Does HR data processing require registration under data protection laws?
Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration before the Data Protection Authority and random audits.
In South Africa, the person at the employer who is given the Information Officer role is responsible for:
- encouraging compliance with the Personal Information Protection Act, (POPIA);
- handling requests made under POPIA;
- otherwise ensuring the employer’s compliance with POPIA provisions;
- working with the Regulator in the event of POPIA investigations; and,
- other responsibilities, as prescribed.
The Information Officer must be registered with the Regulator. Employers are generally not required to register data under the Protection of Personal Information Act. That said, responsible parties must get permission from Information Regulators in certain instances, including when:
- the employer plans to process unique identifiers of data subjects for a purpose other than the one for which the data was originally collected and plans to link that data with information processed by other parties (Sec. 57(1)(a), POPIA); or,
- special personal information and/or children’s personal information is being transferred to a third party in a foreign country that doesn’t provide an adequate level of protection for processing personal information (Sec. 57(1)(d), POPIA). Special personal information includes: religious/ philosophical beliefs, race/ethnicity, trade union membership, political persuasion, health/sex life, biometric information, and criminal behavior relating to alleged offences/proceedings.
Responsible parties are also expected to register data in advance with the Information Regulator when personal information is being processed for the purposes of credit reporting or behavior or objectionable conduct on behalf of third parties (Sec. 57(1)(b) and (c), POPIA).
