
27 January 2026


POPIA Compliance for Employers: What South African Businesses Must Do

The Protection of Personal Information Act is now fully in force. Here is what South African employers must do to protect employee and client data and avoid enforcement by the Information Regulator.


Raymond Hauptfleisch

Admitted Attorney · Qualified HR Practitioner

POPIA (the Protection of Personal Information Act 4 of 2013) has been fully in force since 1 July 2021. Yet many South African businesses — particularly SMEs — have done little more than add a privacy notice to their website. The reality is that POPIA imposes substantial obligations on every employer that processes personal information. Non-compliance can result in fines of up to R10 million and, in serious cases, imprisonment.

What personal information does POPIA cover in the employment context?

As an employer, you process significant volumes of personal information every day: employee identity numbers, salaries, bank details, health records (sick notes, medical certificates), disciplinary records, performance information, contact details, and more.

All of this is regulated personal information under POPIA. It must be collected lawfully, processed only for the purpose for which it was collected, kept secure, and deleted when it is no longer needed.

Appoint an Information Officer

Under POPIA, every private body (including every business) must have an Information Officer responsible for POPIA compliance. This is typically the CEO or MD of the business, but the role can be delegated to a deputy Information Officer by written appointment.

The Information Officer must be registered with the Information Regulator. Failure to register is a compliance deficiency.

Conduct a POPIA audit

You cannot comply with a law you do not understand in the context of your own business. A POPIA audit maps every category of personal information you process, identifies the lawful basis for processing, assesses current security measures, and identifies gaps.

For employers, the audit typically covers HR records, payroll data, recruitment data, client and supplier information, and website data collection.

Update your HR policies and employment contracts

Employment contracts should include a POPIA consent clause or privacy notice informing employees of what personal information is collected, why, for how long it will be retained, and with whom it may be shared.

HR policies should address how disciplinary records are retained and when they are deleted, the security of employee files (physical and digital), and procedures for data breaches.

Prepare a data breach response plan

POPIA requires you to notify the Information Regulator and affected data subjects of a data breach 'as soon as reasonably possible'. You cannot notify promptly if you do not have a plan. A data breach response plan identifies who is responsible, what steps to take, and how to communicate.

What happens if you do not comply?

The Information Regulator has enforcement powers. It can issue compliance notices, conduct investigations, and impose administrative fines of up to R10 million. Repeated or wilful non-compliance can result in imprisonment of up to 10 years.

Beyond regulatory risk, a data breach or POPIA violation that becomes public can cause lasting reputational damage — particularly for businesses that handle sensitive client or employee information.

Is your business POPIA compliant?

OptiHR conducts POPIA compliance audits, appoints Information Officers, and drafts all required policies and consent procedures. Book a free consultation to find out where your gaps are.
