The POPI Act in short.
The Protection of Personal Information Act (or POPI Act) is South Africa’s version of the European GDPR act. It describes the conditions for responsible parties to lawfully process and store the personal information of data subjects.
The POPI Act does not stop you from processing and does not require you to get consent from data subjects to process their personal information. Whoever decides to process personal information is responsible for complying with the conditions.
There are eight general conditions, they are listed below. The responsible party is also responsible for their operators (those who process the data for them – Internal and External) to meet the conditions.
The POPI Act is important because it protects data subjects from harm, like theft and discrimination. The risks of non-compliance include reputational damage, fines, and criminal charges, and paying out claims to data subjects. The biggest risk, after reputational damage, is a fine for failing to protect personal data (Especially Account numbers).
What are the 8 conditions laid out by the POPI Act?
There are 8 key conditions that are introduced by the POPI act. Any entity (both natural and juristic persons) that processes, stores or controls personal information must comply with these key conditions of the POPI act.
1. You are accountable, no excuses.
The responsible party will be held accountable for the management and implementation of the items mentioned above.
2. Limitations on how you may process Personal data.
Personal information must be processed in accordance with the law. It must be managed and stored in a secure and careful manner and may not intrude on the privacy of the person whose information is being processed.
3. Don’t over process the personal data.
Information may not be processed beyond the initial purpose, why it was collected, that would make it incompatible with the original purpose.
4. All information must have a reason.
The information must only be collected for a specific reason, which is properly and clearly defined and must be for legitimate purposes. The information may not be kept for longer than needed. Data cannot be kept indefinitely if it is not being used anymore.
5. Make sure the data is accurate.
The person collecting the data must take steps to ensure that the data is complete, accurate, up to date, and not misleading in any way.
6. Security is most important.
You are required to ensure the integrity of the data as well as protecting it from unauthorised access in your organisation and from external parties.
7. Right to know how much and what.
Details of what data and information is being collected must be made available to the person requesting the information, free of charge. They must understand what data is being collected, why such data is being collected, how it is stored, where it is stored and that they have the right to request that it be discarded after its initial purpose has been met.
8. Be honest about your intent.
Personal information may only be collected by someone who has given notice to or disclosed the requirements, the purpose of, and the reason to the person concerned. Consent should be obtained.
What can happen to me?
Directors of any company must take a leading role in the implementation of measures that ensure POPI Act compliance. Penalties for non-compliance are severe and can result in fines of up to R10 million, or a jail sentence of up to 10 years. To avoid non-compliance, it is recommended that professional advice be taken.
How does POPI impact my HR practices and Employee data.
Employee data is personal data. This means that your business needs to protect the personal data of your Employees at all costs.
If we look at where personal information is used in business, we sometimes cannot believe how much data is available on the company network, on paper forms lying in an “in-tray”, on leave applications waiting to be processed, and in all the personnel files stored in the HR office.
If employee data turned into Gold overnight (keep in mind that it has about the same value) you would rush to the office and lock all HR files up in a safe and protect the combination with your life!
Don’t forget that your HR files and data that are kept in paper files are prone to being lost, misplaced and even copied without your knowledge.
What to keep in mind for you HR data:
All HR data needs to be kept for 5 years (Regulation states this for the Basic Conditions of Employment act and as laid out by the Department of labor)
Basically all Employee data has a personal identifier to indicate the Employee who it belongs to, this does mean it is protected by POPI.
Example: You cannot have Leave forms, or printed out emails lying around with a person’s name on it.
Some of the sensitive HR data that is considered under POPI as being Personal Information:
- Race / nationality / ethnic / social origin / colour
- Gender / sex
- Marital status
- Sexual orientation
- Physical or mental health / well-being / disability
- Religion / conscience / belief
This is extended by any educational, medical, criminal, employment, or financial information.
Do not worry, there are solutions out there that can help your with being compliant to the POPI Act, and it could be as simple as implementing an Online HR platform like HRSimplified.
Most of these Online systems come with additional benefits like:
- Secure access to all data from anywhere. The HR team can now also work remote and have access to secure and password protected data. (POPI Act requirement)
- Allow limited views of the data, with controlled access to the data on User level. (POPI Act requirement)
- No more Loosing paper-based files and data. Online Data is always available, and backups are made of all data to ensure the redundancy and security. (POPI Act requirement)
- Stronger security exists in these SaaS solutions since the ownership of the security is placed on the Vendor. They must spend more money on security, than you can spend securing your office and network. (POPI Act requirement)
- Reduce overheads for storing paper-based files and off-site backup costs.
- Reduce stationery and printing costs for paper forms and files.
- Reduce processing time for online processes rather than paper based.
- Expand what you store about your Employees with detailed online records, and ensure your data is structured and complete.
- HR Reporting and HR Analytics become trivial and easy, but also secure since you are in control of who has access to the reports.
Read more about our Paperless offering HERE
For more information about how HRSimplified can assist you in being POPI Compliant, please book a consultation with our Sales team.