In PART 1 we referred to the use of employee information by an employer and when it would be a breach of employee privacy in terms of the Protection of Personal Information (POPI) Act No. 4 of 2003. In PART 2 we discussed the employment related information that is protected in terms of POPI and in PART 3 we discussed ‘processing’ or ‘further processing’ of information and when it would be lawful to process information.
The purpose of this article, PART 4, is to discuss the eight conditions for the lawful processing of information, referred to in PART 3. We shall deal only with 4 of the eight conditions and the remaining 4 in Part 5.
Condition 1: Accountability
The employer must ensure that the conditions are complied with at the time of the determination of the purpose and means of the processing and during the processing itself. Employers must appoint an information officer who is someone duly authorised by the employer. The employer must register with the Regulator the information officer who is responsible for compliance by the employer with the provisions of POPI , working with the Regulator and dealing with requests from employees relating to their personal information.
Condition 2: Processing Limitation
Processing of personal information must be limited to lawful processing in a reasonable manner that does not infringe the privacy of the employee. The purpose of processing must be adequate, relevant and not excessive and with the consent of the employee which consent may under certain circumstances be withdrawn.
Processing is limited amongst others to protect or pursue legitimate interests or is necessary for the proper performance of a public law duty of an employer in the public service.
Personal information must be obtained directly from the applicant for employment or employee unless the information is derived from a public record or the employee has consented to the use of another source or has made the information public on for instance social media.
The processing limitation is especially relevant to the verification of information furnished by applicants for positions when only relevant and adequate information should be sought and verified.
Condition 3: Purpose Specification
When collecting personal information it must be for a specific, explicitly defined and lawful purpose related to a function or activity of the employer in the employment context. The employer must inform the applicant or employee of the purpose.
Without the consent of an employee an employer may only retain records of personal information for as long as it is necessary to achieve the specific purpose for which the information was collected. Pre-employment records and information should be destroyed when it does not serve any further purpose although the results of the vetting and verification may be retained for longer.
Employers must however comply with statutory provisions prescribing retention periods such as records for tax compliance and in terms of employment legislation.
The destruction of records must be final and in a manner that the records cannot be reconstructed.
Condition 4: Further Processing Limitation
Employers may with the consent of an employee put personal information to further use. In the absence of specific consent for the further use the employer may use the personal information if it is compatible with or in accordance with the purpose for which it was collected in the first place. An employer must comply with the test for compatibility when for instance passing on personal information to a medical aid or retirement fund, for unemployment benefits or in a business transfer transaction.
The remaining 4 conditions are Information Quality, Openness, Security Safeguards and Employee Participation, which will dealt with in the next article, PART 5.