South Africa 'woke up' to POPIA (the Protection of Personal Information Act) in a big way on 1 July 2021 - mostly because of the many, many emails and social media messages that did the rounds that day, claiming that this new law requires consent for direct marketing or to be part of a WhatsApp / Facebook group, and that a failure to unsubscribe will imply that such consent has been given going forward.
Well, not quite. POPIA is quite specific and strict when it comes to the issue of consent (in general) and consent for direct marketing (specifically). Whilst the Act does not apply retrospectively, the continuous processing of personal information obtained historically is subject to the Act and its enforcement provisions as from 1 July 2021.
However, POPIA does not apply to all activities and communications involving personal information.
The Labour Court, in a recent case, has confirmed that dismissing an employee who came to work knowing that he had been exposed to the virus was fair in the circumstances of this case.
The facts in Eskort Limited v Stuurman Mogotsi and Others (JR1644/20)  ZALCJHB 53, were that the employee (Mogotsi) was an assistant manager and a member of the in-house “Coronavirus Site Committee” at work - which, amongst other things, was tasked with informing employees about the risks of COVID-19, what symptoms to look out for and what to do in the event of exposure.
Mogotsi usually travelled to and from work with a colleague. The colleague started feeling unwell, was booked off from work and subsequently tested positive for COVID-19. Mogotsi also started experiencing symptoms associated with COVID-19. Despite being booked off and his employer advising him to stay at home, he persisted in coming to work. During the period when he was awaiting the...
Although data breaches are nothing new, this topic has received more focus recently with stricter data protection laws and regulations. It is more important than ever that organisations prepare for such an occurrence and have formal procedures and protocols in place to deal with the fallout. Here are some pointers and reminders of aspects to think about.
What is a data breach or security compromise?
In terms of the Protection of Personal Information Act (POPIA), this is not defined. Under the new Cyber Crimes Bill, there are descriptions of types of actions that would constitute criminal offences. However, for the purposes of being prepared, this could entail any type of data breach or security compromise (digital or physical) that would expose the organisation to potential risk.
Apart from the obvious things around cyber security such as hacking, malware, ransomware attacks, etc. we also need to consider other vulnerabilities in the protection of the (personal)...
The Labour Appeal Court confirmed a number of important principles around misconduct and workplace discipline in the case of Pick ’n Pay Retailers (Pty) Ltd v JAMAFO obo Maluleke and others (2020) 29 LAC.
The employee was a trainer of cashiers. She and a colleague were gifted boxes of chocolates by a customer of the store, which she did not declare and then attempted to exchange for cash. In doing so, she breached a number of company protocols and policies (which she had been well aware of as the trainer) and when she could not succeed, tried to reverse the transactions to try and cover up her activities - involving names and passwords of other employees. She was dismissed by the company on the basis of breaching company policies and attempted fraud, despite her service of 24 years and clean disciplinary record.
The employee did not deny what she had done, but tried to justify her actions by saying that she had not wanted to siphon money from the store, but just...
An employee is pushing the boundaries. You get complaints about performance and client service. You call him/her in, express your discontent and tell them to do better. This happens a few times, but you just do not get around to formalising these little chats (who has the time, and who needs the conflict?). Then something happens that gets the attention of senior management / the Board / social media... and all eyes are on you to address this issue once and for all. What do you do?
Famously, in our experience, a disciplinary hearing is called. This latest incident is taken and dissected to see how many of the boxes in the company's disciplinary code can be ticked in order to formulate as many charges as possible from this one incident - because this was now the last straw and the pressure is on to dismiss the employee.
So, the bulked-up disciplinary charges for the hearing include added charges like dereliction of duties; bringing the company's name into disrepute; and...
Employers and recruitment agencies as a general practice ask for a job applicant’s current (or past) payslip when they apply for a new position. This has always been a contentious issue, but most job applicants disclose it if a prospective employer insists upon it, for fear of being side-lined if they challenge this request.
With the advent of POPIA, it seems that the shoe will be on the other foot, since such information constitutes personal information and at a minimum, the eight conditions for lawful processing must be complied with by the employer as the responsible party if it wishes to collect and use this information of a job applicant as the data subject.
The eight processing principles / conditions include –
In South Africa, the Information Officer (IO) is the person within an organisation (as the responsible party) who is responsible for compliance with PAIA (Promotion of Access to Information Act) and now also POPIA.
Who is the Information Officer?
This position is automatically assigned to the head of the organisation (such as the CEO, or a partner, or a sole proprietor in the private sector), who will be the Information Officer by default. There is however provision for designating and officially appointing someone in this position and for the appointment of Deputy Information Officers to whom such powers and responsibilities can be delegated. The accountability however will remain with the head of the organisation, regardless of a delegation of responsibilities.
It is also interesting to note that, different from the GDPR, POPIA does not make provision for the outsourcing of this position – i.e. appointing or contracting an external Information Officer. The position of...
Many organisations use agencies / consultants / service providers for a range of activities – which in all likelihood include the processing of personal information and/or special personal information. Think about recruitment agencies, IT service providers, security providers, payroll management, marketing agencies, external auditors – to name just a few. These would, for the purposes of POPIA, be regarded as third-party operators and YOU have to ensure that they comply with the Act when they process personal information on your behalf.
The Responsible Party under POPIA is a public or private body or any other person who, alone or in conjunction with others, determines the purpose of and means for the processing of personal information in their possession.
An Operator is the person (or entity) doing the actual processing.
The responsibilities, rights and obligations of operators are not the same as those of responsible parties. However, the distinction...
There is a disturbing trend that seems to be raising its head in workplaces these days – employees who are called to meetings by their managers (or HR) and then simply... well... refuse to attend. Or demanding a detailed agenda for the meeting before considering whether to attend. Or objecting to other attendees to the meeting. Or...
Not to put too fine a point on it, but this would typically be justified by some perceived infringement of their rights, should they attend said meeting – and hence pre-empting and avoiding the expected unfair treatment by not attending. This especially happens when the subject matter pertains to matters about the employee personally – such as performance or conduct issues.
A recent example of such a scenario was the matter of Gold One Limited v Madalani and Others (JR 1109/15)  ZALCJHB 180 (9 September 2020), where the employee went so far as to resign and claim constructive dismissal,...