Mine and occupational health and safety executive Pieter Colyn opened a webinar on July 13 during which law firm ENSafrica unpacked the impact of the Protection of Personal Information Act (POPIA) on mine health and safety.
POPIA is a South African data protection and privacy law that (largely) came into effect on July 1, and which applies to responsible parties, including companies, organisations and other legal entities who process personal information, including through their websites.
The penalties for noncompliance on the part of the responsible party range from a fine not exceeding R10-million and/or imprisonment not exceeding ten years, to liability to pay compensation to data subjects for the damage they have suffered.
ENSafrica dispute resolution executive Nicole Gabryk points out that POPIA applies to the automated or non-automated processing of personal information, meaning records captured on paper are also subject to the Act.
She explains that processing is any activity concerning personal information, including collection, receipt, recording, organisation, transmission, distribution, linking or destruction of personal information.
Personal information is information of an identifiable human being or juristic person, such as race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, belief and culture of identifiable living natural and existing juristic persons. It also includes educational, financial, criminal, medical and employment history.
In particular, the Act categorises some types of personal information as special personal information which, as a general rule, requires consent before processing. These types of information pertain to people's religious beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information, as well as alleged criminal behaviour.
In certain cases, the law obligates the responsible party, often an employer, to process this kind of information and, therefore, this does not require consent from the data subject.
ENSafrica banking and finance executive Era Gunning notes that responsible parties must collect as little personal information as possible and should only obtain that information for a specific purpose, and use it in terms of a lawful justification that does not unduly infringe privacy.
When assessing a person’s health, for example, it is not necessary to ask people about their sexual orientation.
She adds that personal information should only be stored as long as you are authorised to keep information – either determined by law, lawful business reasons, contract or consent.
Further processing of personal information must be compatible with the purpose for which it is collected. Gunning highlights that data subjects must usually be told what will happen with their information and be informed (and provide consent) if this changes.
Moreover, companies need to take reasonably practicable steps to ensure personal information is accurate, not misleading and up to date.
Companies gathering personal information need to tell the data subjects, among other things, who they are; who information will be shared with; whether it will be sent outside of South Africa; and provide details of the information regulator should the data subjects wish to raise a concern, unless, for example, it is not reasonably practicable to do so.
Gabryk says companies need to implement reasonable technical and organisational measures to safeguard personal information, while data breaches must be reported.
The data subject has certain access rights, including a right to request its deletion.
Gunning says personal information may only be processed if the data subject consents to the processing; if it is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party; if the processing complies with an obligation imposed by law; and if the processing protects a legitimate interest of the data subject, a third party or the company itself.
Importantly, a data subject may withdraw his or her consent, but the processing of the relevant personal information may still continue, if, say, it is necessary based on contractual terms between the parties.
MINE HEALTH AND SAFETY
ENSafrica mine and occupational health and safety executive consultant Willem le Roux says existing legislation, the Mine Health and Safety Act (MHSA), disallows the disclosure of private personal information of an employee to a health and safety representative or health and safety committee by an employer, inspector or a person who conducts an inquiry in terms of Section 65, unless the employee consents thereto.
In turn, the Promotion of Access to Information Act (PAIA) provides that a record consisting of the personal information of a deceased person must be provided to a requester if the next of kin has given written consent thereto.
In view of all the legislation impacting on the disclosure of information, he says the scope of every piece of legislation needs to be considered.
“Where the MHSA is silent on a particular issue, then you refer to POPIA or PAIA. A provision of the MHSA will apply unless it is materially inconsistent with POPIA or PAIA. POPIA provides that if the other legislation provides for conditions for the lawful processing of personal information that are more extensive than those set out in POPIA, then the more extensive conditions must prevail.”
The MHSA contains a vast number of provisions that require the disclosure of personal information, such as the compilation of an annual report on health and safety, including the statistics in this regard, the recordal of formal training, the recordal of significant hazards and risks and the conduct of an investigation into a reportable accident, serious illness and health-threatening occurrences.
This recordal may involve particular employees, where POPIA will apply where the MHSA is silent on the disclosure of personal information.
Additionally, mines keep a record of occupational hygiene and medical surveillance, supply records to the Principal Inspector of Mines and deliver reports to the Health and Safety Committee. This necessitates compliance with POPIA in terms of the distribution of records.
Speaking to criminal behaviour and in cases of an inquiry where the evidence is that an employee has not taken reasonable care for his or her health and safety, or those of other persons, and injury occurred as a result, Le Roux says employers may, subject to certain conditions, process “red flag” or special personal information, even without consent.
An example is where it is appropriate in an inquiry to put it to an employee that, by failing to take reasonable care for his or her own safety, he or she committed an offence.
Such a statement would be intended to show that the employer complied with its obligation to operate its mine safely by requiring employees to take reasonable care for their safety and the safety of others.
In such a case, the processing of the special personal information would be necessary for the establishment of the employer’s obligation in law to ensure that mining operations are safe as far as reasonably practicable.
In cases of Covid-19-related deaths and employers needing to undertake contact tracing, POPIA only protects individuals who are living human beings. However, Inspectorate of Mines officials may require that employers get consent from next of kin for the use of the personal information of the deceased.
Le Roux says it is important that mining companies know the provisions of POPIA to make prudent and proper objective submissions to the Inspectorate of Mines for them to understand why employers may be able to process information in a certain manner.
Gunning reiterates the importance of lawful justification or lawful purpose for employers to process personal information, particularly special personal information, and following due procedure in getting consent, and creating awareness of how the information will be used, unless an obligatory law applies otherwise to exempt an employer from getting consent.