SASLAW Seminar_ POPI Presentation.11.06.2013 (2)

SASLAW SEMINAR
11 JUNE 2013
Pamela Stein
The employment contract and POPI
TODAY’S PRESENTATION
 POPI: general overview and key terms :
 Eight conditions for lawful processing of personal
information:
 data
subject/employees
party/employer obligations:
rights
=
responsible
 recruitment and selection:
 employment records:
 special personal information:
2
WHY NEED FOR POPI?
• Is a constitutional imperative -informational privacybalanced with other rights
• Enhances the individual’s ability to protect personal
information-rights and remedies created
• Allows SA to be internationally competitive in the
information
age-regulation
in
accordance
with
international standards
3
POPI LEGISLATIVE HISTORY
• The 9th draft of the Bill was adopted by the National
Assembly in September 2012. WW website Information
Law and Data Protection page under "Useful Links" on the
right hand side
http://www.webberwentzel.com/wwb/content/en/ww/information-law
• Now --- NCOP --- National Assembly --• Now imminent
• Once enacted, period of 1 year (or 3 if Minister extends) to
get house in order with information that is being
processed at the time of the Act
• EU : History and recent developments
4
WHAT POPI REGULATES
• Regulates every aspect of the processing of personal
information from its collection to its destruction
• POPI regulates any processing of personal information of a
data subject by the responsible party or operator
• So once POPI is in force, it will regulate all processing of
personal information of a responsible party’s employees
5
PERSONAL INFORMATION
• Personal Information means information relating to an identifiable,
living natural person, and where applicable juristic person, including:
 information relating to the race, gender, sex, pregnancy, marital
status, national, ethnic or social origin, colour, sexual orientation,
age, physical or mental health, well-being, disability, religion,
conscience, belief, culture, language and birth of the person
 education or the medical, criminal, employment or financial history
of a person
 identifying number, email address, telephone and physical address,
location info, online identifier
 biometric information
 personal opinions, views or preferences of the data subject
 explicitly or implicitly private or confidential correspondence
 views of others about that person
 name if name would reveal information about the person
6
KEY DEFINITIONS
• “Processing” means collection, receipt, recording,
organisation, collation, storage, updating or modification,
retrieval, alteration, consultation, use, dissemination by
means of transmission, distribution or making available in
any other form, merging, linking, as well as restriction,
erasure or destruction of information
• “Special Personal Information” means data subject’s
religious or philosophical beliefs, race or ethnic origin,
trade union membership, political persuasion, health,
sexual life, biometric information, criminal behaviour –
alleged commission by data subject of an offence or any
proceedings in respect of this offence
7
KEY DEFINITIONS
• “Responsible party” - public or private body which alone or
in conjunction with others determines the purpose of and
means for processing personal information
• “Operator” - person who processes PI for responsible party
in terms of contract or mandate
• “Information Officer” – is the CEO or equivalent officer or
any person duly authorised by that officer. Every
responsible party must appoint an information officer to
ensure compliance by the responsible party with provisions
of the Act, and the officer must be registered with the
Regulator
8
LAWFUL PROCESSING
 The heart of POPI Lawful processing must comply with
eight data protection conditions
 Making POPI Accessible to all: Sections 4 and 5 of POPI
 Proactive approach: Data protection by design
9
APPLICATION OF POPI
Overview of application
 Applies to processing of PI
 of data subject
 entered into a record by or for responsible party
 who is domiciled in the Republic or, where not domiciled in the
Republic, makes use of automated or non-automated means to
process PI in the Republic (unless used solely to forward PI through
the Republic)
 irrelevant where data subject is domiciled – domicile of responsible
party is key
 Data subjects include natural and juristic person eg employees,
customers, clients, suppliers contractors
 If other legislation contains more extensive provisions regarding the
lawful processing of PI, that legislation will prevail otherwise POPI
applies
10
DATA PROTECTION CONDITIONS
 Condition 1: Accountability
 Condition 2: Processing limitation
 Condition 3: Purpose Specification
 Condition 4: Further Processing Limitation
 Condition 5: Information quality
