A warning for South African employers to comply with the Protection of Personal Information Act

Organisations across the globe are coming to grips with new data privacy laws. The General Data Protection Regulation (“GDPR”) is a regulation in the European Union on data protection and privacy. The GDPR’s aim is to give control to individuals over their personal information and sets out provisions related to processing personal data of individuals. Similarly, in South Africa, we have the Protection of Personal Information Act, 4 of 2013, (“POPIA”) that seeks to provide persons with rights and remedies to protect their personal information and to regulate the manner in which organisations may process their personal information.
In terms of POPIA, the word “processing” has a wide meaning. It is intended to cover any conceivable operation or activity concerning personal information. It ranges from collecting, recording, storing, and deleting personal information to making personal information available to others in any form.
In Germany, The Hamburg Commissioner for Data Protection and Freedom of Information (“HmbBfDI”) issued a fine of about 35 million Euros against H&M for excessively processing hundreds of H&M employees’ personal information.
Since at least 2014, some employees have been subjected to extensive recording of details about their private lives.
After an employee was absent from work (sick leave, family responsibility leave, and annual leave, etc.) the supervising team leaders conducted “Welcome Back Talks” with the relevant employee. After the talk, the supervising team leaders recorded the employee’s feedback from the talk, be it vacation experiences, symptoms of an illness and diagnosis thereof or family issues.
Some supervisors went as far as acquiring a broad knowledge of their employees’ private lives through office gossip and general conversations. The details of the employees’ private lives ranged from sensitive family matters to religious beliefs, and this information was recorded, digitally stored, and partly readable by up to 50 other managers within the company.
According to HmbBfDI, the recordings were made with a high level of detail and recorded over a great period of time to document the development of their employees lives and issues. Accordingly, the combination of collecting details about the employees’ private lives and the recording of their activities led to an intensive encroachment on their civil rights.
The excessive data collection and recording thereof became known as the data became accessible company-wide for several hours in October 2019, due to a configuration error. HmbBfDI was notified about the security breach and extreme data collection and ordered that the contents of the H&M’s network drive be “frozen” and then be handed over to them. About 60 gigabytes of data was compiled and submitted for evaluation. Interrogations of numerous witnesses confirmed this unlawful practice.
H&M took various corrective measures to right their wrongs. They presented HMbBfDI with a concept on data protection to be implemented within the company, which included appointing a data protection coordinator, introducing monthly data protection status updates, increasing whistle-blower protection, and a consistent concept for dealing with an individual’s right of access to their information.
Most notably, company management apologised to the employees and paid a considerable amount of compensation to those affected.
In South Africa, if an employer is conducting itself in similar fashion to that of H&M, they would be in breach of several provisions (conditions) contained in POPIA, including, but not limited to:
Accountability – which provides that the responsible party (employer) must ensure that the conditions for the lawful processing of personal information are complied with at the time of determining the purpose and means of the processing, and during the processing itself.
Processing Limitation – which provides that personal information must be processed lawfully and in a reasonable manner, and only if it is adequate, relevant, and not excessive given the purpose for which it is processed.
Purpose Specification – which provides that personal information must only be collected for a specific, explicitly defined, and lawful purpose related to a function or activity of the responsible party and should not be retained for longer than is necessary to achieve that purpose.
Openness – which provides that if personal information is collected, the responsible party (employer) must take reasonably practicable steps to ensure that the data subject (employee) is aware of:
• The information being collected and where information is not collected;
• The purpose for which the information is being collected;
• Whether giving the information is voluntary or mandatory;
• Whether there is any law authorising or requiring the collection of the information; and
• Consequences of failure to provide the information.
Security Safeguards – which provides that the responsible party (employer) is required to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures, having regard to generally accepted information security practices and procedures.
Data subject participation – which provides that a data subject (employee) has a right to request a responsible party (employer) to confirm whether personal information is held about the data subject and be provided with a record or a description of the information held. A data subject may further request a responsible party to correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
Becoming compliant with POPA is a journey and does not happen overnight.
South African business owners are warned to start their POPIA compliance journey as soon as possible. Organisations, regardless of size, must ensure that they are operating within the legal framework of POPIA on the 1st of July 2021 to avoid penalties of up to R 10 000 000.00.
Privacy Law and Data Protection Services offered by BLC Attorneys
BLC Attorneys provide full-service privacy law and data protection services and can assist your organisation in the following ways:
1.1. POPIA Manual: we assist in drafting personalised POPIA manuals for your business;
1.2. Policies, procedures, and controls: we assist in drafting and/or updating of policies, procedures, and controls relevant to your organisation to meet the necessary legal requirements;
1.3. Training: we provide POPIA training workshops for information officers, management, and employees in person or via an e-learning setting;
1.4. POPIA audit: We carry out privacy impact assessments and draft recommendation reports;
1.5. POPIA third party audit: We can review and audit third party compliance with POPIA;
1.6. International information transfer: We advise on cross-border personal information transfers;
1.7. Information security breach: We offer pre-security and post-security breach services;
1.8. International Personal Information Transfer: We advise on cross-border personal information transfers; and
1.9. POPIA and General Data Protection Regulation advisory: Have a question relating to how legislation impacts your organisation? We can furnish you with a legal opinion to assist you in navigating these murky waters.
Author: Mikhael Cain