The Protection of Personal Information Bill (the Bill), which deals with data privacy and information protection, is expected to become law later this year. This Bill has significant implications for South African business.
The object of the Bill is to give effect to the constitutional right to privacy in a way that balances the other rights contained in the Bill of Rights by protecting a person's personal information when it is processed by public and private bodies, subject to reasonable limitations.
The Bill defines 'Personal Information' as including information about an identifiable, natural person, and where applicable, an identifiable, juristic person, relating to a person's race, gender, sex, financial status and the like.
The Bill incorporates eight principles relating to the protection of data:
- The first principle deals with processing limitations. Personal Information may only be processed in line with the law and in a way that does not intrude on the privacy of persons.
- The second principle focuses on the purpose for which Personal Information is collected.
- The third principle is aimed at limiting the use of Personal Information to the purpose for which it was collected.
- Principle four requires that Personal Information be kept complete and up to date, and that it not be misleading.
- The Information Protection Commission (the Commission) is to be created and will, in terms of Principle five, require an employer to notify the Commission that it has collected Personal Information of its employees.
- Through principle six, the Bill requires employers to take the necessary measures to ensure that Personal Information is protected from loss, damage and destruction by identifying possible threats and implementing safeguards to protect against such threats.
- Employers now have an obligation in terms of principle seven to inform employees about other parties who have accessed their information and employees have the right to correct their Personal Information.
- Finally, principle eight places a measure of accountability on employers' shoulders by ensuring that the provisions of the Bill are complied with.
- Employers will be obliged to treat Personal Information as confidential and they may not process such information without the consent of the employee concerned. Where an employer has compromised the security and safekeeping of an employee's Personal Information, the employer is now under an obligation to immediately alert the Commission and the employee in writing within a reasonable time.
Banking institutions that publish the names of employees dismissed for misconduct may run into some difficulty with this practice because the Bill requires employers to obtain the consent of an employee before publishing Personal Information. Employers are further placed under an obligation to notify employees of the purpose of processing Personal Information and that the employer will not use this information for further processing, unless such information is obtained from a public record.
Where an employee has been involved in criminal behaviour or unlawful or objectionable conduct connected with a ban imposed with regard to such conduct, the employer may process the information where it will be used for assessing the employee in order to make a decision about them.
Notwithstanding these limitations, employers may take some comfort in knowing that the general principles of the Bill will, in due course, be supplemented by codes of conduct which will provide more detailed and practical guidelines on how to use Personal Information. However, it is clear that in terms of this Bill employers should now take a closer look at their policies and procedures.
Senior Associate, Employment