Article written by Daniel Maboa (SEESA)
The Protection of Personal Information Act (POPIA) is South Africa’s privacy legislation that came into effect on 1 July 2021. At its heart, the Act seeks to enhance the constitutional right to privacy, give data subjects some form of control over their personal information and ensure that organisations processing information do so in line with POPIA.
The employer must abide by POPIA by ensuring that clear policies and standard operating procedures guide employees on how to deal with personal information.
In terms of Section 99(1) of POPIA, an employer, in its capacity as a responsible party, would be vicariously liable for non-compliance with POPIA if its employee is found to be non-compliant when dealing with personal information.
Vicarious liability is a legal principle in terms of which an employer will be liable jointly and severally with an employee whose wrongful conduct causes damage to another if the conduct was done within the scope of that employee’s employment. From this, it is clear that civil action can be brought against an employer based on the principle of vicarious liability[1].
A question that arises is: what would happen if an employer has clear policies and protocols relating to POPIA compliance and ensures that its employees are thoroughly trained on those policies and protocols, but an employee nonetheless, either through negligence or willful contempt, disregards the steps taken by the employer?
When comparing this to other legislation, for example, the European General Data Protection Regulations and the local Employment Equity Act, it may be that an employer can escape liability where its employee contravenes POPIA if the employer can prove the measures it took to comply with the Act[2].
Also, Section 99(2) of POPIA lists defences that are available to a responsible party if a civil action is brought against it. In the event of a breach, the responsible party may raise any of the following defences against an action for damages:
- vis major;
- consent of the plaintiff;
- fault on the part of the plaintiff;
- compliance was not reasonably practicable in the circumstances of the particular case; or
- the Regulator has granted an exemption in terms of section 37.
From the listed defences, the defences of vis major (an act of God), consent of the plaintiff, and fault on the part of the plaintiff would clearly not apply.
The defence that the Information Regulator granted an exemption in terms of Section 37 would also not apply. This section applies where non-compliance is for the benefit of the data subject or is in the public interest.
What is left would be the defence that compliance was not reasonably practicable in the circumstances of the particular case. The argument that the employee would have deviated from their scope of employment by intentionally breaching POPIA is not enough to allow the employer to escape liability. As seen from recent case law[3], an employer would still be liable for the intentional wrongful conduct of their employees.
It appears that POPIA places stringent standards on employers in their capacity as responsible parties and puts an employer in a near-impossible position when it comes to ensuring that their employees adhere to the Act. What is clear is that in its current form, POPIA does not expressly allow the employer an escape against a civil action where a contravention of POPIA is committed by its employee even though the employer has taken measures to comply with POPIA.
This means that employers ought to take reasonable steps to ensure that they identify and mitigate the risks that POPIA may pose when their employees process personal information[4].
About the author
Daniel Maboa started his career at SEESA in July of 2021 as a Consumer Protection and POPI Legal Advisor at SEESA’s Head Office. He obtained his LLB in 2019 and was previously a Legal Administrative Intern with the legal division of the S.A Police Service.
Resources
[1] K v Minister of Safety and Security 2005 6 SA 419 CC
[2] Millard D and Bascerano EG “Employers’ Statutory Vicarious Liability in Terms of the Protection of Personal Information Act” PER / PELJ 2016(19)
[3] Fujitsu Services Core (Pty) Ltd v Schenker South Africa (Pty) Ltd (21830/2014) ZAGPJHB 111 (2020)
[4] M Schepers “South Africa: Liability Of Employers Under POPIA” 2020