Events and Special Reports

ENSafrica unpacks the impact of POPIA on mine health

ENSafrica unpacks the impact of POPIA on mine health
Mining News Pro - Law firm ENSafrica on July 13 unpacked the impact of the Protection of Personal Information Act (POPIA) on mine health and safety.
  Zoom:

POPIA is a South African data protection law that came into effect on July 1, and which applies to websites, companies, organisations and other legal entities who process personal information.

It would bode well for large corporates, such as mining companies, to appoint an information officer, draft a privacy policy, raise awareness among employees, amend contracts with operators, report data breaches to the regulator and data subjects, check that they can lawfully transfer personal information to other countries and only share personal information whey they are lawfully able to, law firm Michalsons suggests.

Michalsons further explains on its website that the penalties for noncompliance on the part of the responsible party vary between imprisonment or a fine of between R1-million and R10-million, or one to ten years in jail; or being liable to pay compensation to data subjects for the damage they have suffered.

ENSafrica dispute resolution executive Nicole Gabryk points out that POPIA applies to the automated or non-automated processing of personal information, meaning records captured on paper also apply.

She explains that processing is any activity concerning personal information, including collection, receipt, recording, organisation, transmission, distribution, linking or destruction of information.

Personal information relates to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, belief and culture. It also includes educational, financial, criminal, medical and employment history.

Particularly, there is special personal information that requires consent before processing. These pertain to peoples’ religious beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information, as well as criminal history.

In certain cases, the law obligates the responsible party - often an employer - to process this kind of information and, therefore, this does not require consent from the data source.

ENSafrica banking and finance executive Era Gunning notes that responsible parties must collect as little personal information as possible and should only obtain that information by lawful justification, with valid purpose, that does not infringe privacy.

When assessing a person’s health, for example, it is not necessary to ask people about their sexual orientation.

She adds that personal information should only be stored as long as you as authorised to keep information – either determined by legislation, lawful business reasons or consent.

Further processing of personal information must be compatible with the purpose for which it is collected. Gunning highlights that data subjects need to be told what will happen with their information and be informed when this will change.

Moreover, companies need to take reasonably practicable steps to ensure personal information is accurate, not misleading and updated.

Companies gathering information need to tell the data subjects who they are, most often the case of third-party data collection; who information will be shared with; whether it will be sent outside of South Africa; and provide details of the information regulator should the data subjects wish to raise concern.

Gabryk says companies need to implement reasonable technical and organisation measures to safeguard information, while data breaches must be reported.

The data subject has certain access rights, including a right to request its deletion.

Gunning says personal information may only be processed if the data subject consents to the processing; if it is necessary to carry out actions for the conclusion of the performance of a contract to which the data subject is party; that processing complies with an obligation imposed by law; and that processing protects a legitimate interest of the data subject or a company itself.

Importantly, a data subject may withdraw his or her consent, but this also depends on contractual terms entered into.

MINE HEALTH AND SAFETY

ENSafrica executive consultant Willem le Roux says existing legislation – the Mine Health and Safety Act (MHSA) and the Promotion of Access to Information Act (PAIA) – disallows the disclosure of private personal information of an employee to a health and safety representative or health and safety committee by an employer, inspector or a person who conducts an inquiry in terms of Section 65, unless the employee consents hereto.

In view of all the legislation impacting on the disclosure of information, he says the scope of every piece of legislation needs to be considered.

“Where the specific Act is silent on a particular issue, then you refer to POPIA or PAIA. In the case of some conflict between the legislation, the one with more extensive conditions (wider in scope but not necessarily stricter) prevail, but this must not be materially inconsistent with POPIA.”

He highlights that the POPIA must prevail over other legislation that regulates the processing of personal information.

The MHSA contains a vast number of provisions that require the disclosure of personal information, such as the compilation of an annual report on health and safety, including the statistics in this regard, the recordal of formal training, the recordal of significant hazards and risks and the conduct of an investigation into a reportable accident, serious illness and health-threatening occurrences.

This recordal may involve particular employees, where POPIA will then apply.

Additionally, mines keep a record of occupational hygiene and medical surveillance, supply records to the Principal Inspector of Mines and deliver reports to the Health and Safety Committee. This necessitates compliance to POPIA in terms of the storage and distribution of records.

Speaking to criminal behaviour and in cases of inquiry where the evidence is that an employee has not taken reasonable care for his or her health and safety, or those of other persons, and injury occurred as a result, Le Roux says employers may, in certain conditions, process “red flag” or special personal information, if necessary, even without consent.

In cases of Covid-19-related deaths and employers needing to undertake contact tracing, POPIA only protects individuals who are living human beings. However, Inspectorate of Mines officials may require that employers get consent from next of kin for the personal information of the diseased being used.

Le Roux says it is important that mining companies know the provisions of POPIA to make prudent and proper objective submissions to the Inspectorate of Mines for them to understand why employers may be able to process information in a certain manner.

Gunning reiterates the importance of lawful justification or lawful purpose for employers to process personal information, particularly special personal information, and following due procedure in getting consent, and creating awareness of how the information will be used, unless an obligatory law applies otherwise to exempt an employer from getting consent.


   Short Link:  
Related News
Esfahan Mobarakeh Steel co.
HOSCO
khuzestan steel
chadormalu Co.
ghadir neiriz co
IranAluminaJaajarm
sangan steel
ahan o fulad golgohar