Organisations, employees, the PoPI and you.
November 14, 2013
The Protection of Personal Information Bill (PoPI) is currently one of the most comprehensive pieces of privacy legislation in the world, and given some of the broad definitions of what ‘personal information’ is, compliance with this legislation may seem to some like yet another insurmountable obstacle.
This is according to Jenny Reid, Managing Director of iFacts who says that the trap that many may fall into is assuming that the Bill only protects information about people. “The tiny snag that may catch many organisations out is that the PoPI also applies to information about ‘juristic’ persons, in other words, companies and similar entities,” says Reid.
“Reinforcement of the Bill will ensure a significant level of protection for individuals and companies in South Africa with regard to how their personal information is handled,” she says. “Companies cannot afford to think that proposed new privacy laws do not apply to them,” says Reid. “In fact, organisations may need to protect more information than they expect or they will face unexpected consequences. For organisations with complex business processes that gather multiple types of personal information, the road to compliance will be a treacherous one.”
A ‘juristic person’, as defined in the PoPI is a company, entity, community or other legally-recognised organisation, with the right to the protection of its personal information, in much the same way as a ‘natural person’. For organisations, this means that, in addition to protecting the information they hold about customers and employees, they are also going to have to safeguard the information they hold about customers who are companies, as well as business partners, vendors and suppliers.
Who is affected?
The Bill applies to all companies that collect, store, or process personal information. These include organisations such as banks, insurance companies, medical and health organisations including medical practitioners, retail stores, and the government. As such, it also includes all employee information, including current and potential employees, so every organisation is affected. People who keep security information including occurrence books, incident registers, will also need to make sure they have the necessary indemnities in place.
Not only will the personal information of current employees need to be protected, but organisations will also need to comply with legislation when hiring new staff.
The Bill says that personal information may only be processed if it is absolutely necessary for the purpose that it is being processed for. It is also stated that such personal information may not be excessive and must be relevant and adequate. This could make the process of recruiting new employees far less straight-forward for many businesses.
“At iFacts we work extensively with personal information where organisations have called on us over the years to assist them with processing personal information, conducting background checks, employee screening and also to verify identity numbers, driver’s licences and qualifications,” says Reid. “The reason for this is simple. Organisations and their current staff also need to be protected. Far too often, potential employees present falsified information on their applications and organisations have every right to protect their entities and current employees.” She goes on to say that this new legislation does not remove the ability to do this, it states that consent from the applicant is absolutely necessary and that all information processed is relevant for the position for which the potential candidate has applied.
What is ‘personal information?’
Personal information would include the name, surname, marital status, identity number, contact details, physical and postal address, bank details, medical details, nationality, gender and race of the employee. Furthermore, it could include information relating to the spouse of the employee and their contact details.
According to the Bill, all personal information must be collected directly from the Data Subject, unless it is contained in public record, consent has been given by the employee that information can be obtained from another source, or no prejudice is done to a legitimate interest of the employee by obtaining the information.
What is the alternative?
Non-compliance with the PoPI will mean that an organisation could pay fines of up to R10 million, face possible jail sentences, suffer reputational damage, lose customers and fail to attract new ones, face potential civil law suits, and the prospect of being ordered to stop processing personal information.
South African organisations are expected to be fully compliant with the new Bill within one year of its enactment. “It is advised that all organisations begin reviewing the full effect that PoPI will have on their business, their employees and the hiring of potential employees in order to be ready when the law goes into effect,” concludes Reid.