PaySpace is 100% POPI compliant
The company has gone beyond the requirement to take reasonable technical and operational steps to secure its computing environment, says Warren van Wyk, director of PaySpace.
After many years of discussion, the Protection of Personal Information Act (POPI) has been signed into law by the president of South Africa, and was gazetted on 26 November 2013. The country is awaiting the official announcement of the effective date of the new law. "Responsible parties" have one year to implement it and to ensure their employees' information is secure, and those who don't will face steep penalties.
Warren van Wyk, Director of PaySpace, says: "As a client of PaySpace and due to the cloud-based nature of PaySpace, the POPI Act has obligations on both the 'responsible party' being you, the client, as well as the 'operator' of the personal information, being PaySpace, who processes and stores the information on behalf of the responsible party. The good news is, as the operator, PaySpace complies with the POPI Act 100% in that our primary obligation is to take reasonable technical and operational steps to secure our computing environment. We have gone beyond reasonable steps, all of which are detailed on our security overview page on our Web site. As per our standard terms and conditions, we also undertake to never sell or share any information with any other company, user and/or third party unless obliged to do so by law."
The POPI Act specifies eight conditions that must all be complied with for any processing, administration or dissemination to be legally compliant, namely: accountability (of the employer), processing limitations (various criteria for legal processing), purpose specific (the data must be held for a purpose), further processing limitation (data can only be used for its purpose and not beyond that), information quality (the data must be accurate), openness (individual must be informed, processes must be transparent), security safeguards (reasonable steps to keep the information secure must be taken) and data subject participation (individual can request/discuss information with employer).
Van Wyk says: "With regard to processing limitations, while all the other conditions must be met, the personal information held and processed by a payroll and HR system, such as PaySpace, is in compliance with the POPI Act if the employee consents to his information being processed; the processing is necessary for the performance of a contract; the processing is required by law such as tax and labour laws; and the processing protects a 'legitimate interest' of the employee, including training history, career history and so forth. In instances where the processing is necessary for the performance of a contract, the contract must detail tasks, working conditions, pay, performance and benefits. The 'processing required by law' makes it clear that the processing of any personal information by the employer that is necessary to enable the employer to be able to comply with any of the employment laws, will not be an infringement."
The POPI Act seeks to safeguard the integrity of sensitive personal data, and as such, employers must list the data kept (payroll/HR system fields) and clearly specify why the employer needs the data - ie, SARS requirement, Stats SA, company stats, EE reports, etc.
Get permission or consent from the employee to store their personal information as requested (typically through their employment contract) - where the data will be stored (ie, Metrofile, HR system, hard copies); how often and how the information will be updated (ie, manual forms, employee self-service, once a year, etc); what happens to historical information after the employee leaves the company (ie, SARS-related information for five years, etc).
Get permission or consent from the employee to supply information to a third party - where payroll has to submit, for example, information to medical, pension, provident schemes or to any other financial institution, there should be some contract in place which covers the confidentiality and movement of data. Employers must identify these third parties for audit purposes (SARS, Department of Labour, time and attendance vendor, life and disability administrators, medical scheme administrators, etc). Agreements must be put in place to ensure integrity and secure data protocols.
Get permission or consent from the external third party who submits employee information to the employer or payroll vendor - employers who receive data from external parties for payroll input (time and attendance or deductions) have to know from which vendor it is received, know what is in the file and keep backups thereof.
Van Wyk adds: "If the personal information is processed with the knowledge of the employee, is linked to a reasonable purpose (tax and labour law requirements) and it is carefully managed, the processing of the data will be legal. To put it another way, personal information can be processed if it is adequate, relevant and not excessive. PaySpace serves as the 'operator' of personal information and as such cannot confirm work and salary confirmations, banking details confirmations and work references for any third party. The third party must contact the employer directly for this information."
PaySpace is a product brand of the Insight IT Group. The company was established in 2000 in Johannesburg, South Africa and has grown PaySpace into a leader in online payroll and HR solutions, and now a leader in the African space.
PaySpace is a product with a culture of constant innovation, efficiency, ease of use and friendly, professional support. With thousands of clients and decades of experience in the industry across various types of payroll and HR environments, the founders have built a benchmark product that services organisations, regardless of size, by allowing them to conduct business more dynamically and more intelligently than ever before, while giving access to relevant and valuable information at any time, anywhere and with significantly less burden than legacy payroll and HR systems.