15 Jun 2021

Insert #4 Employees – Insert #1


As most companies will tell you, their employees constitute their most important asset. Handling that asset with care has never been more important than now due to the arrival of POPI.

Let’s start by applying the definitions (as per POPI) of personal information (‘PI’) more specifically to the employment situation. It includes the employee’s (‘Data Subject’ – ‘DS’) physical and mental health; information relating to education, employment and financial history; personal opinions, views and preferences; correspondence sent by the DS that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the DS; the name of the DS if it appears with other personal information relating to the DS or if the disclosure of the name itself would reveal information about the DS.

Special personal information (‘SPI’) of employees includes: religious or philosophical beliefs, race or ethnic origin, political persuasion, health, resume, background checks, interview notes and records obtained as part of a pre-employment medical questionnaire/examination.

I came across an interesting article in the course of doing my research on this topic and I believe it provides useful guidelines for practical application despite it being of foreign origin:

Any organisation that collects, stores, uses or discloses personal and sensitive information has certain obligations under Australian privacy laws. However, these obligations are stricter in relation to sensitive information. This is because of how serious the effect of disclosing sensitive information may be on a person’s life. The nature of sensitive information means that if a business inappropriately handles that information, the person affected might suffer:

  • discrimination;
  • mistreatment;
  • humiliation; or
  • embarrassment.

Because of this, sensitive information attracts greater protection under privacy laws than personal information. Businesses that handle this type of information should be very careful.

https://legalvision.com.au/difference-between-personal-and-sensitive-information/

I am sure many of you have listened to a variety of POPI webinars & most of these will have made mention of the 8 principles that underpin POPI. Let’s take a fresh but brief look at these in the employment context:

  • Accountability – it is imperative that POPI is applied in its entirety from the inception of interaction between employer (‘Responsible Party’ – ‘RP’) and employee, bearing in mind that ‘processing’ includes ‘collecting and recording’ of information of and pertaining to the potential employee (DS).
  • Process Limitation – ensure and confirm that consent (‘voluntary, specific and informed’) has been obtained BEFORE any form of processing is carried out. There are allowed exceptions, but ideally PI should be collected from the employee him/herself.
  • Process Specification – this goes hand in hand with the preceding ‘specific and informed’ prerequisite, i.e. the parameters must be explained to the DS and NOT exceeded. POPI goes further and uses the words ‘explicitly defined’, thus making the extent to which the DS must be advised quite clear.
  • Further Processing – must be aligned with the process specification, the nature of which has been explained to the DS, and the consent obtained must be broad enough to encompass this activity and its consequences, such as advising of sharing/disclosing PI with/to third parties.
  • Information Quality – the consent and PI obtained from the DS must be ‘complete and accurate’, so get the DS to confirm this in writing and to give an undertaking to update it if and when required. If documentation pertaining to the DS is obtained from a third party/source, verification is crucial.
  • Openness and Participation – contained in the ‘informed’ aspect of ‘consent’ is that the RP must inform the DS of his/her right to amend or have deleted PI, withdraw consent and lodge a complaint.
  • Security – the DS must be advised that the RP has appropriate security measures in place to prevent loss of or unauthorised access to the PI, and measures that will be implemented to deal with crises.

More practical examples in the next ‘EMPLOYEE’ insert.