SASLAW Seminar_ POPI Presentation.11.06.2013 (2)


Pamela Stein

The employment contract and POPI

SASLAW SEMINAR 11 JUNE 2013

TODAY’S PRESENTATION

• POPI: general overview and key terms

• Eight conditions for lawful processing of personal information

• Data subject/employee rights and responsible party/employer obligations

• Recruitment and selection

• Employment records

• Special personal information

WHY THE NEED FOR POPI?

• It is a constitutional imperative: informational privacy balanced with other rights

• It enhances the individual's ability to protect personal information: rights and remedies are created

• It allows SA to be internationally competitive in the information age: regulation in accordance with international standards

POPI LEGISLATIVE HISTORY

• The 9th draft of the Bill was adopted by the National Assembly in September 2012. See the WW website, Information Law and Data Protection page, under "Useful Links" on the right hand side: http://www.webberwentzel.com/wwb/content/en/ww/information-law

• Now: NCOP, then National Assembly; enactment now imminent

• Once enacted, there is a period of 1 year (or 3 if the Minister extends it) to get one's house in order with respect to information that is being processed at the time of the Act

• EU: history and recent developments

WHAT POPI REGULATES

Regulates every aspect of the processing of personal information from its collection to its destruction

POPI regulates any processing of personal information of a data subject by the responsible party or operator

So once POPI is in force, it will regulate all processing of personal information of a responsible party’s employees


PERSONAL INFORMATION

Personal Information means information relating to an identifiable, living natural person, and where applicable a juristic person, including:

• information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person

• education or the medical, criminal, employment or financial history of a person

• identifying number, email address, telephone and physical address, location information, online identifier

• biometric information

• personal opinions, views or preferences of the data subject

• explicitly or implicitly private or confidential correspondence

• views of others about that person

• name, if the name would reveal information about the person

KEY DEFINITIONS

• "Processing" means collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as restriction, erasure or destruction of information

• "Special Personal Information" means a data subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, biometric information, criminal behaviour (the alleged commission by the data subject of an offence, or any proceedings in respect of this offence)

KEY DEFINITIONS

“Responsible party” - public or private body which alone or in conjunction with others determines the purpose of and means for processing personal information

• "Operator" - person who processes PI for the responsible party in terms of a contract or mandate

• "Information Officer" - the CEO or equivalent officer, or any person duly authorised by that officer. Every responsible party must appoint an information officer to ensure compliance by the responsible party with the provisions of the Act, and the officer must be registered with the Regulator

LAWFUL PROCESSING

The heart of POPI: lawful processing must comply with eight data protection conditions

Making POPI accessible to all: sections 4 and 5 of POPI

Proactive approach: data protection by design

APPLICATION OF POPI

Overview of application

Applies to processing of PI

of data subject

entered into a record by or for responsible party

who is domiciled in the Republic or, where not domiciled in the Republic, makes use of automated or non-automated means to process PI in the Republic (unless used solely to forward PI through the Republic)

irrelevant where data subject is domiciled – domicile of responsible party is key

Data subjects include natural and juristic persons, e.g. employees, customers, clients, suppliers and contractors

If other legislation contains more extensive provisions regarding the lawful processing of PI, that legislation will prevail otherwise POPI applies


DATA PROTECTION CONDITIONS

Condition 1: Accountability

Condition 2: Processing limitation

Condition 3: Purpose Specification

Condition 4: Further Processing Limitation

Condition 5: Information quality

Condition 6: Openness

Condition 7 : Security Safeguards

Condition 8: Data subject participation

CONDITION 1: ACCOUNTABILITY

Responsible party to ensure the conditions for lawful processing are met

CONDITION 2: PROCESSING LIMITATION

Lawfulness of processing

Minimality

Consent, justification and objection

Collection directly from data subject

CONDITION 3: PURPOSE SPECIFICATION

Collection for specific purpose

Retention and restriction of records

CONDITION 4: FURTHER PROCESSING LIMITATION

Further processing to be compatible with purpose of collection

CONDITION 5: INFORMATION QUALITY

Quality of information

CONDITION 6: OPENNESS

Documentation

Notification to data subject when collecting personal information

CONDITION 7: SECURITY SAFEGUARDS

Security measures on integrity of personal information

Information processed by operator or person acting under authority

Security measures regarding information processed by operator

Notification of security compromises

CONDITION 8: DATA SUBJECT PARTICIPATION

Access to personal information

Correction of personal information

Manner of access

DATA SUBJECT/EMPLOYEE RIGHTS

• the right to have personal information lawfully processed

• notification of processing and of unlawful access

• access rights

• right to correction, destruction or deletion

• right to object to the processing

• right not to be subject to a decision based solely on the automated processing of personal information

• right to complain to the Regulator and to institute civil proceedings regarding interference with its personal information

RESPONSIBLE PARTY/EMPLOYER’S OBLIGATIONS

Must comply with all the conditions for lawful processing of employee’s PI:

Accountability, as referred to in section 8;

Processing limitation as referred to in sections 9 to 12;

Purpose specification as referred to in sections 13 and 14;

Further processing limitation as referred to in section 15;

Information quality as referred to in section 16;

Openness as referred to in sections 17 and 18;

Security safeguards as referred to in sections 19 to 22; and

Data subject participation as referred to in sections 23 to 25.


PROCESSING OF SPECIAL PERSONAL INFORMATION

• Special Personal Information = religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, biometric information, criminal behaviour

• Prohibition on processing special personal information UNLESS there is:

• CONSENT, or

• processing is necessary for the establishment, exercise or defence of a right or obligation in law

• Cannot disclose any special personal information without consent

AUTHORISATION FOR PROCESSING SPECIAL PERSONAL INFO

data subject’s

religious or philosophical beliefs

race or ethnic origin

trade union membership

political persuasion

health or sex life

criminal behaviour


RECRUITMENT

   

advertising who is receiving the information specify the purpose of the information only relevant personal information =recruitment decision

criminal convictions? Only if relevant to the job offered

collection of information from other sources? Disclose

collection of special personal information? Ensure that it is relevant and that all conditions necessary satisfied

provide a secure method for sending applications


VERIFICATION OF DATA

Explain that verification will take place

Use credible 3rd party verification agencies

Consent for disclosure from 3rd parties

Facebook?

Provide applicant with an opportunity to make representations on any of the checks should discrepancies arise


SHORTLISTING AND SELECTION

     

Automated shortlisting? Appeal?

Interviewee’s right to access interview notes Pre-employment vetting – only where particular and significant risks involved at the latest stage possible Disclose vetting procedure Retention of recruitment records: how long?

Destruction of interview notes after a period of time

21

EMPLOYMENT RECORDS

distinguish between records that include special personal information and those that do not

        

disclosure of records kept to employee access rights up-to-date and accurate security sickness and injury records pension and Provident fund schemes references third-party disclosure requests mergers and acquisitions

22

RETENTION OF EMPLOYMENT RECORDS

• records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected unless:

o required or authorised by law;

o required by a contract between the parties;

o consent;

o historical, statistical or research purposes

• once personal information has been used to make a decision about the data subject, thereafter destruction or deletion

THANK YOU PAMELA STEIN: [email protected]
