and procedures that ensure the lawful processing of personal information. This may include, for example, an Access Control Policy or an Information Security Policy.
- Train employees and raise awareness about the POPIA.
- Implement security safeguards to prevent data breaches.
- Appoint a dedicated Information Officer and Deputy Information Officers to ensure compliance.
- Review and update data protection practices regularly to stay current with evolving regulations.
With the Information Regulator stepping up their “target-based compliance monitoring exercises”, employers must fully understand and comply with the Act’s provisions to ensure compliance. Embracing the principles outlined in this article is a good start for employers to create workplaces where employees’ personal information is processed lawfully.
SEESA can assist you with your POPIA compliance. Our expert Legal Advisors are ready to assist you in compiling a POPIA compliance framework to ensure compliance.