Security, POPI Act and Data Protection

POPI Compliance and Protection

Ensure POPI Act Compliance for your Human Resources

Three crucial things to consider:

  • Your employees need to be informed that their data is being stored in some kind of system, what is stored and how.

  • Your business needs a POPI and Data Security HR Policy to ensure your employees know how to work with personal data

  • The HR System you are using need to have all the security and access restrictions in place to ensure your employees personal data is protected

POPI Consent and Opt-In Form

The HRSimplified GENUS system requires your Employees to complete a Consent form to allow your Business to store, process and enrich Employee data.

Please download the form and have your Employees Sign the form, scan it and upload to their profile in HRSimplified under documents to ensure it is stored and secured for future reference.
FREE DOWNLOAD

Send download link to:

I confirm that I have read and agree to the Privacy Policy, and understand our POPI Act Compliance.

Subscribe for exclusive content and recommendations from time to time.

Data Protection Policy (POPI Act) HRP019

Download for a free Data Protection Policy (POPI Act) for your business.

To be completed by all Employees that process or have access to personal data.
FREE DOWNLOAD

Send download link to:

I confirm that I have read and agree to the Privacy Policy, and understand our POPI Act Compliance.

Subscribe for exclusive content and recommendations from time to time.

POPI Act and Compliance

The Protection of Personal Information Act (or POPI Act) is South Africa’s version of the European GDPR act. It describes the conditions for responsible parties to lawfully process and store the personal information of data subjects.

The POPI Act does not stop you from processing and does not require you to get consent from data subjects to process their personal information. Whoever decides to process personal information is responsible for complying with the conditions.

A big part of the POPI act (And GDPR) is to know exactly what Personal data is being stored in the organisation.

It is important to known exactly where every copy of the data is, even if it is being stored in multiple locations. (Like paper files and network locations)

It needs to be clear who has access to that data.

It needs to be possible to report on who has accessed the data and what they have done with the data (Audit logs on data access)

It is required from a Business to prove that security is in place to ensure access to Personal data is restricted.

HRSimplified GENUS’ security, data storage, auditing and user role based access to the data allows the Business to be compliant with the POPI Act.

HRSimplified also stores data for 5 + years making the business compliant with the Department of Labor regulations as well.

The following Personal data is stored per Employee:

  • Organisation name
  • Employee type
  • Employee First Name
  • Employee Middle Name
  • Employee Last Name
  • Organisation team
  • Department
  • Identity number
  • Foreign indicator
  • Passport number
  • Country of origin
  • Work permit number
  • Work permit expiry date
  • Position
  • Gender
  • Marital status
  • Disability status
  • Date of birth
  • Date joined
  • Date Employment Ended
  • Employee manager
  • Payment frequency
  • Gross amount
  • Hourly amount
  • Retirement amount
  • Retirement type
  • Medical amount
  • Medical dependents
  • Skills development amount
  • Tax Status
  • Employee Occupational Category code
  • Employee Occupational Category
  • Employee Occupational Level
  • Payment type
  • Job category
  • Job position
  • Job grading
  • Current Sick days
  • Current annual days
  • Current special days
  • Current study days
  • Current family days
  • Sick days allowed
  • Annual days allowed
  • Special days allowed
  • Study days allowed
  • Family days allowed
  • Ethnic category
  • BEEE Status
  • Email address
  • Cell contact details
  • Home contact details
  • Postal address
  • Physical address

Additional Employee data that can also be stored per employee

  • Employment Contracts
  • Employee Documents
  • Employee Skills
  • Employee Work History
  • Employee Goals
  • Employee performance Review forms
  • Employee HR Notes

With the Roles and permissions structure of HRSimplified GENUS views of the data is possible in a controlled manner.

The Business is responsible for setting up the permissions and roles of the Employees on the system to ensure that the correct people have access to the correct Employee data..

  • A Manager can view limited Employee data for the Employees that report into that Manager
  • A HR Admin user can view data for all Employees in the HRSimplified GENUS system
  • A HR Executive User can view all data including Company data and invoicing data
  • A Employee can only see their own personal and employee data
  • A Receptionist Role can only see the COVID-19 input form for all Employees to allow them to capture COVID data for the Staff. They can also see their own Employee data only.
  • A Project Manger Role can see all project related data and the normal Employee data for their own data.
  • A Finance Admin Role can see all Claims date for All employees but cannot see Employee private and Employee HR related data.

