POPIA and Employee Data: What South African Employers Must Know
POPIA Applies to Your Staff Too
Most South African businesses focus their POPIA compliance efforts on customer-facing data, but the law applies equally to the personal information of your employees. From CVs collected during recruitment to payroll records and performance reviews, every piece of employee data is protected by the Protection of Personal Information Act.
What Employee Data is Protected?
The following categories of employee information are all classified as personal information under POPIA:
- ID numbers and passport details.
- Bank account and tax information.
- Home addresses and personal contact details.
- Medical records and disability information.
- Performance reviews and disciplinary records.
- Criminal background checks.
- Biometric data (fingerprint scans for access control or attendance).
Notably, medical records and biometric data are classified as "special personal information" under POPIA Section 26, which means they require even stricter protections and can only be processed in very limited circumstances.
Recruitment and CVs
POPIA obligations begin before someone becomes an employee. When you collect CVs and conduct interviews, you are already processing personal information. You must:
- Only collect information relevant to the role.
- Securely store and limit access to applicant data.
- Delete CVs and application data of unsuccessful candidates within a reasonable period (typically 6 to 12 months, unless you have consent to keep them longer).
Access Control and "Need to Know"
Not everyone in your business should have access to employee records. Payroll data should only be accessible to the finance team. Disciplinary records should only be accessible to HR and management. POPIA's "minimality" principle requires you to restrict access to personal information strictly to those who need it to perform their duties.
Employee Monitoring
Many employers monitor employee emails and internet usage, and some record CCTV footage of the workplace. POPIA does not outright ban monitoring, but you must:
- Inform employees that monitoring takes place.
- Explain the purpose and extent of the monitoring.
- Ensure monitoring is proportionate and not excessively intrusive.
The best practice is to include a clear monitoring disclosure in your employment contracts and internal HR policies.
Retention of Employee Records
The Basic Conditions of Employment Act requires employers to keep certain employee records for 3 years after the employment relationship ends. SARS requires payroll and tax records to be kept for 5 years. Once these statutory periods expire, you must securely destroy the data. Learn more about data retention under POPIA.
Start with Your Website
While employee data compliance extends beyond your website, ensuring your public-facing Privacy Policy is comprehensive and up to date is the first step. Use POPIA Ready to generate your legal documents today.
Get Compliant Today
Don't risk fines or reputational damage. Generate professional, POPIA-compliant legal documents for your website in 60 seconds.