Special categories & people

Biometrics, criminal records and background checks

Fingerprint access control, vetting and screening — lawful within section 33, with a prior-authorisation trap for third-party screeners.

Published Last reviewed 7 min read

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

About
Quick answer
Biometric and criminal-behaviour information are special personal information, but section 33(1) authorises processing by responsible parties who have obtained that information in accordance with the law, and section 33(2) routes employee vetting through labour legislation. Employers running their own fingerprint access control or candidate checks operate within those rules. The trap is for businesses screening on behalf of third parties: processing criminal-conduct information for others is a section 57 prior-authorisation trigger.

On this page

The section 33 framework

What the Act provides

Criminal-behaviour and biometric information may be processed by responsible parties “who have obtained that information in accordance with the law”, with employee vetting governed by labour legislation.

Protection of Personal Information Act 4 of 2013, s 33(1)–(2) (effect)Read it on Dept of JusticePDF

Both categories sit inside the special-information regime — prohibited by section 26, permitted through the gateways — and section 33 is their sector authorisation. The phrase doing the work is “in accordance with the law”: a SAPS clearance certificate the candidate obtained and tendered, an AFISwitch check run through the authorised channel, biometric data collected openly for a defined purpose. Information that reaches you sideways — a leaked docket, a tip-off database — fails at the threshold.

Biometric clocking and access control

Fingerprint clocking, facial-recognition entry, voice authentication — all biometric processing, all lawful when built properly: a real purpose (payroll fraud was costing money; the server room needs strong access control), proportionality (would a card have done? — answer the question honestly and record the answer), hardened storage (templates, hashed, segregated — a biometric can’t be reissued after a breach), and openness with the people enrolled. What the system must not become is a general surveillance asset repurposed at will — the purpose limitation binds biometrics hardest of all.

Background checks — and the section 57 trap

The critical distinction is whose processing it is. An employer vetting its own candidates processes under section 33 and labour law. A business whose service is screening — running criminal and conduct checks on behalf of client companies — processes “information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties”, which is one of the four prior-authorisation triggers in section 57(1). Such businesses must apply to the Regulator once-off before processing — and since 1 February 2022, section 58(2) bars proceeding until the Regulator has responded. Clients of screening firms should ask to see the authorisation: an unauthorised screener is itself processing unlawfully, with your candidates’ data.

Frequently asked questions

Can my employees be required to clock in with fingerprints?

Biometric time-and-attendance is processing special personal information, lawful where obtained and used in accordance with the law — proportionate purpose, secure storage, and honest assessment of alternatives. Blanket "consent" from employees is weak (power imbalance); the justification should stand on the system’s necessity.

May I run a criminal record check on a job candidate?

Employer-side vetting is contemplated by section 33(2), which subjects employee checks to labour legislation — relevance to the role is the touchstone. The candidate’s informed participation (they supply fingerprints for an AFISwitch check) is part of obtaining the information in accordance with the law.

Does a background-screening company need the Regulator’s permission?

Processing information about criminal behaviour or unlawful conduct ON BEHALF OF THIRD PARTIES is a section 57(1) prior-authorisation trigger — screening businesses must apply once-off before processing. Credit-reporting processing is a separate trigger in the same section.

Can I check a candidate’s qualifications and credit record?

Qualification verification is ordinary personal information processing on legitimate-interest grounds. Credit checks for employment are restricted by the NCA and labour law to roles where trust with finances is inherent — POPIA rides on top of those restrictions, not instead of them.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Keep reading · Special categories & people

Related guides

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.

Talk to us about POPIAAsk a question on WhatsApp
Back to the POPIA hub