South Africa’s data protection law is called the ''Protection of Personal Information Act'' 4 of 2013, or ''POPIA''. It came into operation in July 2020 and provides a baseline for workers’ data rights. However, some of these could be improved in line with international best practice through collective bargaining. Throughout this guide, you will be asked to compare the practices in your workplace with your rights as they are protected in POPIA.
You will receive tips and inspiration to support your negotiations for stronger workers’ data rights.
The first section of this tool looks at ''transparency'': what the law says you should know about how your data is being used.
<table>
<tr>
<td>(button:)[[Next!->Transparency]]</td>
</tr>
</table>
(set: $section to "Introduction")<div id=head>''Transparency''</div>
This section of the guide focuses on transparency. It tries to understand whether management has been transparent about the digital tools and systems they are using, the purpose of these tools, and whether workers have been advised of their rights.
Transparency is important because it helps workers to understand how information is being collected about them and how it is used. This empowers workers to exercise control over their information and protect their rights.
<table>
<tr>
<td>(button:)[[Next->Management transparency]]</td>
</tr>
</table>
(set: $section to "Transparency section")In many (but not all) situations, POPIA requires that management tells workers when and how they collect workers' data, and the tools and software they use to collect it.
The sections in the law that regulate this are often called the “Transparency Requirements.”
{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>''TIP'': South Africa’s data protection law, POPIA, includes two sections on transparency: <a href="https://www.workersdatarights.org/popia-section-18/" target="_blank">Section 18</a> and <a href="https://www.workersdatarights.org/popia-section-12/" target="_blank">Section 12</a>. They regulate how information should be collected, and what you should be notified of when information is collected. Take a look at these sections if you aren’t sure.</div> </div> ](modal|} (link-repeat:"ⓘ What are POPIA’s transparency requirements?")[(show:?modal)]
To your knowledge, //has management told workers when and how they collect workers’ data, and if so, what tools and systems they are using?//
<table>
<tr>
<td>(button:)[[Yes->Yes, I am sure it does1]]</td>
<td>(button:)[[No / not sure->Not sure / no1]]</td>
</tr>
</table>
(set: $section to "Transparency section")Hmm. POPIA does have two sections relating to transparency: section 18 and section 12. They regulate how information should be collected, and what you should be notified of when information is collected.
{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>
''ⓘ What are POPIA’s transparency requirements?''
* <a href="https://www.workersdatarights.org/popia-section-18/" target="_blank">Section 18</a> of POPIA lists the type of information that management should tell workers when it collects personal data. This includes things like the reason for collecting the data, whether it is mandatory or voluntary, and where it is being collected from if it’s not directly from a worker.
* If you haven’t been notified of all of this information, you can advise management of their non-compliance with the legal requirements, and agree on where and how this information should be shared so all employees are correctly informed.
* It is important to think about these notification requirements in relation to the legal basis for processing data; more about this requirement can be found in <a href="https://www.workersdatarights.org/popia-section-11/" target="_blank">Section 11</a> of POPIA. If management is relying on consent, have you been provided with sufficient information to ensure that consent was informed? If not, try to negotiate with management to provide the required information and ensure informed consent.
* <a href="https://www.workersdatarights.org/popia-section-12/" target="_blank">Section 12</a> of POPIA requires that information must be collected directly from a worker. But sometimes data is not collected directly: for example, it is collected through the use of a tool, without workers even knowing. POPIA says this indirect collection is only okay in certain instances, such as when the workers have consented to it. Look at section 12 to see how management is complying with these rules. </div> </div> ](modal|} (link-repeat:"ⓘ What are POPIA’s transparency requirements?")[(show:?modal)]
<table>
<tr>
<td>(button:)[[Next->Negotiating]]</td>
</tr>
</table>
(set: $section to "Transparency section")That’s good to hear.
Does the information provided give you a sufficient understanding of why these systems and tools are being used and the data they collect or generate?
