POPI and Human Resources
The bulk of personal information in a particular business is often found in Human Resources (HR) departments. Yet, HR departments are often overlooked in the compliance exercise – partly because employee personal information is seen as less important and risky than customer personal information and because of the enormity of the task.
This article from the Consumer Law Review offers valuable guidelines and important information regarding POPI compliance by the HR Department in your business.
Read the full article below, but remember to subscribe to this informative newsletter here – it’s free!
The bulk of personal information in a particular business is often found in Human Resources (HR) departments. In addition to the volume of the information, it is of a very sensitive nature (like medical and financial information). Yet, HR departments are often overlooked in the compliance exercise – partly because employee personal information is seen as less important and risky than customer personal information and because of the enormity of the task. However, a breach of employee personal information can be just as expensive and embarrassing for an organisation.
* In addition to the harm that the employee can suffer, employee data breaches (particularly when username and passwords are compromised) can lead to further access to confidential information.
In the course of a couple of compliance programmes the following has become clear:
- HR over-collects information. Forms often ask for information that HR already has. This is problematic because each copy of the information has to be protected. Sometimes this is easy to remedy by just amending the forms and making sure that information is pulled through to different HR areas and systems.
- Often HR departments still rely on paper files as their primary records despite having sophisticated systems. This is important, because generally speaking paper files are much harder to secure than electronic information. Ask yourself why a system is not being used? Do people have the right access? Does the system have the right functionality? Have people received enough training on how to use the system?
- POPI compliance is impossible if HR does not have proper records management. What do we mean by that? Do you have a list of all the types of information and documents HR collects? Are there policies and procedures on how and for how long different types of records must be retained and how they must be destroyed?
- POPI compliance in HR often leads to other operational wins. It leads to improvements to existing procedures and increases efficiency. It reduces the amount of paper that is retained (storage costs money!). It gives momentum to becoming paperless. It ensures that existing systems are used to their full potential. This can help compliance officers to motivate why spending money on POPI in the HR department is worthwhile for any business.
Wondering where to start? The UK Information Commissioner’s Office has drafted The employment practices code. It contains good practice recommendations on a very wide range of topics relating to the processing of employee personal information. The UK legislation is very similar to POPI but it is not 100% identical (it comes very close), but the practice code can be used for guidance.
*Recent examples include breaches of employee personal information at Sony, Morrisons (a large UK retailer) and the United States Office of Personnel Management. See this article on the International Association of Privacy Professionals’ website.
Elizabeth de Stadler is the editor of the Consumer Law Review and a senior associate at Esselaar Attorneys in Long Street in Cape Town (http://www.esselaar.co.za). The firm specialises in consumer law. She is also a founding director of Novation Consulting (www.novcon.co.za or @NovConSA), a company which specialises in providing regulatory compliance solutions and designing innovative and effective ways to communicate ‘legal’ documents to consumers. Her book, Consumer Law Unlocked (Siber Ink), was published recently. She is the author of a consumer law textbook and a guide to plain language legal drafting, both of which are to be published by Juta Law. She is also the co-author of chapters on the Consumer Protection Act in The Law of Contract in South Africa and The Law of Commerce in South Africa (Oxford University Press).
Look Elizabeth up on our website as one of our subject matter experts.