SHEBURI V RAIL SAFETY REGULATOR – APPLICATION OF POPIA

On 2 March 2022, the CCMA handed down a ruling relating to an unfair labour practices dispute. The applicant, an employee of the Rail Safety Regulator (the respondent), alleged that she was excluded from receiving benefits that were due to her which other employees were entitled to.

The respondent raised a point in limine objecting that the applicant’s bundle of documents contained confidential offers of employment of other employees that contained personal information that she was not entitled to access and present to the commission.

The respondent submitted that the offers of employment were confidential information protected under the Protection of Personal information Act, 2013 (“POPIA”).  In responding to the point raised in limine, the applicant contended that POPIA was not applicable as the Act does not apply to the processing of personal information relating to the judicial functions of a court and that the confidential documents were voluntarily made available to the applicant by the employees to which they related.  Therefore, the applicant contended that there was valid consent to the processing of the personal information.  The respondent stated that POPIA was not applicable and that there was no proof that the employees had consented to the use of their personal information.

In making a ruling on the point in limine, the arbitrator held that the CCMA is not a court of law and therefore the exclusion in POPIA did not apply.  Furthermore, the arbitrator held that the Act does not apply to the processing of personal information in the course of a purely personal or household activity and that the presentation of a case by the party at the CCMA arbitration arguably constitutes a purely personal activity.  In deciding whether POPIA was applicable to the dissemination of the information by the applicant, it was held that the POPIA will only apply to the processing of personal information “entered in a record by or for a responsible party…” and that the applicant was not a responsible party as per the definition of the Act.

With regards to the question of consent, the arbitrator held that the applicant must have obtained consent from the two employees despite the fact that there was no explicit consent in the evidence presented to the CCMA.  Furthermore, the arbitrator held that the respondent could not have been so concerned about the protection of the personal information of the two employees and that it may just be an ingenious ploy to prevent the applicant from presenting evidence which could be damaging to the respondent’s case.  Thus based on the circumstances above, the arbitrator dismissed the respondent’s point in limine.

Analysis of the ruling in terms of POPIA

We have considered the arbitrator’s rulings on the POPIA aspects of the matter and, it is our view that the ruling is problematic in a few respects.  Firstly and despite the fact that the applicant was successful, had she relied on the ground of legitimate interest,((Section 11(1)(d).)) she would have been in an even stronger and more solid position.  Section 11(1)(d) states that personal information may only be processed if – “processing protects a legitimate interest of the data subject…”.  Legitimate interests include the interests of an individual and she could have argued that the offers of employment were indeed necessary to support her case.

We believe that using consent as a basis for permitting the documents to be used, is problematic as no explicit consent was granted.  Had the arbitrator examined the ground of consent carefully, it would not have passed muster as it requires “a voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.  If the evidence presented at the Commission did not fulfil these requirements,  then the arbitrator may have been wrong to rule that there was consent.  Even if the consent was given for the applicant to view the information, the arbitrator may have needed to consider whether that consent extended to further processing, such as for purposes of the CCMA hearing.  The arbitrator cannot simply assume that consent was obtained without more substantial facts to support this view.

Furthermore, it is our view that the arbitrator was incorrect in deciding that the applicant’s legal proceedings before the CCMA constituted a purely personal or household activity.((Section 6(1)(a).))  Although the Act does not provide any guidance on what constitutes a personal or household activity, legal proceedings do not constitute personal or household activity.  An ordinary meaning must be given to the words “personal” or “household activity”.  Under the EU GDPR, personal or household activity is any activity that has no connection to a professional or commercial activity.  Therefore, a similar meaning should be ascribed to the applicant’s use in this case.  CCMA arbitration may fall under the category of commercial activity as it relates to employee and employer disputes involving commercial and business entities.

Lastly, and despite the motive of the respondent to prevent the applicant from presenting damaging evidence, the privacy rights of the two other employees should still be determined in terms of POPIA.  Making assumptions regarding the issue of consent is not justified as POPIA enshrines the right to privacy in our Constitution.

Contact us for more good, clear, precise advice.

Filter By

Must Reads

Subscribe to receive our latest articles

Follow Us

Related Posts

Imitation is the greatest form of flattery, but we don’t think so in this case.

We are aware of the phishing email that has been circulated to many people. Although we are not the firm mentioned in the phishing email you may have received, we’ve received several calls because of the similarity to our firm name so, unless you’d like to have a chat about other technology law matters, please don’t call us as we won’t be able to help. 

We know the firm in the phishing email is a genuine law firm, based in Cape Town, and we’ve alerted them to what is likely an impersonation scam.

If you’d like to learn more about phishing, click on the following link (we promise this is a legitimate link ) to watch this entertaining video we did eight years ago.