Comply or be liable for damages: How employers can ensure compliance with POPIA

October 2021

The Protection of Personal Information Act 4 of 2013 (POPIA) came into effect on 1 July 2020, and responsible parties were granted a grace period of 12 months, ending on 30 June 2021, to ensure compliance with POPIA. The nature of the civil liability created in terms of section 99(1) of POPIA and the restricted nature of the defences in terms of section 99(2) create significant risk for employers, and that risk may not be adequately addressed by the steps employers typically take to limit it.

What do employers need to do to ensure compliance with POPIA?

Employers need to ensure that they lawfully process information. This can be achieved through complying with the eight conditions in POPIA, namely:

Accountability: Employers need to ensure that the conditions are complied with both at the time the purpose and means of processing are determined and during the processing itself. Employers can do this by appointing an Information Officer.

Processing limitation: The processing of personal information must be limited to lawful processing in a reasonable manner that does not infringe the privacy of the employee.

Purpose specification: When collecting information, it must be for a specific, explicitly defined and lawful purpose related to the function of the employer in the employment context. The employer must inform the applicant or the employee of the purpose for which the required information is collected.

Further processing limitation: Any further processing must be compatible with the purpose for which the personal information was originally collected. Where it is not, employers require the consent of the employee before putting the information to further use, e.g., passing it on to a medical aid or retirement fund.

Information quality: An employer must take reasonable steps to ensure that the information collected from the employee is complete, accurate, not misleading and kept up to date where necessary.

Openness: An employer requesting information must ensure that the employee is aware of what information is being collected, the source of the information, the name and address of the responsible party, the purpose for which the information is requested and which law, if any, requires the disclosure of the information.

Security Safeguards: An employer must take reasonable steps to ensure that the personal information in its possession remains secure. The employer can do this through measures such as anti-virus software, access controls, backups and off-site storage. Should there be reasonable grounds to believe that an employee's personal information has been accessed or acquired by an unauthorised person, the employer must notify the Regulator and the affected employee as soon as reasonably possible after discovering the compromise.

Employee participation: An employee has the right to know what personal information the employer holds about him or her, and may request the record or a description of the information held, as well as the correction or deletion of information that is inaccurate, out of date or no longer necessary.

Further steps for employers to ensure compliance with POPIA

  • Employers must appoint an Information Officer and register the Information Officer with the Information Regulator.
  • Employers should review recruitment processes, HR policies and employment contracts, and include provisions on the processing of personal information where necessary. Where consent is the basis for processing, employers should obtain consent to process personal information and special personal information.
  • Employers should establish adequate policies to ensure compliance with the eight conditions listed above.
  • Employers should host awareness training for employees on compliance with POPIA.

Ensuring adequate safeguards

In terms of section 19 of POPIA, employers are required to implement appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of any personal information in their possession or under their control. To do so, employers must identify all reasonably foreseeable internal and external risks to that personal information, establish and maintain appropriate safeguards against those risks, regularly verify that the safeguards are effectively implemented, and update the safeguards in response to new risks or deficiencies.

Consequences of non-compliance

Criminal: POPIA creates various criminal offences for non-compliance. A conviction can result in a fine and/or imprisonment not exceeding 10 years, and the Regulator may in addition impose an administrative fine not exceeding R10 million.

Civil: In terms of section 99 of POPIA, a data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of POPIA, whether or not there is intent or negligence on the part of the responsible party.

Possible defences to be raised by an employer

Section 99(2) of POPIA sets out the limited defences which an employer may raise in response to a claim in terms of section 99(1). The defences are vis major, consent of the plaintiff, fault on the part of the plaintiff, that compliance was not reasonably practicable in the circumstances of the particular case, or that the Regulator has granted an exemption in terms of section 37.

Of concern to employers is the fact that the defences do not include circumstances in which the employer is able to show that it did all that was reasonably practicable to ensure that its employees did not breach POPIA.

In conclusion, employers should comply with the relevant requirements of POPIA. By failing to do so, employers are at risk of imprisonment of up to 10 years, fines of up to R10 million, and liability for damages.

K. Cowley
Chairperson (CEA – TESD)