Khanyitas

POPIA for HR: How South African Employers Should Handle Employee Personal Information

23 May 2026 · HR managers and small business employers

The Protection of Personal Information Act (POPIA) does not stop at your customer database. It extends to every piece of personal information your business holds about its employees — from ID numbers and payslips to disciplinary records and medical details. For HR managers and small business employers, understanding how POPIA applies to the employment relationship is an essential part of running a compliant operation.

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including HR policies, employment contracts, and data-processing practices — consult a qualified attorney.

---

What Counts as Employee Personal Information?

Under POPIA, personal information is broadly defined as any information that can identify a living natural person (or an identifiable juristic person). In the HR context, this includes:

Several of these categories — health information, biometric data, and trade union membership — qualify as special personal information under POPIA. The Act imposes a general prohibition on processing special personal information, and processing is only permitted in limited, specific circumstances.

---

The Eight Conditions for Lawful Processing

POPIA's eight conditions for lawful processing (s8) apply to every instance of processing employee data — collecting it, storing it, sharing it with a payroll bureau, or deleting it. In practical HR terms the most relevant conditions are:

1. Processing must have a lawful basis (s11). For employees, the most common bases are that processing is necessary to perform the employment contract, that the employee has given consent, or that processing is required to comply with a legal obligation (for example, SARS reporting requirements). Consent in an employment relationship deserves special care: because of the inherent power imbalance, freely given consent can be difficult to establish. Where another lawful basis exists — such as contractual necessity — it is generally preferable to rely on that.

2. Collect only for a specific, defined purpose (s13). POPIA requires that personal information be collected for a specific, explicitly defined, and lawful purpose. Collecting an employee's medical history "just in case" when it is not relevant to the role would sit uncomfortably with this condition.

3. Limit retention (s14). Records may only be kept for as long as is necessary for the purpose for which they were collected, or as required by law. Once an employee leaves and the legally required retention period has passed, their records should be securely deleted or de-identified. Note that other legislation — such as the Basic Conditions of Employment Act and SARS requirements — may prescribe minimum retention periods; POPIA does not override those obligations.

4. Notify employees when collecting their information (s18). When you collect personal information from an employee (or about them from a third party, such as a reference check), POPIA generally requires you to notify them of: the identity of the responsible party, the purpose of collection, whether supply is voluntary or mandatory, and their rights of access and correction.

5. Implement reasonable security safeguards (s19). HR files — whether physical or digital — must be protected against unauthorised access, loss, or damage. Reasonable measures include access controls on HR systems, locked physical filing, and staff awareness training.

6. Respect the right of access and correction (s23, s24). Employees have the right to request access to their own personal information held by the employer, and to request correction of inaccurate data. A clear internal process for handling these requests is good practice.

---

Special Personal Information: Handle with Extra Care

Health and medical information about employees is special personal information. POPIA imposes a general prohibition on processing it (s26). Limited authorisations exist (s27) — for example, where processing is necessary to comply with an obligation of international public law, or where the employee has given explicit consent. Practically, this means:

---

Transfers of Employee Data Outside South Africa

If your business uses a cloud-based HR or payroll system whose servers are located outside South Africa, or if you share employee data with a foreign parent company or outsourced processor, POPIA's cross-border transfer provisions are relevant (s72). The Act generally requires that the recipient country provides an adequate level of protection, or that one of the listed alternative safeguards applies. Review your contracts with any offshore processors against this requirement.

---

The Information Officer's Role

Every private body that processes personal information must designate an Information Officer (s55). In a small business the owner or a senior manager typically fills this role. The Information Officer is responsible for ensuring the organisation complies with POPIA — including in the HR function — and for handling requests from employees and the Information Regulator. Registration of the Information Officer with the Information Regulator is required. Guidance on registration is available at inforegulator.org.za.

---

Breach Notification

If HR records are compromised — for example, a payroll file is sent to the wrong recipient, or an HR system is accessed without authorisation — POPIA's breach-notification requirements (s22) are triggered. The Information Regulator and, where the breach poses a serious risk, the affected employees must be notified as soon as reasonably possible.

---

Practical Steps for HR Compliance

  1. Audit what you collect. Map every category of employee personal information your business holds, why you hold it, and who has access.
  2. Review your employment contracts and HR policies. Ensure they reflect a lawful basis for each processing activity and include appropriate notification.
  3. Establish a retention schedule. Know how long each category of record must — and may — be kept, and implement a secure deletion process.
  4. Secure your HR data. Apply access controls, encrypt sensitive files, and train anyone with access to HR records.
  5. Create a process for employee requests. Employees have the right to access and correct their data; a documented process makes compliance easier.
  6. Designate and register your Information Officer. If you have not done so, this is a foundational step.

---

> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. The steps and considerations described here cannot substitute for professional legal advice tailored to your business and workforce. Consult a qualified attorney before implementing or changing HR data-processing practices.