Protection of Employee data: Protection of Personal Information Act (POPI)

9th September 2018
LABOUR BRIEF NO. 411

Numerous “information” legislation, including Kind (3) and other Government guidelines, are very clear about the onus and obligations of Employers/Business to ensure that personal and personnel information is adequately protected and confidential.

Of the most onerous of these is of course the (POPI) Act!  This Act hold non-compliant Employers liable for both penalties and fines, for reasons where the Employer cannot adequately demonstrate compliance or reasonable effort to ensure compliance.

RSA companies have about (80%) of the essential “policies and procedures in place in terms of most HR/IR risk matters, however very few actually adequately apply their own “policies” and most breach their own procedures.  In fact studies indicate that less than (38%) of these Employers are effectively managing their own procedures.  This fact is a huge concern and presents a very real risk to the Employer concerned.

There is also the risk of Employers unwillingly or unwittingly sharing sensitive Employee data or information on social media or with other Employers/Companies when involved with for instance, merger discussions.

It is therefore advised that initially, Employers to ensure that the below listed steps be acknowledged and implemented in an effort to minimise the risk that the (POPI) Act presents to most Companies, due to the employment relationships;

a) Strict provisioning of data security measures (e.g.: data masking, encryption, and privacy control, plus prevent unauthorised data access and strict confidentiality measures),

b) Creation of privacy rules and implementation thereof,

c) Limit authority in in terms of data generation and access, creating access controls and limits of authority,

d) Archiving of records must be addressed and managed effectively, as well as data growth must be accounted for and also managed continuously, as well as audited regularly,

e) Restrict and define data access and accountability created (e.g.: restrict who may view “privacy” information and when, especially data linked to health and personal matters).

K. Cowley
(Chairperson – (CEA – LBD)

Related Posts