In PART 1 we referred to the use of employee information by an employer and when it would be a breach of employee privacy in terms of the Protection of Personal Information (POPI) Act No. 4 of 2003. In PART 2 we discussed the employment related information that is protected in terms of POPI.
The purpose of this article, PART 3, is to discuss ‘processing’ or ‘further processing’ of information and when will it be lawful to process information.
What does ‘processing’ or ‘further processing’ mean?
POPI applies only to personal information and special personal information that is subject to ‘processing’ or ‘further processing’. The term ‘processing’ applies to a comprehensive range of activities. It includes the initial obtaining of personal information, the retention and use of it, access and disclosure and final disposal of the data.
The processing of personal information in the workplace from recruitment to retirement is covered. Likely activities that will constitute processing or further processing of personal or special personal information are:
- the recruitment and selection process commencing with the advertising of vacancies, receiving, sorting and storing of applications, the shortlisting process, interviews, vetting and verifying of data provided by the applicant (data subject), communications to successful and unsuccessful applicants and letters of appointment;
- processing payment of remuneration, recording bank account details, payslips and tax records;
- receiving and storing of leave applications and records, sick leave and medical records, records and communications relating to injuries on duty and otherwise;
- monitoring performance, conducting written performance assessments, dealing with promotions and demotions and the records of disciplinary processes;
- obtaining distributing and storing information relating to medical aid membership, medical aid claims, payment of medical aid subscriptions, membership of retirement funds, contributions to retirement funds and their administrators and retirement benefits;
- obtaining, creating and storing of information relating to termination of employment, the issue of references and exit interviews, and
- the exchange of information of staff members in a business transfer or out sourcing transaction.
When will it be lawful to process information
Processing and further processing of personal information is only lawful if it complies with the eight conditions specified in POPI. An employee (data subject) has the right to have his or her personal information processed in accordance with these conditions. The eight conditions for the lawful processing of personal information are:
- accountability – as referred to in s8
- processing limitation – as referred to in ss9 to 12
- purpose specification – as referred to in ss13 and 14
- further processing limitation – as referred to in s15
- information quality – as referred to in s16
- openness – as referred to in ss17 and 18
- security safeguards – as referred to in ss19 to 22
- data subject participation – as referred to in ss23 to 25.
An employee in addition has the right to access to his or her personal information and to request the correction, destruction or deletion of his or her personal information. The employee may also on specified grounds object to the processing or further processing of personal information.
POPI generally does not apply to the processing of personal information in the workplace that has been de-identified or relates to the functions of a court.
The eight conditions for lawful processing apply to the workplace activities in various ways. In our next article PART 4, we shall discuss each of the eight conditions in more detail.