Under the common law an employer may be held vicariously liable for a wrong committed by an employee during the course and scope of his or her employment. The fact that an employer has taken steps to train its employees, issued instructions and developed policies to ensure that its employees conduct themselves in a certain manner when performing their work and do not engage in certain forms of conduct, often serves as a competent defence in a claim of statutorily created vicarious liability. These steps limit the risk to the employer. However, the nature of the civil liability created in terms of section 99(1) of the POPI Act and the restricted nature of the defences in terms of section 99(2) create significant risk for employers which may not be adequately addressed by the steps typically taken by employers to limit such risk.
Section 99(1) provides that a data subject, or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court against a responsible party for breach of the POPI Act, whether or not there is intent or negligence on the part of the responsible party. Responsible party includes an employer. In terms of section 99(1) an employer may be held liable for the conduct of its employees, regardless of whether there is any willful or negligent conduct on the part of the employer.
Most employees process personal information as contemplated in the POPI Act. For example, employees employed in human resources are continuously engaged in the processing of personal and special personal information. The following HR-related processes involve the processing of personal information:
- The recruitment and selection process starting with application forms, the sorting and storing of CVs, the shortlisting process, conducting interviews, vetting and verifying of references,
- Processing payment of remuneration and recording bank account details,
- Receiving and storing of leave applications and records, sick leave and medical records,
- Monitoring performance, conducting written performance assessments, and
- Investigating possible misconduct and conducting disciplinary processes.
Many employees engage in the processing of significant volumes of varied personal information, both internal and external to a business, on a daily basis.
Measures which employers can implement to limit the risk of employees processing information in breach of the POPI Act include the implementation of internal policies relating to the processing of personal information and compliance with the conditions for lawful processing in terms of the POPI Act, as well as compulsory training sessions, workshops and awareness campaigns. Application forms for employment and employment contracts should also include consents to the processing of information.
But, as already stated, these measures may not always be sufficient to limit the risk. Section 99(2) of the POPI Act sets out the limited defences which an employer may raise in response to a claim in terms of section 99(1). The defences include vis major, consent of the plaintiff, fault on the part of the plaintiff, that compliance was not reasonably practicable in the circumstances of the particular case, or that the Regulator has granted an exemption in terms of section 37.
Of concern to employers will be the fact that the defences do not include circumstances in which the employer is able to show that it did all that was reasonably practicable to ensure that the employee did not breach the POPI Act.
While steps taken by an employer to limit the risk of a breach by one of its employees may not serve as a defence to a breach of the POPI Act by one of its employees, such steps on the part of an employer may serve to limit the quantum of the award. In terms of section 99(3) a court is empowered to award an amount that is just and equitable.
Having regard to the provisions of section 99, employers will be well advised to take steps over the next year to limit the risks created by the section, in particular by ensuring that their employees do not process information unlawfully and that they are aware of the conditions for lawful processing and act in accordance with these conditions at all times.