The final regulations for the Protection of Personal Information (POPI) were published in December 2018. This means that the Act is now in force. Most people only have a vague outline of what POPI means, but what exactly does it mean for Payroll and HR departments and procedures?
What is POPI?
POPI is a regulatory framework that governs the collection, storage and use of private information. As the world has become digital, information about all of us can be shared and distributed electronically far more easily. For this reason, good governance is necessary. Personal information has value for both legitimate and illegitimate purposes. Accordingly, the responsibility to secure personal information and control its use, in the controlled and prescribed manner the Act sets out, now rests with the organisation and its HR and Payroll departments.
One of the primary purposes of the POPI Act is to protect an individual's right to privacy in respect of any personal information held by an organisation such as an employer. It is now considered a right to have one's private information stored in a manner that protects it from breach.
What Payroll and HR information falls under POPI?
Essentially, anything of a personal nature falls under POPI. In all companies the following information relating to an individual as captured in the payroll or HR systems must meet regulatory requirements:
- Race / nationality / ethnic / social origin / colour
- Gender / sex
- Marital status
- Sexual orientation
- Physical or mental health / well-being / disability
- Religion / conscience / belief
In addition to the information above, any educational, medical, criminal, employment or financial information is subject to the same protection as provided in the Act. Furthermore, any identifying information such as addresses, phone numbers, online user names or email addresses must also be stored and used accordingly.
Who is covered under POPI?
Many companies are unsure as to whom and what falls under POPI. For this reason, it makes sense to highlight the three main categories that may (or may not) be managed by a payroll or HR department. The three categories of people whose information is governed by POPI are:
- Clients/Consumers – information such as buying habits, historic transactions and activity
- Suppliers – price lists, contracts and contacts
- Employees – HR information, payroll records, CVs, applications for employment, CCTV records, time and attendance details, performance reviews
How does POPI affect the Payroll Department?
This article discusses what POPI means for HR and Payroll departments. Primarily, POPI requires a company to implement measures that control the information gathered about employees in a safe and secure environment. Using your company's own in-house developed payroll solution is not necessarily going to meet the stringent requirements of the POPI Act. For this reason, Paymaster's Payroll Outsourcing solution is a good alternative, whether installed at the company or hosted in the cloud. Therefore, should an organisation's existing systems not be robust and flexible enough to meet POPI regulations, the very first way that the POPI Act might affect a payroll department is through a change to its payroll solution.
Internal procedures and records
Internal procedures and controls must be reviewed, and processes adopted by business owners, employers and payroll departments alike, so as to ensure that compliance is attained at all times and at all levels as prescribed by the Act. For example, the following procedures will need to be reviewed and/or implemented:
- Consent from Employees
- Consent from suppliers
Accurate record keeping is a further prerequisite of the POPI Act. Companies and systems must adhere to tight controls over information technology (IT) access relating to tax records. Special personal information is also governed by the POPI Act: under this section of the Act, proper measures must be taken when storing information such as political persuasion, sexual orientation, and religious or other beliefs.
In summary: the stringent regulations prescribed by the POPI Act will affect a payroll or HR department, which must ensure that its payroll systems are compliant. It makes sense, therefore, to seek professional advice from a company such as Paymaster People Solutions.
POPI Act: 8 Key conditions for a company and HR department
There are 8 key conditions that govern POPI, and any entity that processes, stores or controls personal information must comply with each of them. The 8 key conditions are:
1. Processing limitation
Personal information must be processed in accordance with the law. It must be handled in a secure and careful manner and may not intrude on the privacy of the person whose information is being processed.
2. Purpose specific
The information should be collected for a specific, properly and clearly defined purpose and for legitimate reasons. The information may not be kept for longer than is necessary to serve that purpose.
3. Further process limitation
Information may not be further processed in a way that is incompatible with the purpose for which it was originally collected.
4. Information quality
The person collecting the data must take steps to ensure that the data is complete, accurate, current and not misleading in any way.
5. Openness
Personal information may only be collected by someone who has notified the person concerned of what is required, the purpose of the collection and the reason for it. Consent must be obtained.
6. Security safeguards
Appropriate technical and organisational measures must be in place to ensure the integrity of the information and to protect it from unauthorised access.
7. Individual participation
Details of what data and information are being collected must be made available to the data subject, free of charge. The data subject must understand what data is being collected, why it is being collected, and that they have the right to request that it be discarded once it has served its initial purpose.
8. Accountability
The responsible party will be held accountable for the management and implementation of the conditions listed above.
Penalties for non-compliance
Directors of any company must take a leading role in implementing measures that ensure compliance with the POPI Act. Penalties for non-compliance are severe and can result in fines of up to R10 million, or a jail sentence of up to 10 years. To avoid non-compliance, it is recommended that professional advice be taken.
Paymaster People Solutions have the required expertise and can assist your organisation today.
Paymaster People Solutions has a team of experts on hand to assist you with and advise you on the best way to get a handle on POPI for your company.
You are welcome to email Ian Hurst for more information.