top of page
Writer's pictureJohn Botha

Protecting Personal Information in HR: A Guide to POPIA Compliance

The Protection of Personal Information Act (POPIA) was signed into law in South Africa. Most of its operational provisions only came into force on July 1, 2020. The purpose of POPIA is to safeguard the personal information of citizens, whether processed by public or private institutions. It aims to balance the right to privacy with other rights, including access to information.


Data Subjects in the HR Context:

In the HR domain, there are several data subjects whose personal information is processed:

  1. Job Applicants: Individuals applying for positions within an organization.

  2. Employees: Current staff members, including permanent, temporary, and contract workers.

  3. Unions: Employee representative bodies.

  4. Training Providers: Entities involved in employee training and development.

  5. Other Service Providers.


Operators and Operator Agreements

  • Operators are entities that process personal information on behalf of data controllers (employers). Examples include outsourced payroll service providers, training service providers, pension funds, and medical aids.

  • When an operator processes personal information, a formal operator agreement must be in place. This agreement outlines the responsibilities and obligations of both parties regarding data protection.


De-Identification and Destruction of Personal Information

  • Employers must adhere to statutory retention periods specified in various acts, such as the Labour Relations Act, Skills Development Act, Employment Equity Act, UIF Act, COID Act, and OHS Act.

  • After these retention periods expire, personal information should be either de-identified (rendered anonymous) or destroyed securely.


Ensuring Systems Integrity and Security

  • HR functions must maintain systems integrity by implementing robust security measures:

    • Firewalls: Protecting HR databases and systems from unauthorized access.

    • Encryption: Safeguarding sensitive data during transmission and storage.

    • Backups: Regularly backing up HR data to prevent loss.

  • Incident Response Plans: HR teams should have protocols in place to handle data breaches or security incidents promptly.


Annual POPIA Refresher Training

  • Mandatory Training: Regular training sessions for HR staff ensure awareness of POPIA requirements.

  • Topics covered may include:

    • Understanding POPIA: Familiarizing employees with the act’s provisions.

    • Handling Personal Information: Proper collection, use, and storage.

    • Rights of Data Subjects: Educating staff about data subjects’ rights.

    • Reporting Incidents: Procedures for reporting breaches.


Compliance with POPIA is essential for HR functions to protect personal information, respect privacy rights, and avoid penalties. By understanding the act’s requirements, implementing necessary measures, and providing ongoing training, organizations can create a secure and privacy-conscious HR environment.


Computer keyboard with a blue key labelled 'Personal Information' and a padlock icon, symbolizing data security.



13 views

Comments


bottom of page