Etienne Pretorius is a candidate attorney with Bev Loubser Attorneys, and has provided the content in this article in response to a question raised within the legal fraternity in South Africa | 5th May 2020.
For more information, contact:
Tel: +27 (0) 82 513 6150
LinkedIn: Andries Etienne Pretorius
© Andries Etienne Pretorius 2020 | South Africa
Please Note: Specific queries should be directed to Bev Loubser Attorneys in order to obtain relevant specific and/or appropriate legal advice.
This article addresses the question of law of whether a non-disclosure agreement adequately protects an employee’s personal information. A company with employees may need to sign a non-disclosure agreement, or confidentiality agreement (hereafter NDA), with a third party whose offering requires access to its employee information. If the employee’s information is personal, legislation would protect it. The Protection of Personal Information Act 4 of 2013 (hereafter POPI) sets out eight conditions for the processing of personal information. The NDA makes up a legally binding agreement in South Africa, which raises the question of whether it allows automatic access, or access under exclusions, to the employee’s personal information.
The intention and aim of the legislator is that POPI regulate and formalise how companies collect, store, protect, access and distribute personal information, and that it protect the ongoing integrity and sensitivity of that private information. Section 5 of POPI states that “a data subject has the right to have [their] personal information processed in accordance with the conditions” as they apply to legislation. Section 11(1)(b) provides that an employee’s personal information may be processed if “processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.” Here we think of group life insurance or medical aid insurance, where personal details are communicated to the insurer with the specific intention of underwriting or keeping records of a life assured. However, the outsourcing of tasks to a consultant may be a different matter: since the employee may object (at any time), it could undermine the consultant’s performance and function.
Condition 2 of POPI covers processing limitations and provides that the personal information must be collected directly from the employee, except where the collection from another source is necessary to maintain the legitimate interests of the company (responsible party) or of the consultant (third party) to whom the information is supplied.  The information may be used to make a decision regarding the employee and should be retained only under certain conditions.  The consultant may take possession of the information as an “operator or person acting under authority”, but must then process the information only with the knowledge or authorisation of the company and treat any personal information as confidential. 
An NDA is a legally binding contract that requires parties to keep confidentiality for a defined period. It’s up to the parties to decide what would be considered confidential and what is not. It is possible that contracts are void because their conclusion is contrary to a statutory provision, good morals, or public policy. The legislator doesn’t always state expressly whether legislation prohibits a contract, or whether a contract is void if it falls foul of a prohibition. The task then becomes one of determining whether the legislator has impliedly provided for nullity, and the same inquiry applies where an NDA is prohibited by legislation or falls foul of a prohibition. A confidentiality undertaking would address several issues within the NDA, these being:
- Restrictions on the disclosure and use of information;
- Security precautions to be taken by the recipient of the information (third party);
- The extent to which disclosure to employees and consultants is allowed;
- Exceptions to the confidentiality obligations;
- The duty to disclose if so ordered by the court;
- Duration of the obligations and whether they survive termination of the agreement; and
- The right to have information and copies returned on request.
These areas of protection within the NDA would protect the company information and not specifically address the right of privacy in terms of the data subject (employee). There are a couple of things which should take place before any personal information can be communicated to a third party. The company needs to draft and publish a PAIA Manual and make policy in that regard, which becomes a document attached as an addendum to the NDA. An Employee Handbook should be drafted and presented when each employee contract is signed at the inception of the relationship. This provides proof that the employee has given permission for personal information to be shared under certain conditions, assuming a third party is involved. Sometimes information might need to be provided directly by the employee, so the company would need to facilitate a certain amount of interaction between the employee and the third party. The handling of personal information needs to be covered by a relevant policy, which needs to be drafted and signed and then attached as an addendum to the NDA. POPI requires a company to update existing policies and create new ones. The company would need documents to support the management of service level agreements (hereafter SLA) and NDAs, such as:
- Privacy Policies
- Information Security Procedures
- Incident Response
- Information Manuals
- Reporting Procedures
The company must also share these policies with employees and third-party partners so that everyone knows what to do to comply with POPI. Compliance should be viewed as an ongoing and active process which requires management, rather than as a single event. If the company processes data fairly, ethically, and safely, then POPI is unlikely to require dramatic changes to the business. However, a gap and risk assessment will highlight whether there are policies which need to be written or amended.
Hutchison D Pretorius C Du Plessis J Eiselen S Floyd T Hawthorne L Kuschke B Maxwell C Naude T and De Stadler E The Law of Contract in South Africa Second Edition (Oxford University Press 2012)
The Promotion of Access to Information Act 2 of 2000
The Protection of Personal Information Act 4 of 2013
The Protection of Personal Information Act: Regulations: Information register, GG 42110, RG 10897, GN 1383, 14 Dec 2018
 Emphasis and amendment by the author – replacing “his, her or its”
 Section 11(3) of The Protection of Personal Information Act 4 of 2013;
Section 2 of The Protection of Personal Information Act: Regulations: Information register, GG 42110, RG 10897, GN 1383, 14 Dec 2018
 Section 12(2)(d)(v) of POPI
 Section 14(3)(a) of POPI
 Section 20(a) and (b) of POPI
 Hutchison D Pretorius C Du Plessis J Eiselen S Floyd T Hawthorne L Kuschke B Maxwell C Naude T and De Stadler E The Law of Contract in South Africa Second Edition (Oxford University Press 2012) p181
 Hutchison et al The Law of Contract (2012) p414
 The PAIA Manual is compiled in terms of Sections 14 and 51 of the Promotion of Access to Information Act 2 of 2000 (hereafter PAIA)