27 Oct 2015

The Protection of Personal Information Act 2013: The Dangers of Employees and their Devices

by Verlie Oosthuizen, Partner, Durban,
Practice Area(s): Employment |

In order to increase efficiency and productivity as well as to take advantage of developments in technology in the workplace, it is prudent for employers to provide certain of their employees with various mobile and hand held devices such as smart phones, tablets, laptop computers and the like.  This allows employees to have access to their work email accounts and even the employer's network through such devices, enables work to happen remotely and ensures that employees are not strictly confined to the office space.  However, as with everything in life, the potential pitfalls of this need to be anticipated and safeguards put in place. 

This is particularly important with the recent legislation passed which should be at the forefront of every company's future risk planning. The Protection of Personal Information Act 4 of 2013 ("the POPI") is an Act which has been developed in order to bring South Africa in line with international jurisdictions which requires the protection of the personal information of persons with whom companies do business.  In fact, certain foreign jurisdictions require that  transactions with businesses in South Africa are subject to information protection measures so that the legislative obligations of the foreign entity can be met. 

However, the legislative requirements of POPI go even further than this and require that the personal information of any person which is retained by a company for any reason, such as that of employees, applicants, clients and service providers is dealt with in accordance with its procedures. Personal information is a valuable commodity, especially on the "black market", where it can be used to commit fraud, among other things.

On a practical level it is obvious that any mobile or hand held electronic device that an employee uses outside of the (hopefully) secure environment of the company premises will contain an inordinate amount of information that would be subject to the protections of POPI.  Client information, telephone numbers, emails and email addresses, documents and the like are "floating" around in cars, hand bags, briefcases and other insecure locations where the officers of POPI cannot police them.  A 2013 survey in the United States of America found that 60% of businesses had experienced the loss or theft of smartphones and 43% had experienced the loss of theft of tablets.  When any of those devices fall into the hands of an outsider, , the information is in the possession of someone who may potentially access it and use it for the nefarious purposes that POPI is trying to prevent.

A sensible step to try and manage this risk would be for the employer to develop a standard electronic device policy to include better protection of the personal information of clients or customers of the employer, fellow employees and associates which would be applicable to all employees.  Perhaps the most important aspect of that policy would be the enforcement of a password protection provision which compels the employee to have a unique password or fingerprint access to the device at all times.  If the device is stolen it cannot be opened by someone that does not know the password or cannot bypass the fingerprint access.  This provision should be regularly monitored by management and devices checked for compliance.  Passwords on cell phones are inconvenient and can be switched off.  If an employee transgresses the clause it should be a disciplinary offence. 

The importance of policies such as this in the landscape of POPI cannot be underestimated.  Companies that do not safeguard their information properly may be liable for fines in certain instances, or expose them to the embarrassment of having to inform their customers or clients that their information has been compromised.   A failure to develop policies that inform and educate employees of the importance of maintaining the integrity of personal information may expose the business to risk.

Our suggestion is that before the  legislation becomes fully applicable a culture of compliance is developed at the employee level.  Companies would be well advised to get legal assistance with their policies and procedures to ensure that they are POPI compliant as soon as possible.

Share this article