POPIA: What employers need to know

The Protection of Personal Information Act 4 of 2013 (POPIA), which came into force on 1 July 2020, places several obligations on employers in terms of managing employees' personal information. It also gives certain rights to privacy to employees.

Employers need to be fully complaint with POPIA by 30 June 2021 or you can face significant penalties: up to 10 years' imprisonment or R10-million in administrative fines.

We set out below the key things you ought to know as an employer.

Employers must bear in mind that many employees process high volumes of personal information both internally and externally. A good example of this in practice is the human resources function of any employer.

POPIA applies to personal information and special personal information that is subject to processing or further processing. Processing includes such things as initially obtaining personal information, and using and retaining that information, as well as who has access to, makes disclosures about, and finally disposes of that information.

For a worker, POPIA applies to:

information such as identity numbers, contact details, employment history, psychometric assessment results, references, qualifications, disciplinary records, union membership, grievances, health and biometric information; and
the life cycle of the employment relationship from recruitment to post-termination, and continues to apply for five years after the relationship has ended (and still applies where the employer is approached as a reference).

Employers must ensure that they lawfully process the personal information of job applicants, employees, retired employees and dismissed employees. If employers process the personal information of independent contractors and other service providers, they must also ensure that they process that lawfully. You must comply with eight conditions:

  1. Accountability
  2. Processing limitations
  3. Purpose specifications
  4. Further processing limitation
  5. Information quality
  6. Openness
  7. Security safeguards
  8. Data subject participation


POPIA prohibits the processing of special personal information, which includes information on race, health, criminal behaviour and trade union membership, unless:

  • an employer obtains express consent to do so from the relevant employee,
  • the information is required by law – (a legal necessity),
  • the information is for historical, statistical or research purposes, or
  • the information was deliberately made public by the data subject.

Civil claims against employers

Section 99(1) of POPIA provides that a data subject or the Regulator (at the request of the data subject) may institute a civil action for damages against a responsible party for breach of POPIA. Action may be instituted irrespective of whether or not there is intent or negligence on the part of the "responsible party". "Responsible party" includes employers.

Employers must bear in mind that many employees process high volumes of personal information both internally and externally. A good example of this in practice is the human resources function of any employer.

Employers will need to ensure that they follow the steps listed above to limit the risk of employees processing information unlawfully and in contravention of POPIA.

Employers should bear this section in mind as it creates significant legal risk for employers if employees do not process information lawfully and in compliance with POPIA.

By: Kirsten Eiser, partner, and Shane Johnson, professional support lawyer at Webber Wentzel

This infographic unpacks POPIA and outlines what you may need to know at a glance.