Thursday, May 25, 2006

Data Protection Laws Are Coming To SA – Are Employers Ready?
By Jessica Calcott
Data protection legislation for South Africa has been in the pipeline for a couple of years but many employers are unaware that the draft Protection of Personal Information Bill was published for consultation last October.  The deadline for comments has now passed and final draft legislation is anticipated later this year.
Some employers, and especially those with international offices, will be familiar with the concept of data protection because legislation already exists in many countries around the world.  Indeed, the need to conform to international norms regarding the protection of personal information is one of the drivers behind the introduction of domestic legislation in South Africa.  The European Union Data Protection Directive of 1995 prohibits the transfer of personal data regarding EU citizens to any country outside the EU unless that country can guarantee “an adequate level of protection” for that information.  As a result, the absence of comprehensive data protection legislation in South Africa is perceived to be a potential barrier to international trade and the participation of South African businesses in the global marketplace.
Data protection is an important aspect of the protection of an individual’s right to privacy.  Both the common law in South Africa and the Constitution recognise a right to privacy but that right is limited in certain circumstances and does not provide “an adequate level of protection” of personal information in terms of prevailing international standards.
When it comes into force, the new Protection of Personal Information Act will provide for comprehensive regulation of all aspects of the collection, use, disclosure, storage of and access to “personal information” (the definition of which is extremely broad).  The implications of the new Act will be extremely wide-ranging in all areas but especially in the context of employment, even before an employee is appointed.
Recruitment and selection procedures, including the giving and obtaining of references, application forms and pre-employment vetting, will all need to comply with the Act.  Employers will need to audit all records held on job applicants as well as current and former employees for compliance with the Act.  The Act will also have a bearing on the extent to which employers will be able to monitor employees’ communications and carry out medical testing.
Although, at first sight, the new obligations on employers may seem onerous, the good news is that the principles embodied in the draft legislation largely reflect common sense and existing good practice.  It may, therefore, not be unduly optimistic to assume that many employers’ practices are already compliant and that the new legislation will require only relatively minor changes to their employment contracts, policies and procedures. 
Among other things, the draft bill provides that the data subject should be informed of the purposes for which their personal information is required.  Furthermore, the information collected must be relevant to the specified purposes and may not be used in any way that is inconsistent with those purposes. 
In most cases, express consent is not necessarily required from the data subject for the processing of personal information.  However, except where certain limited exceptions apply, explicit consent from the data subject is required for the processing of special (or sensitive) personal information regarding an individual’s religious or philosophical beliefs, race, political persuasion, health, sex life, trade union membership, or criminal record.  Employers should, therefore, review their application forms and contracts of employment to ensure that some appropriate wording is included specifying the purposes for which recruitment and employment records may be kept and, where necessary, providing that the employee consents to this. 
An important new requirement in the draft bill which employers need to be aware of is that all employers will be required to notify certain details to the Information Protection Commission, the new body to be established which will be responsible for monitoring and enforcing compliance with the Act.  These details include the employer’s name and address, the purposes for which personal information may be processed, a description of the categories of data subjects, the categories of recipients to whom information may be supplied, any planned cross-border transfers of information, and a general description of the security measures in place to safeguard the confidentiality, integrity and availability of the information.  The contents of the notification will need to be carefully drafted to ensure that all potential processing of personal information by an employer is covered.
Employers can take comfort from the fact that the general principles espoused in the new legislation will, in due course, be supplemented by codes of conduct which will provide more detailed, practical guidance.  In the meantime, it is not too soon to commence a review of existing contracts, policies and procedures and employers would be well advised to familiarise themselves with the principles set out in the South African Law Reform Commission discussion paper and draft legislation, both of which are available on the internet at