You probably ensured POPIA was covered for your clients, but what about protecting personal information of employees?
POPIA has been a buzzword for a number of months, and businesses have been inundated with information on how to ensure they are compliant by the deadline. Much of this information has been centred on how to implement the proper processes that comply with the legislative requirements and protect all personal information of your clients. In all the chaos of implementing these processes, it is important to ensure that you have not forgotten about handling your employees' personal information in line with legislative requirements too.
If you have not yet done this, this article will make it super simple for you to ensure you can get this done ASAP in just 5 easy steps!
Before we start, let’s just remember the purpose of POPIA: The purpose of the POPI Act (Act 4 of 2013) is to protect a data subject’s personal information and regulate the way it is processed. Importantly, a responsible party may only use the personal information for its intended purpose, and protect the integrity and confidentiality of such information by implementing key processes and measures company-wide. The POPI Act applies to anyone who processes any type of records that contain personal information and defines the minimum requirements for the processing of such personal information.
Important words to understand:
- What is defined as ‘processing’? Any activity or any set of operations concerning personal information. Examples include collection, receipt, recording, organisation, updating and dissemination.
- What is ‘personal information’? Personal information is any information relating to an identifiable individual. This includes not only obvious data like names, contact details, identity numbers, location, images, bank details, gender and age, but also less obvious items like online identifiers (such as IP addresses).
We hope that by now you know all of this already, but just as this applies to your clients, it applies to your employees, since you collect data from them in the same way you would for clients. So how do you protect your employees' personal information?
1. Consent is Key
It is important that you notify your employees of what information that pertains to them you have access to and what you need it for. For example, you would collect their full names and ID numbers and addresses to create their contracts, their banking details to pay their salaries and their cell phone numbers so you can contact them if they are not at work.
You also need to think about what other information you would obtain from them that might be a little out of the ordinary. For example, do you get their children’s names and birth dates from your employees so you can send birthday messages to them?
Once you have identified all the types of data you collect from your employees, you need to get their written consent to allow you to process their information in the way you have explained you will. Your current employees should each sign a consent form to this effect, and you need to ensure that you put a POPIA consent clause into your employment contracts so you do not need to get future employees to sign an additional form.
2. Ponder your Partners
Do you have any partners with whom you work that would need access to your employee information? For example, do you have an outsourced HR team (like us at Ferva) that would need your employees’ personal information? Do you work with IT professionals or software developers who run your systems and need your employee information to create login details for them? Do you outsource the payroll function, whereby you would have to provide employee banking details and personal information to another company so that they can process your payroll for you? Take time to think about where exactly you are sending your employee information and keep the following in mind: you need to ensure you have your employees’ consent to do so, and hence this should be included in the consent form and employment contracts going forward too. Over and above this, it is your responsibility to ensure that your partners are POPIA compliant when it comes to processing your employees’ information, so do not forget to sign an agreement with them along these lines! This would take the form of an ‘Operator Agreement’, where you as a business engage the Operator for services which may require the Operator to process the personal information of your employees, and the Operator commits to protect that information.
3. Security Measures are Not Just for Clients
Don’t forget that you need to protect the data you obtain from your employees, just as you have to do so for your clients. You need to store their data in a safe and secure place and limit access to that data wherever possible. For example, ensure that hard copy contracts are locked away with limited access, that digital copies are saved on servers with access granted only to specified approved people, and that spreadsheets containing employee information are password protected before they are sent out, in case they land up in the wrong hands.
4. Policies Protect People
It is important that you implement a POPIA policy within your organisation and that it is uploaded to a place where all employees can access it. Your policy should cover aspects like what personal information is processed and by whom, how it is protected, how to address information breaches and what happens if the rules are not followed. The policy should be broken down into training material and all your employees should receive POPIA training so that they understand what their own obligation is in relation to the policies, and how to protect your clients’ personal information. Remember, your employees are the ones on the ‘front lines’ so to speak – they are the ones obtaining the information from your clients and engaging with them so they need to know how to approach this with your clients, especially if a client asks them how your organisation is POPIA compliant.
5. Recruitment Counts, Too
If you are doing your own internal recruitment, you are, in effect, processing personal information of potential applicants. This is important and relevant to internal employees because one day soon after the selection process they might be an internal employee too, and ensuring that from day 1 you protect their information will go a long way in building a relationship with them. As such, there are a number of things you should do to let them know you are POPIA compliant. These include putting a disclaimer on any recruitment adverts that you post which tells them that by applying for the role they are consenting to you processing their information, and ensuring that you protect their data once you collect it in the same way you would do so for your clients. It is recommended that you create a POPIA policy for recruitment that you can share with potential candidates, which outlines exactly what you do with their information, who you share it with, how you share it and so forth. This is especially helpful if you have a group of companies and tend to share information across these.
With these 5 easy steps outlined, you should have a better understanding of the key things that you need to do from an employee POPIA perspective. We hope that this short guide has allayed your fears and enables you to get this across the line quickly and effectively!