Contact

Comply or be liable for damages: How employers can ensure compliance with POPIA

Back to top

Comply or be liable for damages: How employers can ensure compliance with POPIA

The Personal Protection of Information Act 4 of 2013 (POPIA) came into effect on 1 July 2020, and responsible parties have been granted a grace period of 12 months (30 June 2021), to ensure compliance with POPIA. The nature of the civil liability created in terms of section 99(1) of the POPI Act and the restricted nature of the defences in terms of section 99(2) create significant risk for employers which may not be adequately addressed by the steps typically taken by employers to limit such risk.

28 Apr 2021 3 min read Employment Law Alert Article

At a glance

  • Employers need to comply with the eight conditions outlined in the Personal Protection of Information Act (POPIA) to ensure lawful processing of information, including accountability, processing limitation, purpose specification, and security safeguards.
  • Additional steps for compliance include appointing an Information Officer, reviewing HR policies and contracts, acquiring consent for processing personal information, and providing awareness training for employees.
  • Non-compliance with POPIA can result in criminal penalties of imprisonment and fines, as well as civil actions for damages. The limited defences available to employers in such cases do not include showing reasonable practicability of compliance.

What do employers need to do to ensure compliance with POPIA?

Employers need to ensure that they lawfully process information. This can be achieved through complying with the eight conditions in POPIA, namely:

  • Accountability: Employers need to ensure that the conditions are complied with at the time of determination of the purpose and meaning of processing and processing itself. Employers can do this by appointing a compliance officer.
  • Processing limitation: The processing of personal information must be limited to lawful processing in a reasonable manner that does not infringe the privacy of the employee.
  • Purpose specification: When collecting information, it must be for a specific, defined and lawful purpose, related to the function of the employer in the employment context. The employer must inform the applicant or the employee of the purpose of the required documents.
  • Further processing limitation: Employers require the consent of the employees to put personal information to further use, e.g. passing on information to a Medical Aid or retirement fund.
  • Information quality: An employer must take steps to ensure that the information collected from the employee is complete, accurate and continually updated where necessary.
  • Openness: An employer requesting information must ensure that the employee is aware of the information collected, the source of the information, the name and address of the responsible party, the purpose for which the information is requested and what law if any, prescribes the disclosure of information.
  • Security Safeguards: An employer must take reasonable steps to ensure that the personal information in its possession remains secure. The employer can do this through considering virus programs, back-ups and off-site storage. Should there be reasonable grounds to believe that an employee’s information has been accessed, the employer must notify the regulator and the affected employee.
  • Employee participation: An employee has the right to know what information the employer has pertaining to him / her and may request the records or description of the information the employer holds.

Further steps for employers to ensure compliance with POPIA

Employers must appoint an Information Officer.

  • Employers should review recruitment processes, HR policies and employment contracts, and include provisions on processing of personal information where necessary. Employers should also acquire consent to process personal information and special personal information in this regard.
  • Employers should establish adequate policies to ensure compliance with the 8 conditions (listed above).
  • Employers should host awareness training for employees on compliance with POPIA.

Ensuring adequate safeguards

In terms of section 19 of POPIA, employers are required to implement appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of any personal information in their possession or control. Thus, employers are required to guard against reasonably foreseeable risks in respect of non-compliance with POPIA taking measures to ensure that compliance is developed and implemented effectively.

Consequences of non-compliance

Criminal: POPIA imposes various criminal offences for non-compliance. Non-compliance with POPIA can result in imprisonment not exceeding 10 years and/or a fine not exceeding R10 million.

Civil: In terms of section 99 of POPIA, a data subject or, at the request of the data subject, the Regulator, may institute a civil action for damages in a court having jurisdiction against a responsible party for breach of POPIA.

Possible defences to be raised by an employer

Section 99(2) of the POPI Act sets out the limited defences which an employer may raise in response to a claim in terms of section 99(1). The defences include vis major, consent of the plaintiff, fault on the part of the plaintiff, compliance was not reasonably practicable in the circumstances of the particular case or the Regulator has granted an exemption in terms of section 37.

Of concern to employers will be the fact that the defences do not include circumstances in which the employer is able to show that it did all that was reasonably practicable to ensure that the employee did not breach the POPIA Act.

In conclusion, employers should comply relevant requirements of POPIA. By failing to do so, employers are at the risk of imprisonment of up to 10 years and / or fines of up to R10 million or being liable for damages.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

2 Apr 2024

by Burton Meyer, Gabriella Schafer and Dylan Greenstone

Settlement agreements: Creditors, secure your victory and don’t stop half way, debtors beware

Before a court decides on the outcome of a case, parties involved may agree to settle their dispute. However, it’s important to understand that when a settlement agreement is made an order of court, it holds the same weight and authority as any other ruling issued by acourt.  

Dispute Resolution

4 min read

30 Apr 2024

by Eugene Bester and Serisha Hariram

Considering applications for special leave to appeal

Section 17(3) of the Superior Courts Act 10 of 2013, read with section 16(1)(b), allows for persons dissatisfied with a decision of a full bench, to appeal the decision to the Supreme Court of Appeal (SCA).  

Dispute Resolution

6 min read

23 Aug 2023

by Shameegh Allen and David Thompson

Minority protections against oppressive and/or prejudicial amendments to an MOI

When considering the age-old question of which provisions should be contained in the memorandum of incorporation (MOI) and which provisions should be contained in the shareholders’ agreement (SHA), one important consideration which is often overlooked is the threshold required to amend an MOI as opposed to an SHA.

Corporate & Commercial Law

6 min read

15 Aug 2023

by Lutfiyya Kara

The process for subdivision of conventional property and agricultural land

The term “ subdivision ” means that an owner of land wants to divide the existing piece of land into two or more portions. This results in the portions created being held by separate deeds of title, commonly known as Certificates of Registered Title (CRTs), and each portion can be separately mortgaged, leased or have other rights registered over them once the certificate is issued.

Real Estate Law

4 min read

26 Mar 2024

by Richard Marcus, Katekani Mashamba and Thobeka Dhlamini

Non-compliance with court orders: When is late too late?

In Economic Freedom Fighters and Others v The Chairperson of The Powers and Privileges Committee N.O and Others (23230/2023) Zawchc 16 (30 January 2024) the court had to determine whether to condone non-compliance with a court order that would lead to a delay in finalising a matter of nationalimportance. 

Dispute Resolution

4 min read

27 Sep 2023

by Muzammil Ahmed, David Thompson and Lara Sneddon

Board committees 101

Section 72 of the Companies Act 71 of 2008 (Companies Act) empowers the appointment and operation of board committees (committees), which can play a key role in the operations of the board of directors. For example, specialist knowledge or extended time is required to deal with an important issue such as refinancing, building a new plant, or an office move.

Corporate & Commercial Law

4 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline