Employee information: POPIA in the HR file

Payroll, leave, discipline, monitoring — most HR processing rests on contract and legal obligation, not consent.

Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer
Almost nothing in the HR file runs on consent. Employment-contract performance (s 11(1)(b)) and legal obligations — tax, UIF, BCEA record-keeping (s 11(1)(c)) — carry payroll, leave and discipline; the rights-and-obligations gateway carries sick notes; section 29(b) carries employment-equity race data; and section 33 carries vetting and biometrics. Employee “consent” is structurally suspect anyway: a person who needs the job cannot consent freely.

HR purposes mapped to their grounds

HR processing purposes mapped to POPIA lawful grounds
| HR purpose | Ground / gateway |
| --- | --- |
| Payroll, leave, benefits administration | Contract (s 11(1)(b)) + legal obligation (s 11(1)(c) — tax, UIF, BCEA records) |
| Disciplinary records and grievance files | Contract + rights/obligations gateway for any special information (s 27(1)(b)) |
| Sick notes and medical certificates | Rights and obligations in law (s 27(1)(b)); employer health-status laws (s 32(1)(f)) |
| Race and ethnicity for EE / B-BBEE reporting | Section 29(b) — laws protecting or advancing persons disadvantaged by unfair discrimination |
| Biometric clocking / access control | Section 33 — obtained and used in accordance with the law, proportionately |
| References for departing staff | Legitimate interests of the prospective employer (s 11(1)(f)) |

Notice the column that never appears: consent. The architecture is deliberate — employment processing is necessary processing, carried by the contract and the statutes that regulate work.

Workplace monitoring

Email and internet monitoring, vehicle tracking, and workplace cameras can rest on legitimate interests — security, productivity, asset protection — subject to the balancing test and openness: a monitoring policy employees have actually seen. Intercepting the content of communications is a separate statutory world (RICA), with its own consent and business-purpose rules that POPIA does not displace. The reliable pattern: monitor transparently, proportionately, and per a written policy; covert monitoring is exceptional-circumstances territory needing advice.

The employee-data lifecycle

Recruitment: collect what the role decision needs; vetting within section 33 and labour law; tell unsuccessful candidates how long you keep their CVs. Employment: the mapping above, plus a staff privacy notice. Exit: references on legitimate interests, file retention per your schedule, then deletion or de-identification — an ex-employee file kept forever is the commonest retention failure in South African business.

Frequently asked questions

Do employment contracts need a POPIA consent clause?

A consent clause is the wrong instrument — employment processing rests on contract and legal obligation, and a coerced "consent" adds nothing. What the contract should contain is information: a notice of what is processed, why, and the employee’s rights (s 18).

May payslips go to a bond originator or landlord the employee nominated?

Yes — the employee requesting it supplies the purpose, and the recipient is a third party with a legitimate interest. Confirm the request came from the employee; then it is routine disclosure.

How long do we keep ex-employee files?

Per record type: statutory periods (BCEA, tax) plus the prescription window for potential disputes — then delete or de-identify per your retention schedule. "Forever, in a box" fails section 14.

Can employees demand to see their own HR file?

Yes — section 23 access rights apply to employers like anyone else. Third-party information inside the file (a complainant’s statement) may need redaction; the employee’s own information must be produced.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