<table>
<tr>
<td>(button:)[[Yes->Yes4]]</td>
<td>(button:)[[No->No4]]</td>
</tr>
</table>
{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>''ⓘ How much information is management required to give workers?''<br><br><a href="https://www.workersdatarights.org/popia-section-18/" target="_blank">Section 18</a> of POPIA includes a list of all the information management should tell you when collecting data; these are known as the notification requirements. Take a look at this section here.
It is important to consider these notification requirements alongside the legal basis for collecting and processing data. POPIA requires that management must have a legal basis for processing your data. It recognises a few different reasons as valid legal bases, including:
* Informed consent;
* That the processing is necessary to carry out actions for the conclusion or performance of a contract between the worker and the employer;
* Processing protects a legitimate interest of the data subject.
More of these legal bases can be found in <a href="https://www.workersdatarights.org/popia-section-11/" target="_blank">section 11</a> of POPIA.
<p>Check to see which legal basis management is relying on – if it is consent, check whether consent has actually been provided. Have you signed this in your employment contract? Or has management asked you to sign an addendum? If not, speak to them about this lack of consent. If consent was provided, did management provide enough information about it to ensure consent was informed?
<p>If management introduces a new tool or system that generates and collects workers’ data, ensure they have a legal basis for this too. If you do not have codetermination rights, consider negotiating with management on the right to be consulted on new technologies before they are designed or bought and introduced into the workplace.</div> </div> ](modal|} (link-repeat:"ⓘ How much information is management required to give workers?")[(show:?modal)]
(set: $section to "Transparency section")That is not great! Let’s look at some provisions in POPIA that could assist you in your negotiations with management. POPIA includes two sections on transparency: section 18 and section 12. They regulate how information should be collected, and what you should be notified of when information is collected.
{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>
<p>''ⓘ Transparency provisions in POPIA''</p>
<p>''Section 18'' of POPIA lists the type of information that management should tell workers when it collects personal data. This includes things like the reason for collecting the data, whether it is mandatory or voluntary, and where it is being collected from if it’s not directly from a worker.
<p>If you haven’t been notified of all of this information, you can advise management of their non-compliance with the legal requirements, and agree on where and how this information should be shared so all employees are correctly informed.
<p> It is important to think about these notification requirements in relation to the legal basis or lawful reasons for processing data. More about these justifications for processing data can be found in ''section 11 of POPIA''. If management is relying on consent, have you been provided with sufficient information to ensure that consent was informed?
<p>If not, try to negotiate with management to provide the required information and ensure informed consent.
<p><a href="https://www.workersdatarights.org/popia-section-12/" target="_blank">Section 12</a> requires that information must be collected directly from a worker. But sometimes data is not collected directly: for example, it is collected through the use of a tool, without workers even knowing. POPIA says this indirect collection is only okay in certain instances, such as when the workers have consented to it. Look at section 12 to see how management is complying with these rules.
</div> </div> ](modal|} (link-repeat:"ⓘ Let’s have a look at them again")[(show:?modal)]
Once you have had a chance to consider what POPIA says about transparency, you can approach management to discuss it again.
But there may still be more you can do to map out what kind of data collection is happening in your workplace. We will explore this in the next section.
<table>
<tr>
<td>(button:)[[Next: Mapping data collection->Mapping data collection]]</td>
</tr>
</table>
(set: $section to "Transparency section")Great! You have now completed the section on transparency.
But there may still be more you can do to map out what kind of data collection is happening in your workplace. We will explore this in the next section.
<table>
<tr>
<td>(button:)[[Next: Mapping data collection->Mapping data collection]]</td>
</tr>
</table>
(set: $section to "Transparency section")Keep negotiating with management to ensure they provide you with enough information on all the tools and systems they are using.
You have now finished the section on transparency.
But there may still be more you can do to map out what kind of data collection is happening in your workplace. We will explore this in the next section.
<table>
<tr>
<td>(button:)[[Next: Mapping data collection->Mapping data collection]]</td>
</tr>
</table>
(set: $section to "Transparency section")<div id=head>''Data Protection Impact Assessments''</div>
In this section, we look at how management should evaluate the risks and impacts of processing your data before they deploy systems. This is typically done by conducting data protection impact assessments (“impact assessments” for short).
