Data Protection & Privacy
On 2 March 2022, South Africa saw one of the first findings relating to POPIA being adjudicated on a formal platform. Whilst the Commission for Conciliation, Mediation and Arbitration (“CCMA”) is not a court of law and does not follow a system of binding precedents, this article depicts many aspects of our data privacy legislation which beg for certainty of interpretation.
An applicant referred an unfair labour practice dispute to the CCMA which related to the refusal by her employer to pay over certain benefits. The respondent contended that the applicant’s papers contained copies of confidential employment offers made to certain employees and that the inclusion of these offers was prohibited and constituted a contravention of the Protection of Personal Information Act ("POPIA").
The CCMA discusses two critical issues in relation to POPIA:
In relation to the first issue, the CCMA considers the fact that the evidence "will neither form part of any filing system, nor would it be intended to form part of any filing system" makes it debatable whether the applicant is a “responsible party” and therefore whether POPIA applies in the circumstances. This is because section 3(1)(a) of POPIA states that POPIA only applies to the processing of personal information entered in a record by, or for a responsible party by making use of automated or non-automated means, provided that recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof. Where the personal information will not form part of a “filing system” (as defined ), POPIA will not find application.
The commissioner correctly finds that the CCMA is not a court of law and that section 6(1)(e) of POPIA, which provides that POPIA does not apply to the processing of personal information relating to the judicial functions of a court, would not find application. However, the commissioner finds section 6(1)(a) to be applicable. This section excludes the application of POPIA when personal information is processed in the course of purely personal or household activity.
Whilst this decision is not binding, it is arguable whether the interpretation provided will find judicial favour when considering the following:
Although section 11(1)(f) of POPIA was not argued in this particular case, it begs the question whether the applicant should have rather relied on the justification of “legitimate interest” for her processing activities. This particular provision justifies processing activities by responsible parties where the processing is necessary for pursuing the legitimate interest of the responsible party. There is a compelling argument that this ground would appear more attractive in the face of the current facts. Another consideration that comes into play is the processing activities of the CCMA in relation to confidential information contained in the applicant’s papers. Section 11(1)(f) could equally find relevance if it was found that POPIA did in fact apply.
Whilst the ruling is one of the first attempts at interpreting South Africa’s data privacy regime, it may be seen as a missed opportunity to interrogate POPIA more fully. It is likely that we will soon see the legislation taking centre stage in our courts as stakeholders continue to grapple with POPIA compliance as part of their daily operations.
Should you wish to discuss your POPIA compliance concerns, please feel free to reach out to us.