Briefly, POPIA was enacted to, inter alia, give effect to the right to privacy which emanates from section 14 of the Constitution of the Republic of South Africa, 1996 (“the Constitution”) and to regulate the manner in which personal information is processed.
The following definitions contained in POPIA are noteworthy in unpacking the case discussed below:
- consent “means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information” Emphasis Added
- a responsible party “means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information” Emphasis Added
- record “means any recorded information—
- (a) regardless of form or medium, including any of the following:
- Writing on any material;
- information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
- label, marking or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means;
- book, map, plan, graph or drawing;
- photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
- in the possession or under the control of a responsible party;
- whether or not it was created by a responsible party; and
- regardless of when it came into existence”
- personal or household activity is not defined in POPIA and our Courts have not yet provided us with a practical definition of this term. As such, reliance will be placed on the European Union General Data Protection Regulations, 2016/679 (“GDPR”) wherein under item 18 of the Recital it provides that “personal or household activity could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”
- Although the definition for personal or household activity as contained in GDPR provides some guidance, the landmark decision of the European Court of Justice in Bodil Lindqvist case ECLI:EU:C:2003:596 at paragraph 47 assisted in elucidating the interpretation of this definition. The Court held that “exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.” Emphasis Added
Against the above backdrop, POPIA was put to the test in Sheburi v Railway Safety Regulator case number GATW 15200-21. In this case, the employee referred an unfair labour practice dispute to the Commission for Conciliation, Mediation and Arbitration (“CCMA”) alleging that the employer refused to pay her certain benefits. The matter was ultimately set down for arbitration.
During the arbitration, the employer raised a point in limine alleging that the employee breached the provisions of POPIA in that the employee’s bundle contained two confidential offers of employment which disclosed salary levels linked to two other employees’ job profiles (“the documents”). Accordingly, the employer called upon the Commissioner to make a ruling against the employee to remove these documents from her bundle.
The employee argued that POPIA did not find application in this case because of section 6(1)(e) of POPIA which provides that POPIA does not apply to processing of personal information for judicial reasons relating to the function of a court. The employee argued that section 166 of the Constitution identifies the CCMA as a Court.
Furthermore, the employee alleged that the other employees had consented to the use of their documents as part of her bundle as they had voluntarily furnished her with the documents, this argument was supported by emails from the respective employees transmitting the documents to the employee.
The Commissioner rejected the employee’s argument that POPIA did not apply to the CCMA finding that the CCMA did not perform the functions of a Court.
Before considering the employee’s argument that she had secured the consent of other employees to use their personal information, the Commissioner considered another exception of POPIA under section 6(1)(a) which states that the Act does not apply to purely personal or household activity. To this end, the Commissioner held that the presentation of a case at the CCMA constitutes purely personal activity and therefore POPIA did not apply.
The Commissioner then considered the issue of consent and found that the other employees had given their consent to use their confidential documents even though they had not given their express consent. He reasoned that the mere fact that the other employees had voluntarily made these documents available to the employee was sufficient proof of consent.
The Commissioner acknowledged that it was an established practice in employment disputes for a party to require such documents to conduct a comparison exercise in order to prove inconsistency on the part of the employer. Accordingly, the employer’s point in limine was dismissed.
Unfortunately, the Commissioner does not provide much elaboration or explanation which would have assisted us in understanding his reasoning in reaching the conclusions that he did.
It is surprising that producing confidential documents relating to a third party’s personal information during a CCMA arbitration, which is a dispute resolution tribunal, could be regarded as a personal or household activity.
It is clear from POPIA that consent must be informed, specific and voluntary. It may be arguable that the requirement of consent, in casu, lacked the element of being specific because the emails from the other employees did not specifically stipulate that the employee could utilise their confidential documents during the employee’s arbitration. Furthermore, the employee falls squarely within the definition of a responsible party as defined in POPIA.
Hopefully over time and as more cases are put to the test, it will assist in elucidating this piece of legislation, its interpretation and application.