An impact assessment is a process designed to help identify and minimise the data-protection risks of a project or tool, or the operations of an organisation.
<table>
<tr>
<td>(button:)[[Next->In some countries]]</td>
</tr>
</table>
(set: $section to "section on Data Protection Impact Assessments")In some countries, employers are obliged to conduct an impact assessment before they deploy a new digital technology. In others, employers have no obligation to do so. Click the ⓘ icon below to learn more about approaches in different countries.
{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>''ⓘ How do different countries approach the need for impact assessments?''<br><br>
Different countries take different approaches. For example:
* In the Netherlands, human rights impact assessments are mandatory before any public institutions can make use of an algorithm.
* In the United States, federal government agencies are required to conduct Privacy Impact Assessments (PIA) for all new or substantially changed technologies that collect, maintain, or disseminate personally identifiable information.
* In the European Union, management must conduct assessments before introducing systems that process employee data.
* In South Africa, Information Officers are obliged to conduct an impact assessment to ensure there are adequate measures to comply with POPIA.</div> </div> ](modal|} (link-repeat:"ⓘ How do different countries approach the need for impact assessments?")[(show:?modal)]
Unfortunately, while South Africa’s law //does// require that employers do data protection impact assessments, it does not provide much detail on how these impact assessments should be done.
<table>
<tr>
<td>(button:)[[Learn more->Yes5]]</td>
</tr>
</table>
(set: $section to "section on Data Protection Impact Assessments")Let’s unpack what South Africa’s law does say about data protection impact assessments:
* The obligation to conduct an impact assessment isn’t in the text of POPIA itself. Instead, this requirement was created through regulations{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>A regulation is a rule or law that has been created in terms of another law – in this case POPIA.</div> </div> ](modal|} (link-repeat:"ⓘ")[(show:?modal)] issued in 2018. You can find the regulation <a href="https://inforegulator.org.za/wp-content/uploads/2020/07/20181214-gg42110-rg10897-gon1383-POPIA-Regulations.pdf" target="_blank">here</a>.
* You will see that section 4(1)(b) says that the Information Officer (the person in management responsible for ensuring the employer is compliant with POPIA) must ensure that //“a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.”//
Unfortunately, the regulations do not provide any further detail on how these impact assessments should be done, set any minimum standards to ensure they are meaningful, or require management to consult with workers or union reps before implementing any new system or tool.
<table>
<tr>
<td>(button:)[[Learn more->No6]]</td>
</tr>
</table>
(set: $section to "section on Data Protection Impact Assessments")It’s not good news that South Africa’s law does not require that management consult with workers when assessing or introducing a new system or tool.
But if management does not assess the possible impacts on human rights and workers' rights before deploying new technology, they are being highly irresponsible. Many digital tools and systems have been proven to be harmful to workers. These harms include:
* Bias and discrimination
* Work intensification
* Surveillance and monitoring
* Deskilling
* Loss of autonomy
* Loss of jobs.
Workers and union reps should therefore push for management to consult with them when conducting impact assessments, to ensure that any new technology upholds workers' rights.
{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>''ⓘ Lessons from the GDPR''
<br><br>In the European Union’s data protection law, the GDPR, impact assessments are governed by <a href="https://www.workersdatarights.org/when-dpia/" target="_blank">article 35</a>. You will note that the law explicitly states that if management uses new technologies, they must conduct an impact assessment. It further requires that, where appropriate, they seek the views of data subjects (workers) or their representatives (union reps). <p>It may be useful to refer to these provisions when negotiating with management to consult with you on new technologies. </div> </div> ](modal|} (link-repeat:"ⓘ Lessons from the GDPR")[(show:?modal)]
In the next section, we will explore how workers can //challenge invasive systems//.
