This section provides some guidance in respect of applying the principles and requirements of POPI to human resources.

HR departments are often overlooked in the compliance exercise, because employee personal information is seen as less important and risky than customer personal information.


One or more persons should be identified and appointed to take responsibility for ensuring POPI compliance in respect of Human Resources matters. The nature and size of the organisation will influence where responsibility should rest.

Business processes in respect of HR functions should be documented so as to provide an overview of:

Who does what (start at the beginning and then create a process flow, identifying each step, who is involved/responsible, as well as what personal information is being collected, processed, stored, backed up or deleted).

One of the biggest risks to any organisation when it comes to data protection is its employees. It is therefore important to identify the risks of each role and implement a screening procedure to ensure that the organisation is not exposed, especially in respect of roles that involve working with sensitive or confidential personal information.

Drawing up a person specification allows the organisation to profile the ideal person to fill the job. A person specification includes any criteria relating to personal qualities or circumstances which are essential and directly related to the job. It is very important that all the skills, experience, qualifications or aptitudes included in the specification are related precisely to the needs of the job. It is also important to properly screen high-risk role candidates for any history of data breach, terrorist or criminal activity related to the role. If not, there is a greater chance that someone will be employed who is not suited for the role.

It is recommended that you review the roles in your organisation and identify those which require screening, as well as the level of screening which is required, and ensure this is regularly done.


Personal information of staff is still personal information and must be processed compliantly.

It is important to identify the flow of information, from staff recruitment, appointment and induction, to leave, performance management and discipline. Once the process flow is complete, identify all persons who have access to staff personal information at every step.

This could include:

  1. HR manager
  2. Clerical staff
  3. IT staff

Ensure that business areas and individual line managers who process information about staff understand their own responsibility for data protection compliance and, if necessary, amend their working practices in the light of this.

Apply the processing principles.


Consent is of utmost importance

  • Eliminate the collection of personal information that is irrelevant or excessive to the employment relationship. If sensitive data is collected ensure that a sensitive data condition is
  • Consider each type of personal information that is held and decide whether any information could be deleted or not collected in the first
  • Determine whether all questions are relevant for all
  • Consider customising application forms where posts justify the collection of more intrusive personal
  • Remove or amend any questions which require the applicant to provide information extraneous/unnecessary to the recruitment
  • Ensure that where you process the personal information of for example, next of kin, that you have the necessary consent. The onus of proof rests with you to prove that consent was received from the next of

If you use a recruitment agency check that it identifies itself in any advertisement, and that it informs applicants if the information requested is to be used for any purpose of which the applicant is unlikely to be aware. If you do not wish to be identified at an early stage in the recruitment process, ensure the agency only sends anonymised information.


It is important to have procedures and policies to deal with matters should things go wrong. One such area is where discrepancies may arise when screening staff, or potential staff. It is recommended that you implement a policy and procedure on how to handle this type of situation. You should look at implementing measures such as:

  • Do not place reliance on information collected from possibly unreliable
  • Allow applicants to make representations regarding information that will affect the decision to finally appoint
  • Allow staff to make representation on discrepancies and prejudicial information
  • Ensure that staff who are involved in verification in your organisation are aware what to do should inconsistencies emerge
  • Make sure that in this situation, you inform the person and allow them the opportunity to provide an explanation of the
  • Ensure proper feedback of any actions or measures which you will be taking, and why
  • Keep full records of all


  • Ensure that a secure method of transmission is used for sending applications online (e.g. encryption-based software).
  • Ensure that once electronic applications are received, they are saved in a directory or drive which has access limited to those involved in the recruitment
  • Ensure that postal applications are given directly to the person or people processing the applications and that these are stored in a restricted
  • Ensure that faxed applications are given directly to the person or people processing the applications and that these are stored in a restricted area.
  • If applications are processed by line managers, make sure line managers are aware of how to gather and store


Storing personal information of staff must be done correctly and compliantly. These records often contain highly sensitive information, such as health records, criminal records and bank account details, which require extra care and security. Access must be limited to only those persons who need it, and the appropriate level of security implemented.


A Guidance Note has been issued by the Information Regulator to protect the privacy rights of staff. The Guidance Note outlines the conditions for processing personal information in order to comply with your responsibilities to detect, contain and prevent the spread of COVID-19.

You are allowed to request specific information on health status so that you can comply with your obligation in respect of the Occupational Health and Safety Act 85 of 1993. You don’t need your staff’s consent for this.

You can further process this personal information if it is necessary to prevent a serious and imminent threat to public safety or public health, or to the life or health of another person.


Using software to create a personal profile in respect of performance, attendance, reliability etc. may amount to automated decision-making. You are not allowed to make decisions which have legal consequences for, or to a substantial degree affect, the employee if the decision is based solely on this profiling.


Procedures must be implemented to deal with the information of staff and any related persons where employment is terminated.

You need to consider how to deal with requests for references, possible debarments in financial services or any other processing which may be needed once a staff member leaves.