What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
South Africa’s Constitution sets the foundation for privacy in the country, giving everyone the right to privacy, including “the right not to have…the privacy of their communications infringed” (Sec. 14).
The Protection of Personal Information Act, 2013 (POPIA) regulates and sets the standard that public and private bodies must follow. All responsible parties that process personal information, including employers, must be fully compliant with POPIA by July 2021. Under POPIA, employers (and other data processors) must follow certain parameters to process personal information, including:
- processing data in a reasonable manner that doesn’t infringe on the privacy of the individual;
- limiting processing to what’s adequate, relevant and not excessive;
- only processing data with the individual’s consent, to comply with a legal obligation, or for another permitted reason;
- only collecting personal information directly from the employee (with a few exceptions);
- retaining personal information for no longer than necessary under law, contract between parties or other permitted reason;
- collecting personal employee data only for a specific purpose (any additional processing must be compatible with the original purpose);
- taking reasonable steps to ensure the accuracy and completeness of information, and to ensure information isn’t misleading and is updated as necessary;
- informing the employee about the personal data being collected about them, along with their rights related to the collection;
- taking appropriate security measures; and,
- giving individuals access to the personal information that is being collected about them.
Under POPIA, processing sensitive personal information may require the consent of the employee. Sensitive personal information includes information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and/or criminal behavior.
In addition, Regulations Relating to the Protection of Personal Information were published in December 2018. These Regulations further define the requirements outlined in POPIA.
The current authority responsible for enforcement of data privacy law and regulations in South Africa is the Information Regulator (South Africa).