POPIA-compliant recruiting: what you need to know

As of 1st July 2021, all South African organisations needed to be fully POPIA (Protection of Personal Information Act) compliant. What does this mean for recruitment and HR?

Do you collect personal information?

First, let’s look at the definition of personal information.

"personal information” means information relating to an identifiable, living, natural persons (or juristic persons in certain cases)

This includes race, gender, national origin, physical or mental health, disability, language, education, criminal or employment history, any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, biometric information, the views or opinions of another individual about the person, or the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

This type of data is routinely collected during the recruitment process and stored by HR teams.

What does POPIA require?

POPIA is legislation that governs all aspects of the use of a person’s private information. It is a wide-ranging law, stipulating that all organisations - public and private - manage the data capture and storage process of personal information within the Act’s legal framework. Those who fail to do so may face punitive fines (up to R10m) or prison sentences (up to 10 years).

Three parties are involved:

1. The individual whose data is being handled (called a data subject)
2. The group that decides how and why the data is collected and used, such as organisations or governments (called the responsible party)
3. The person or team that stores or processes the data on behalf of the organisation, such as an IT vendor (called an operator)

The main aims of the Act are to protect an individual’s right to privacy and to regulate the information economy. Organisations need to meet the following 8 conditions in order to be considered POPIA-compliant:

• Accountability - the responsible party must ensure that the conditions and all the measures set out in the Act ... are complied with
• Processing limitations - personal information may only be processed in a fair and lawful manner and only with the consent of the data subject
• Purpose specific - personal information may only be processed for specific, explicitly defined and legitimate reasons
• Further processing limitation - personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose
• Information quality - the responsible party must take reasonable steps to ensure that the personal information collected is complete, accurate, not misleading and updated where necessary
• Openness - the data subject whose information you are collecting must be aware that you are collecting such personal information and for what purpose the information will be used
• Security safeguards - personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure
• Data subject participation - Data subjects may request whether their personal information is held, as well as the correction and/or deletion of any personal information held about them

How HR Technology can help

Recruiting software helps you maintain a database of applicant and job information. Data protection is a critical obligation, although it must be balanced against the need to comply with other legislation, such as access to information. Although businesses are ultimately responsible for their own POPIA compliance, it makes sense to leverage reliable technology that supports you in the process. As operators of personal information, recruitment software providers also have a responsibility to adhere to international and local personal data protection laws.

Opting for Graylink’s recruitment solutions can help organisations minimise compliance risks. Our different platforms offer sophisticated controls to ensure that responsible parties are able to meet the requirements of their own data protection policies, while leveraging AWS (Amazon Web Services) infrastructure to secure data. AWS has tailored their technical infrastructure and protocols to meet the most stringent data privacy requirements worldwide, including GDPR and POPIA standards.

The bottom line

How personal data is handled by an organisation impacts the level of governance risk. Implementing the right policies, procedures and software can help mitigate risks, improve efficiencies, and reduce costs. Speak to us to find out how.