Transcript SASLAW Seminar_ POPI Presentation.11.06.2013 (2)
Pamela Stein The employment contract and POPI
SASLAW SEMINAR 11 JUNE 2013
TODAY’S PRESENTATION
POPI: general overview and key terms:
Eight conditions for lawful processing of personal information:
data subject/employee rights = responsible party/employer obligations:
recruitment and selection:
employment records:
special personal information:
WHY THE NEED FOR POPI?
• Is a constitutional imperative - informational privacy balanced with other rights
• Enhances the individual’s ability to protect personal information - rights and remedies created
• Allows SA to be internationally competitive in the information age - regulation in accordance with international standards
POPI LEGISLATIVE HISTORY
• The 9th draft of the Bill was adopted by the National Assembly in September 2012.
• WW website Information Law and Data Protection page under "Useful Links" on the right hand side: http://www.webberwentzel.com/wwb/content/en/ww/information-law
• Now --- NCOP --- National Assembly --- now imminent
• Once enacted, period of 1 year (or 3 if Minister extends) to get house in order with information that is being processed at the time of the Act
• EU: History and recent developments
WHAT POPI REGULATES
• Regulates every aspect of the processing of personal information from its collection to its destruction
• POPI regulates any processing of personal information of a data subject by the responsible party or operator
• So once POPI is in force, it will regulate all processing of personal information of a responsible party’s employees
PERSONAL INFORMATION
• Personal Information means information relating to an identifiable, living natural person, and where applicable juristic person, including:
o information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person
o education or the medical, criminal, employment or financial history of a person
o identifying number, email address, telephone and physical address, location info, online identifier
o biometric information
o personal opinions, views or preferences of the data subject
o explicitly or implicitly private or confidential correspondence
o views of others about that person
o name if name would reveal information about the person
KEY DEFINITIONS
• “Processing” means collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as restriction, erasure or destruction of information
• “Special Personal Information” means data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, biometric information, criminal behaviour – alleged commission by data subject of an offence or any proceedings in respect of this offence
KEY DEFINITIONS
• “Responsible party” - public or private body which alone or in conjunction with others determines the purpose of and means for processing personal information
• “Operator” - person who processes PI for responsible party in terms of contract or mandate
• “Information Officer” – is the CEO or equivalent officer or any person duly authorised by that officer. Every responsible party must appoint an information officer to ensure compliance by the responsible party with provisions of the Act, and the officer must be registered with the Regulator
LAWFUL PROCESSING
The heart of POPI
Lawful processing must comply with eight data protection conditions
Making POPI Accessible to all: Sections 4 and 5 of POPI
Proactive approach: Data protection by design
APPLICATION OF POPI
Overview of application
Applies to processing of PI
of data subject
entered into a record by or for responsible party
who is domiciled in the Republic or, where not domiciled in the Republic, makes use of automated or non-automated means to process PI in the Republic (unless used solely to forward PI through the Republic)
irrelevant where data subject is domiciled – domicile of responsible party is key
Data subjects include natural and juristic persons, e.g. employees, customers, clients, suppliers, contractors
If other legislation contains more extensive provisions regarding the lawful processing of PI, that legislation will prevail; otherwise POPI applies
DATA PROTECTION CONDITIONS
Condition 1: Accountability
Condition 2: Processing limitation
Condition 3: Purpose Specification
Condition 4: Further Processing Limitation
Condition 5: Information quality
Condition 6: Openness
Condition 7: Security Safeguards
Condition 8: Data subject participation
CONDITION 1: ACCOUNTABILITY
Responsible party to ensure conditions for lawful processing
CONDITION 2: PROCESSING LIMITATION
Lawfulness of processing
Minimality
Consent, justification and objection
Collection directly from data subject
CONDITION 3: PURPOSE SPECIFICATION
Collection for specific purpose
Retention and restriction of records
CONDITION 4: FURTHER PROCESSING LIMITATION
Further processing to be compatible with purpose of collection
CONDITION 5: INFORMATION QUALITY
Quality of information
CONDITION 6: OPENNESS
Documentation
Notification to data subject when collecting personal information
CONDITION 7: SECURITY SAFEGUARDS
Security measures on integrity of personal information
Information processed by operator or person acting under authority
Security measures regarding information processed by operator
Notification of security compromises
CONDITION 8: DATA SUBJECT PARTICIPATION
Access to personal information
Correction of personal information
Manner of access
DATA SUBJECT/EMPLOYEE RIGHTS
• the right to have personal information lawfully processed
• notification of processing and unlawful access
• access rights
• right to correction, destruction or deletion
• right to object to the processing
• not to be subject to a decision which is based solely on the automated processing of personal information
• right to complain to the Regulator and institute civil proceedings regarding interference with its personal information
RESPONSIBLE PARTY/EMPLOYER’S OBLIGATIONS
Must comply with all the conditions for lawful processing of employee’s PI:
Accountability, as referred to in section 8;
Processing limitation as referred to in sections 9 to 12;
Purpose specification as referred to in sections 13 and 14;
Further processing limitation as referred to in section 15;
Information quality as referred to in section 16;
Openness as referred to in sections 17 and 18;
Security safeguards as referred to in sections 19 to 22; and
Data subject participation as referred to in sections 23 to 25.
PROCESSING OF SPECIAL PERSONAL INFORMATION
• Special Personal Information = religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sexual life, biometric information, criminal behaviour
• Prohibition on processing special personal information UNLESS there is:
o CONSENT; or
o Processing is necessary for the establishment, exercise or defence of a right or obligation in law
• Cannot disclose any special personal info without consent
AUTHORISATION FOR PROCESSING SPECIAL PERSONAL INFO
data subject’s
religious or philosophical beliefs
race or ethnic origin
trade union membership
political persuasion
health or sex life
criminal behaviour
RECRUITMENT
advertising
who is receiving the information
specify the purpose of the information
only relevant personal information = recruitment decision
criminal convictions? Only if relevant to the job offered
collection of information from other sources? Disclose
collection of special personal information? Ensure that it is relevant and that all conditions necessary satisfied
provide a secure method for sending applications
VERIFICATION OF DATA
• Explain that verification will take place
• Use credible 3rd party verification agencies
• Consent for disclosure from 3rd parties
• Facebook?
• Provide applicant with an opportunity to make representations on any of the checks should discrepancies arise
SHORTLISTING AND SELECTION
Automated shortlisting? Appeal?
Interviewee’s right to access interview notes
Pre-employment vetting – only where particular and significant risks involved, at the latest stage possible
Disclose vetting procedure
Retention of recruitment records: how long?
Destruction of interview notes after a period of time
EMPLOYMENT RECORDS
distinguish between records that include special personal information and those that do not
disclosure of records kept to employee
access rights
up-to-date and accurate
security
sickness and injury records
pension and Provident fund schemes
references
third-party disclosure requests
mergers and acquisitions
RETENTION OF EMPLOYMENT RECORDS
• records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected unless –
o required or authorised by law;
o required by a contract between the parties
o consent
o historical, statistical or research purposes
o personal information has been used to make a decision about the data subject
• thereafter destruction or deletion
THANK YOU
PAMELA STEIN