Liability of employers under POPIA



Most employees, whether they are aware of it or not, process personal information on a daily basis as contemplated in the Protection of Personal Information Act, 4 of 2013 (“POPIA”). This raises the question: can an employer be held liable for the actions of one of its employees should the employee infringe upon a person’s privacy rights in terms of POPIA? The harsh reality, by virtue of POPIA, is yes. The employer can be held vicariously liable in terms of POPIA.

Vicarious liability is a well-established common law principle in which an employer can be held liable for the acts committed by its employee if those acts were committed in the course and scope of that employee’s employment.

Section 99(1) of POPIA states that a person (a “data subject”) or, at the request of the data subject, the Information Regulator, may institute a civil action for damages against a responsible party for breach of any provision of POPIA, whether or not there is intent or negligence on the part of the responsible party. POPIA gives a broad definition of ‘responsible party’ but ultimately this is any person who determines the purpose of and means for the processing of the personal information of data subjects, which will include all employers. Therefore, the wording of section 99(1) makes it very clear that POPIA creates a form of statutory vicarious liability for holding an employer (as the responsible party) liable for its employees' actions should they unlawfully process a data subject's personal information.

Section 99(2) of POPIA does however set out defences which an employer may utilise against an action brought in terms of section 99(1).

These defences are, however, very limited and leave an employer with very little to rely on by way of a defence.

The defences are: vis major (i.e. acts of God); consent of the plaintiff; fault on the part of the plaintiff; that compliance was not reasonably practicable in the circumstances of the particular case; or that the Information Regulator has granted an exemption in terms of section 37.

Unfortunately, what POPIA does not offer employers is a defence that the employer did all that was reasonably practicable in the circumstances to prevent non-compliance with POPIA by its employees. Such a defence would, for example, cover instances where an employer has taken steps to raise awareness among its employees, trained its employees or conducted workshops, issued instructions and mandates, and developed specific policies to ensure compliance with POPIA.

This is a glaring and unfortunate omission by the legislature. Without this statutory defence, even employers who take steps to promote compliance with POPIA may be held accountable and liable under section 99(1) for the actions of their employees.

This is because section 99(1), as it stands, does not require intent or negligence on the part of the employer itself before the employer can be held accountable. Although this may leave most employers with a sour taste in their mouths, all that employers can do for now, in order to mitigate their risks under POPIA as best as possible, is to actively identify the risks that POPIA may pose when their employees process personal information and to ensure that their employees process personal information lawfully in terms of POPIA at all times.