Beware of “Catch All” Clauses in Staff Employment Agreements
2020 has given rise to many challenges for Employers. The Protection of Personal Information Act 4 of 2013 (“POPIA”) poses yet another challenge. Employers have a grace period of one year from the 1st of July 2020 within which to ensure their compliance with POPIA. In addition to numerous other compliance requirements, the Act necessitates a review of the personal -and special personal information of employees held by Employers, and by consequence, a review of all employment agreements with current and new employees.
POPIA distinguishes between the collection, storage and processing of personal information and special personal information. Special personal information includes, for example, an employee’s race or ethnic origin, health or sex life, religious or philosophical beliefs and trade union membership. Securing an employee’s consent is one of the bases on which an Employer can lawfully process both the general and special personal information of its employees.
It is crucial for Employers to understand the meaning and interpretation of consent within the context of POPIA. While employers may hope for a “quick fix” to ensure compliance by including a broad, “catch all” consent in employees’ contracts of employment, it may not prove to be adequate in every instance. A general consent may be sufficient to cover some of the personal information that will be processed during the course of an employee’s employment. However, Employers should be aware of the risks associated with relying on blanket consents in every instance.
Section 1 of POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission if given for the processing of personal information”. Written consent is not expressly required. However, it will be for the Employer, in its capacity as the Responsible Party, to show that it has secured an employee’s consent where it is relying on consent. In this instance it is advisable for employees’ written consent to be secured. The requirement that consent be “voluntary, specific and informed” means that employees should not be coerced or obligated to provide consent. Employees should also be sufficiently aware of the processing of their personal and/or special personal information, given the requirement that the consent should be “informed.”
The Information Regulator has yet to give guidance on the interpretation of consent in terms of POPIA. It will, in all likelihood, be similar to the conditions of the EU’s General Data Protection Regulation. Regardless of likely amendments to the definition, obtaining consent from employees to process their personal information is non-negotiable in terms of POPIA.
Both our downloadable CelaPOPI Toolkits, develop by the senior legal and compliance advisors of the Celagenix® Group, include Employee Consent and Confidentiality Clauses that can be used by Employers to ensure compliance with the consent requirement explained in this post. Most important in this regard is for the Employer’s designated Information Officer (or Deputy Information Officer/s, if applicable) to determine whether the Clause can be used as is (e.g. where general personal information of employees are processed), or whether it requires further adaptation (e.g. where special personal information of employees are processed).
