Often employees’ personal information is the last thing we think of when wrestling with our Protection of Personal Information (POPI) compliance, but they should not be. Employees do not only play a role in getting and keeping companies compliant with POPI but are also data subjects themselves. This means that we need to be POPI compliant when collecting, using, storing, and deleting our employees’ personal information. This is often easier said than done, as employers often just don’t know how to practically comply with POPI regarding their employees’ personal information.
When collecting personal information, we must be aware that we may need consent from our employees to collect and use their personal information depending on what type of personal information it is. If we are collecting or using any personal information concerning an employee’s race, ethnic origin, trade union membership, political persuasion, health i.e. vaccination status, or biometric information, we need to get consent from our employees to collect, use and store the personal information and we also need to keep proof of the consent on file.
When using our employees’ personal information, we must be aware that we may only use it for the purpose for which it was collected, and these purposes must be communicated to the employee.
When storing our employees’ personal information, whether electronically or in hard copy, we must be aware that we need to have safety measures in place to protect against the loss, damage, or unauthorised access of the personal information. Access to hard copy files should be limited and should be behind lock and key, either in an office or a cabinet. Access to electronic files should also be limited and we need to have adequate information security measures in place. The requirement in this instance is dependent upon the basics already employed within the workplace, but you should have the basics in place, such as, passwords protecting your computers and limiting access to your network or wi-fi.
To determine whether you are on track with your POPI compliance regarding your employees’ personal information, you can utilise the below checklist. Not all questions will be applicable to all companies, however if you answer NO to two or more of the questions relevant to your company, you are likely in breach of POPI.
Have you registered an information officer for your company?
1. Have you received consent from your employees to collect, use or store their biometric information?
2. Have you received consent from your employees to collect, use or store their trade union membership?
3. Have you received consent from your employees to collect, use or store their vaccination status?
4. Have you received consent from your employees to collect, use or store their race or ethnic origin?
5. Have you received consent from your employees to collect, use or store their personal information outside of South Africa?
6. Are your hardcopy human resource files stored securely in a locked office/cupboard?
7. Are your softcopy human resource files stored securely with the necessary information technology security in place?
8. Do you have a clean desk policy or similar measure to ensure no personal information is left lying around?
9. Do you have a data protection policy or similar measure that governs how you collect, use, store or process your employees’ data?
10. Have you informed your employees about what personal information you have about them?
11. Have you informed your employees about how you use your employees’ personal information?
12. Have you informed your employees about how you protect their personal information?
13. Have you informed your employees about how long you keep their personal information?
Contact LabourNet today to assist you with all your POPI needs or to conduct a free risk assessment to check your compliance status!
T: +27(0)31 266 6570
C: +27 (0)82 786 7480