SASLAW SEMINAR
11 JUNE 2013
Pamela Stein
The employment contract and POPI

TODAY'S PRESENTATION
• POPI: general overview and key terms
• Eight conditions for lawful processing of personal information
• Data subject/employee rights
• Responsible party/employer obligations
• Recruitment and selection
• Employment records
• Special personal information

WHY THE NEED FOR POPI?
• Is a constitutional imperative - informational privacy balanced with other rights
• Enhances the individual's ability to protect personal information - rights and remedies created
• Allows SA to be internationally competitive in the information age - regulation in accordance with international standards

POPI LEGISLATIVE HISTORY
• The 9th draft of the Bill was adopted by the National Assembly in September 2012. See the WW website, Information Law and Data Protection page, under "Useful Links" on the right hand side: http://www.webberwentzel.com/wwb/content/en/ww/information-law
• Now --- NCOP --- National Assembly ---
• Now imminent
• Once enacted, period of 1 year (or 3 if Minister extends) to get house in order with information that is being processed at the time of the Act
• EU: history and recent developments

WHAT POPI REGULATES
• Regulates every aspect of the processing of personal information from its collection to its destruction
• POPI regulates any processing of personal information of a data subject by the responsible party or operator
• So once POPI is in force, it will regulate all processing of personal information of a responsible party's employees

PERSONAL INFORMATION
• Personal Information means information relating to an identifiable, living natural person, and where applicable juristic person, including:
  o information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person
  o education or the medical, criminal, employment or financial history of a person
  o identifying number, email address, telephone and physical address, location info, online identifier
  o biometric information
  o personal opinions, views or preferences of the data subject
  o explicitly or implicitly private or confidential correspondence
  o views of others about that person
  o name if name would reveal information about the person

KEY DEFINITIONS
• "Processing" means collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as restriction, erasure or destruction of information
• "Special Personal Information" means data subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, biometric information, criminal behaviour – alleged commission by data subject of an offence or any proceedings in respect of this offence
• "Responsible party" - public or private body which alone or in conjunction with others determines the purpose of and means for processing personal information
• "Operator" - person who processes PI for responsible party in terms of contract or mandate
• "Information Officer" – is the CEO or equivalent officer or any person duly authorised by that officer.
  Every responsible party must appoint an information officer to ensure compliance by the responsible party with provisions of the Act, and the officer must be registered with the Regulator

LAWFUL PROCESSING
• The heart of POPI
• Lawful processing must comply with eight data protection conditions
• Making POPI accessible to all: Sections 4 and 5 of POPI
• Proactive approach: data protection by design

APPLICATION OF POPI
Overview of application
• Applies to processing of PI of data subject entered into a record by or for responsible party who is domiciled in the Republic or, where not domiciled in the Republic, makes use of automated or non-automated means to process PI in the Republic (unless used solely to forward PI through the Republic)
• Irrelevant where data subject is domiciled – domicile of responsible party is key
• Data subjects include natural and juristic persons, e.g. employees, customers, clients, suppliers, contractors
• If other legislation contains more extensive provisions regarding the lawful processing of PI, that legislation will prevail; otherwise POPI applies

DATA PROTECTION CONDITIONS
• Condition 1: Accountability
• Condition 2: Processing limitation
• Condition 3: Purpose specification
• Condition 4: Further processing limitation
• Condition 5: Information quality
• Condition 6: Openness
• Condition 7: Security safeguards
• Condition 8: Data subject participation

CONDITION 1: ACCOUNTABILITY
• Responsible party to ensure conditions for lawful processing

CONDITION 2: PROCESSING LIMITATION
• Lawfulness of processing
• Minimality
• Consent, justification and objection
• Collection directly from data subject

CONDITION 3: PURPOSE SPECIFICATION
• Collection for specific purpose
• Retention and restriction of records

CONDITION 4: FURTHER PROCESSING LIMITATION
• Further processing to be compatible with purpose of collection

CONDITION 5: INFORMATION QUALITY
• Quality of information

CONDITION 6: OPENNESS
• Documentation
• Notification to data subject when collecting personal information

CONDITION 7: SECURITY SAFEGUARDS
• Security measures on integrity of personal information
• Information processed by operator or person acting under authority
• Security measures regarding information processed by operator
• Notification of security compromises

CONDITION 8: DATA SUBJECT PARTICIPATION
• Access to personal information
• Correction of personal information
• Manner of access

DATA SUBJECT/EMPLOYEE RIGHTS
• the right to have personal information lawfully processed
• notification of processing and unlawful access
• access rights
• right to correction, destruction or deletion
• right to object to the processing
• not to be subject to a decision which is based solely on the basis of the automated processing of personal information
• right to complain to the Regulator and institute civil proceedings regarding interference with its personal information

RESPONSIBLE PARTY/EMPLOYER'S OBLIGATIONS
Must comply with all the conditions for lawful processing of employee's PI:
• Accountability, as referred to in section 8;
• Processing limitation, as referred to in sections 9 to 12;
• Purpose specification, as referred to in sections 13 and 14;
• Further processing limitation, as referred to in section 15;
• Information quality, as referred to in section 16;
• Openness, as referred to in sections 17 and 18;
• Security safeguards, as referred to in sections 19 to 22; and
• Data subject participation, as referred to in sections 23 to 25.

PROCESSING OF SPECIAL PERSONAL INFORMATION
• Special Personal Information = religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, biometric information, criminal behaviour
• Prohibition on processing special personal information UNLESS there is:
  o CONSENT, or
  o processing is necessary for the establishment, exercise or defence of a right or obligation in law
• Cannot disclose any special personal info without consent

AUTHORISATION FOR PROCESSING SPECIAL PERSONAL INFO
• data subject's religious or philosophical beliefs
• race or ethnic origin
• trade union membership
• political persuasion
• health or sex life
• criminal behaviour

RECRUITMENT
• advertising: who is receiving the information
• specify the purpose of the information
• only relevant personal information = recruitment decision
• criminal convictions? Only if relevant to the job offered
• collection of information from other sources? Disclose
• collection of special personal information? Ensure that it is relevant and that all necessary conditions are satisfied
• provide a secure method for sending applications

VERIFICATION OF DATA
• Explain that verification will take place
• Use credible 3rd party verification agencies
• Consent for disclosure from 3rd parties
• Facebook?
• Provide applicant with an opportunity to make representations on any of the checks should discrepancies arise

SHORTLISTING AND SELECTION
• Automated shortlisting? Appeal?
• Interviewee's right to access interview notes
• Pre-employment vetting – only where particular and significant risks involved, at the latest stage possible
• Disclose vetting procedure
• Retention of recruitment records: how long?
• Destruction of interview notes after a period of time

EMPLOYMENT RECORDS
• distinguish between records that include special personal information and those that do not
• disclosure of records kept to employee
• access rights
• up-to-date and accurate
• security
• sickness and injury records
• pension and provident fund schemes
• references
• third-party disclosure requests
• mergers and acquisitions

RETENTION OF EMPLOYMENT RECORDS
• records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected unless –
  o required or authorised by law;
  o required by a contract between the parties
  o consent
  o historical, statistical or research purposes
  o personal information has been used to make a decision about the data subject
• thereafter destruction or deletion

THANK YOU
PAMELA STEIN: pamela.stein@webberwentzel.com