This is the final part of this article. To summarise: PART 1 was about the use of employee information by an employer and when it would be a breach of employee privacy in terms of the Protection of Personal Information (POPI) Act No. 4 of 2003; PART 2 was about the employment-related information that is protected in terms of POPI; PART 3 was about the ‘processing’ or ‘further processing’ of information and when it would be lawful to process information; and PART 4 was about four of the eight conditions for the lawful processing of information by the employer.
In PART 4 we discussed the following four conditions:
- Processing Limitation
- Purpose Specification
- Further Processing Limitation
The purpose of this article, PART 5, is to discuss the remaining four of the eight conditions for the lawful processing of information.
Condition 5: Information Quality
An employer must take reasonably practical steps to ensure that personal information of employees is complete, accurate, not misleading and updated where necessary. The employer must always have regard to the purpose for which the information was collected. Special care is required where information is collected from a source other than the employee personally.
Condition 6: Openness
An employer collecting personal information must take reasonably practical steps to ensure that the employee is aware of the information collected and the source of the information, the name and address of the responsible party, the purpose for which it is collected, whether the employee is obliged to supply the information and what law, if any, prescribes the disclosure of the information to the employer. The employer must also inform the employee exactly what information will be processed, to whom, and of the employee’s right to access and rectify the information collected or to complain to the Regulator. The employer is obliged to inform the employee before the information is collected from the employee and, in any other case, either before or as soon as reasonably practicable after collection. When the employer intends to transfer the information across borders, it must inform the employee and also explain to the employee the protection that the information will have in the foreign country or with the international organisation.
Condition 7: Security Safeguards
An employer must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information. The reasonable measures to protect the personal information include identifying possible security risks, establishing and maintaining safeguards against those risks, verifying the safeguards from time to time and updating those measures. Anti-virus programmes, back-ups and off-site storage are all measures to consider. The measures must comply with generally accepted information security practices. For instance, when an employer appoints a payroll administrator, it must contractually oblige the administrator or any other third party to comply with the security safeguards and to report any security breach to the employer. Where there are reasonable grounds to believe that the personal information of an employee has been accessed or acquired by any unauthorised person, the employer must notify the Regulator and, in a prescribed form, also the affected employee.
Condition 8: Employee Participation
An employee has the right to know what personal information the employer holds about him or her. An employee has a right to request, in the prescribed form, the records or a description of the personal information that the employer holds. An employee is also entitled to know which third parties have or had access to the personal information. Upon request, the employer must furnish the records or information unless the employer may rely on one of the grounds in the Promotion of Access to Information Act to refuse the record or information. An employee is entitled to request a correction of any personal information. The employer must inform the employee what action has been taken pursuant to the request for a correction. The employer must correct or delete the information subject to a request for correction, or provide proof of the correctness of the information and attach a note to the record reflecting both the request and the response.
The eight conditions apply to the processing of personal information in the process from recruitment to retirement and oblige employers at each stage to consider carefully the purpose for collecting the information, why it should be retained and for how long, what they may use the information for and the obligation to grant employees access to the information.