09 Aug 2021

POPI Insert #6 Employees – Insert #3


Aspects that need to be addressed with and regarding employees include training, employee contracts, the challenges for both parties and, finally, what seems to be the immediate future, namely remote working or, as it is more popularly known, work from home (‘WFH’).

Training is not only recommended, it is a POPI-prescribed requirement. The following is a cryptic but not exhaustive list of what needs to be addressed when training your employees; bear in mind that all levels, from ‘shop front’ to management, need to be trained. POPI in fact envisages (as one of the job requirements) that training should be done by the appointed Information Officer (‘IO’), hence my view that, despite the extension of the deadline for the application/appointment of the IO, it is advisable to go ahead with it right now. Here are the topics:

GENERICALLY FROM A BUSINESS PERSPECTIVE I.E. WHEN EMPLOYEES ARE DEALING WITH PUBLIC/CLIENTS

*       What is POPI & GDPR (if applicable)?

*       Compare POPI & GDPR

*       What is personal information (‘PI’) and special personal information (‘SPI’)?

*       What is ‘consent’ & how is it obtained? 

*       What is ‘processing’, what ‘processing’ does the business (‘Responsible Party’ – ‘RP’) do?

*       How does the employee need to ensure any processing is specific, adequate, relevant to the requirements, functions and activities of the RP and not excessive?

*       Advising the client (‘the Data Subject’ – ‘DS’) if PI has not been obtained from the DS

*       Policies such as retention, storage, deletion/destruction, access to and sharing of PI, direct marketing, security (identify potential risks, establish safeguards against identified risks, and regularly update), breaches and password management (I believe there is a degree of overlap with the Privacy Policy – ‘PP’) – read with section 18 of POPI

*       Social media        

*       Dangers/threats to the business: loss/misplacement of a laptop, mobile phone or USB, and leaving a laptop on while unattended

MORE SPECIFICALLY, CONTRACTUALLY BETWEEN EMPLOYER & EMPLOYEE (INCLUDES MOST OF THE ABOVE BUT NOW THE DS IS THE EMPLOYEE!)

*       What is the PI of the employee? This can entail anything associated with the employee and contained in a record, e.g. personal details, disciplinary records, medical information, information about applicants for employment and enquiries about their previous employment history.

*       The RP must explain to the employee when it does not need the employee’s consent regarding PI or SPI, e.g. consent is required regarding trade union membership but not for intercepting communications pertaining to the carrying on of the business, processing banking information for payroll purposes, meeting statutory obligations such as the Employment Equity Act, or where the processing is necessary for pursuing the legitimate interests of the responsible party (in this case the employer) or of a third party to whom the information is supplied

*       Employees are entitled to know what PI of theirs is held by the RP

*       When the RP appoints a third party to process PI and/or SPI of the employee, a contract with such third party is required and it must adequately address all POPI and confidentiality requirements

*       The RP must advise the employee of their right to address any complaints to the IR   

*       Current employment contracts must be reviewed, as RICA compliance itself is not adequate – many of the issues mentioned above need to be addressed, discussed, recorded in writing and contained in a revised employment contract or an addendum thereto signed by the parties.

More about the pros and cons of work from home (‘WFH’) and more about liability issues in the next ‘EMPLOYEE’ insert.