 Condition 6: Openness
 Condition 7 : Security Safeguards
 Condition 8: Data participation
11
CONDITION 1: ACCOUNTABILITY
 Responsible party to ensure conditions for lawful
processing
CONDITION 2: PROCESSING LIMITATION
 Lawfulness of processing
 Minimality
 Consent, justification and objection
 Collection directly from data subject
CONDITION 3: PURPOSE SPECIFICATION
 Collection for specific purpose
 Retention and restriction of records
12
CONDITION 4: FURTHER PROCESSING LIMITATION
 Further processing to be compatible with purpose of
collection
CONDITION 5: INFORMATION QUALITY
 Quality of information
CONDITION 6: OPENNESS
 Documentation
 Notification to data subject when collecting personal
information
13
CONDITION 7: SECURITY SAFEGUARDS
 Security measures on integrity of personal information
 Information processed by operator or person acting under
authority
 Security measures regarding information processed by
operator
 Notification of security compromises
CONDITION 8: DATA SUBJECT PARTICIPATION
 Access to personal information
 Correction of personal information
 Manner of access
14
DATA SUBJECT/EMPLOYEE RIGHTS
• the right to have personal information lawfully
•
•
•
•
•
•
processed
notification of processing and unlawfully access
access rights
right to correction, destruction or deletion
right to object, to the processing
not to be subject to a decision which is based solely
on the basis of the automated processing of
personal information
right to complain to the Regulator and institute civil
proceedings regarding interference its personal
information
15
RESPONSIBLE PARTY/EMPLOYER’S
OBLIGATIONS
 Must comply with all the conditions for lawful processing of
employee’s PI:
 Accountability, as referred to in section 8;
 Processing limitation as referred to in sections 9 to 12;
 Purpose specification as referred to in sections 13 and 14;
 Further processing limitation as referred to in section 15;
 Information quality as referred to in section 16;
 Openness as referred to in sections 17 and 18;
 Security safeguards as referred to in sections 19 to 22; and
 Data subject participation as referred to in sections 23 to 25.
16
PROCESSING OF SPECIAL PERSONAL
INFORMATION
• Special Personal Information = religious or philosophical
beliefs, race or ethnic origin, trade union membership,
political persuasion, health, sexual life, biometric
information, criminal behaviour –
• Prohibition on processing special personal information
UNLESS there is :
• CONSENT
• or
• Processing is necessary for the establishment, exercise or
defence of a right or obligation in law;
• Cannot disclose any special personal info without consent
17
AUTHORISATION FOR PROCESSING SPECIAL
PERSONAL INFO
data subject’s
 religious or philosophical beliefs
 race or ethnic origin
 trade union membership
 political persuasion
 health or sex life
 criminal behaviour
18
RECRUITMENT








advertising
who is receiving the information
specify the purpose of the information
only relevant personal information =recruitment
decision
criminal convictions? Only if relevant to the job
offered
collection of information from other sources?
Disclose
collection of special personal information? Ensure
that it is relevant and that all conditions necessary
satisfied
provide a secure method for sending applications
19
VERIFICATION OF DATA
• Explain that verification will take place
• Use credible 3rd party verification agencies
• Consent for disclosure from 3rd parties
• Facebook?
• Provide applicant with
an opportunity to make
representations on any of the checks should
discrepancies arise
20
SHORTLISTING AND SELECTION
 Automated shortlisting? Appeal?
 Interviewee’s right to access interview notes
 Pre-employment vetting – only where particular and
significant risks involved at the latest stage possible
 Disclose vetting procedure
 Retention of recruitment records: how long?
 Destruction of interview notes after a period of time
21
EMPLOYMENT RECORDS
 distinguish between records that include special
personal information and those that do not
 disclosure of records kept to employee
 access rights
 up-to-date and accurate
 security
 sickness and injury records
 pension and Provident fund schemes
 references
 third-party disclosure requests
 mergers and acquisitions
22
RETENTION OF EMPLOYMENMT RECORDS
• records of personal information must not be
retained any longer than is necessary for achieving
the purpose for which the information was collected
unless –
o required or authorised by law;
o required by a contract between the parties
o consent
o historical, statistical or research purposes
o personal information has been used to make a
decision about the date subject
• thereafter destruction or deletion
23
THANK YOU
PAMELA STEIN: pamela.stein@webberwentzel.com
24