It is important to realize that the Business owner are still responsible for the POPI compliance of their business and the data stored inside HRSimplified GENUS.

HRSimplified GENUS and DataSimplified PTY (Ltd) is responsible to safe guard and secure the data it stores on the HRSimplifed GENUS platform at all times.

HRSimplified GENUS and DataSimplified PTY (Ltd) may not sell or process the Personal data in the HRSimplified GENUS system for reasons other than providing the feature of the HRSimplified system to its users.

The Business owner needs to inform their Employees that their data is stored on the HRSimplified GENUS platform to ensure they comply to the POPI regulations.

Read our POPI and HR Blog for more information HERE

HRSimplified GENUS and POPI
HRSimplified GENUS Dashboard Security

HRSimplified GENUS Security and Communications

  • Based on ASP.NET Identity Framework
  • User & role management pages
  • Hierarchical organization units system to group users and entities
  • User login, register, password-reset and email validation pages
  • User, role and permission based flexible authorization
  • User and Tenant impersonation
  • User account linking
  • User Lockout
  • Log and show all login attempts for users
  • Password complexity settings (Set to the maximum setting to secure data)
  • Automatic Cross-Site Request Forgery (CSRF) protection
  • Session Timeout and Lock Screen
  • Validation
  • Logging
  • Exception handling
  • Caching
  • Automatic audit/security logging

All access to data from the User Interface is handled via an API interface, not allowing any direct access to the Database for any data retrieval.

All data stored in the HRSimplified system is Encrypted at database level. This means that even if a copy of the data could be obtained it would not be usable.

All personal data on Database level is obfuscated by replacing readable characters with incorrect data. This means that even if the data is viewed directly in the database it is not readable to the Support teams.

  • Require digit
  • Require lowercase
  • Require non-alphanumeric
  • Require uppercase
  • Required length of 8 characters
  • User Lock Out after 5 attempts
  • Account locking duration has been set

Sessions time out after a certain time to ensure that all data is protected, even if a user walks away form their workstation while leaving the system unlocked

HRSimplified GENUS has notifications that are sent via email for most actions preformed on the system.

For instance applying for leave will send a email to the applicant and the manager, these emails will be sent for each step of the Leave approval process to keep all parties involved.

HRSimplified GENUS will not use the email addresses of customers for any reason other than notifications.

Data Center Security Standards

Our data centres are all protected by state-of-the-art biometrics with audited movements logs.

The primary data centre boasts the first category-5 circular vault door on the African continent with the inside and outside surrounding areas being monitored 24/7 by CCTV.

Client access to the data center is via supervised appointment only and all visits are recorded.

The Data Center network is protected by state-of-the-art Juniper firewalls, routers, intrusion protection devices and network analyzers to ensure that all traffic in and out of the data center is protected and reaches the correct destination without interception.

Client environments are protected by hosted firewalls, segregating networks to keep communications secure.

As standard practice, the Data Center protects all hosted servers with anti-virus and scans all incoming and outgoing mail traffic for viruses and malware.

All data ports are closed to the outside world, and only traffic from specific IP addresses are allowed to reach specific target Ports on the internal network.

Data Center NOC operates 24/7 to respond to any alerts before they become a serious issue.

  • HP Enterprise Hardware
  • HP Enterprise Highly Available 3PAR Storage
  • Multi Node Hyper-V Failover Clusters

We use Veeam to protect your Virtual Servers.

  • 50 Recovery Points included
  • 31 Daily Recovery Points (Onsite-Disk)
  • 3 Daily Recovery Points (Offsite-Disk)
  • 11 Monthly Recovery Points (Offsite-Tape)
  • 5 Yearly Recovery Points (Offsite-Tape)
  • Dedicated Isolated Network (VLAN)
  • Shared or Dedicated Firewall
  • Two-Factor Authentication
  • VPN
  • DMZ (servers deployed behind a Cloud Hosted Virtual Router)
  • NAT
  • Reverse Proxy
  • Antivirus
  • Load Balancer
HRSimplified GENUS Data Center Security

Lets Talk About Your HR Needs

    captcha