HR Pulse




Menu Style


Compliance: 5 Things you urgently need to know about POPI


President Jacob Zuma assented to the POPI Act, which protects individuals' personal information, in November. As an employer, you need to adhere strictly to this act because if you don't, you could be facing an administrative fine of up to R10 000. Recently, I spoke with Jacques van Wyk, of Werksmans Attorneys, who told me about five things you – as an employer – need to know about POPI so that you can be in compliance with this act.

1. What is 'personal' information?

Most information you collect from your employees, says Jacques, is 'personal information'. This includes, for example, information about an employee's:

  • Age,
  • Medical records,
  • Location, e.g. physical address,
  • Biometric data, e.g. fingerprints, you might have gathered from a fingerprint-controlled access system, and
  • Private correspondence, e.g. personal e-mails.

2. What is 'special personal' information?

According to POPI, 'special personal' information is to do with, for example, an employee's religion, trade union affiliations or political persuasions. Says Jacques: "To process information such as this, you have to be in compliance with a number of regulations. For example, your employee has to give you 'general authorisation' to process that information or make it publicly available."

3. You're not allowed to engage in automated decision-making!

You cannot hold your employees to decision, which is based solely on automated decision-making, if it subjects him to significant legal consequences. An exception to this is if the employment contract allows you to do this, says Jacques.

An example of automated decision-making would be if you use software to create a profile of the employee and included, for example, his performance at work and his creditworthiness.

4. Transferring employees' information overseas has become very tricky

"POPI also contains a number of provisions you have to be in compliance with when you transfer employees' information to foreign entities," says Jacques. For example, you may not transfer an employee's personal information to a third party, which is in a foreign country, unless the country the third party is in is subject to privacy-regulation legislation that is similar to POPI.

5. You must process your employees' personal information legally

'Processing' an employee's information – says Jacques – is defined as any activity that you perform on the personal information. These activities include, for example, collecting and recording the information.

There are a number of regulations that you have to comply with for your processing of the information to be considered legal.

Jacques has prepared a white paper for us on these requirements. Follow this link to download this booklet.