<table>
<tr>
<td>(button:)[[Next: Challenging invasive systems->Challenging Invasive Systems]]</td>
</tr>
</table>
(set: $section to "section on Data Protection Impact Assessments")<div id=head>''Challenging invasive systems''</div>
Now that you have thought about all the tools and systems that management has deployed, you may want to negotiate for a ban of any systems that are highly invasive.
As we'll explore, highly invasive systems might be ones that process very sensitive data, such as biometric information. They can be automated systems that have such a great impact on your rights that management, not the systems, should be held liable for their outcomes. Or they could be systems that introduce some other risk to workers’ interests, like the creation of unfair bias.
Let’s find out more about these systems, and which ones you might advocate to ban in your workplace.
<table>
<tr>
<td>(button:)[[Next->If any of these Systems]]</td>
</tr>
</table>
(set: $section to "section on Invasive Systems")Examples of systems that are often highly invasive include:
* Facial recognition
* Emotional recognition
* Systems processing biometric data
* Automated systems aimed at disciplining workers or allocating work or overtime
* Automated systems for creating a pool for redundancy
* Automated systems calculating redundancy pay
If any of these systems are being used by your employer, you may want to negotiate a ban of their use in your workplace. If your employer won’t agree to a ban, you could try to get agreements in place so the employer is held liable and responsible for their use.
These are just some examples: take a broad view of the data collection that the employer is carrying out and its impacts on workers. Look to challenge the tools and systems if you do not feel the balance is acceptable.
<table>
<tr>
<td>(button:)[[Next->South Africa gives data subjects]]</td>
</tr>
</table>
(set: $section to "section on Invasive Systems")In South Africa, POPIA gives workers certain rights that may be useful in your negotiations with management about the use of these systems. Let’s take a look at what the law says:
* <a href="https://www.workersdatarights.org/popia-section-11/" target="_blank">Section 11(3)</a> gives data subjects the right to object to the processing of their data. This means that in certain circumstances, workers have the right to object to the processing of their data by employers.
* <a href="https://www.workersdatarights.org/popia-section-71/" target="_blank">Section 71</a> gives workers the right not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of their information intended to provide a profile of that person. This right may help workers in situations where AI is used to analyse data and profile them. //(We will unpack this right in more detail in the next section, on Automated Decisions.)//
Read the law carefully to understand whether these rights apply in your situation, and use them to advocate against invasive systems.
Now, let’s move on to the section on Automated Decisions.
<table>
<tr>
<td>(button:)[[Next->Automated decision making and profiling]]</td>
</tr>
</table>
(set: $section to "section on Invasive Systems")<div id=head>''Mapping Data Collection''</div>
The previous sections aimed to inform you about your rights and good practices concerning transparency about the tools and systems that are being deployed.
We will now look a little closer at where management gets data from – its sources and categories.
<table>
<tr>
<td>(button:)[[Next->data collection basics]]</td>
</tr>
</table>
(set: $section to "section on Mapping data collection")Do you know what digital tools or systems management is using, and the data categories they are collecting?
<table>
<tr>
<td>(button:)[[Yes, mostly->Yes, mostly]]</td>
<td>(button:)[[No, not fully->No, I am not confident I know it all]]</td>
</tr>
</table>
(set: $section to "section on Mapping data collection")If management is not fully transparent and open about the systems or tools they use and the data they are extracting, a good step is to start mapping the ones you are aware of. Common data-collection systems and digital tools include:
* (Semi)-automated hiring/firing systems (e.g. to vet job candidates or assess workers' performance)
* Scheduling tools
* Workplace sensors
* Productivity/efficiency measurements, including real-time tracking
* Location tracking devices/wearables
* Handheld devices
* Software to monitor your keyboard inputs, browsing activity, or other work-from-home surveillance.
''Are there indications that management is using any of these?'' One option could be to ask management what information they use in employee evaluations and how they collect that information.
{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>''ⓘ Tips for mapping data sources''
* You can use some of the rights given to you in POPIA to access some of this information. (Learn more on the <a href="https://www.workersdatarights.org/your-rights-in-popia/" target="_blank">Know Your Rights page</a>.) POPIA gives workers the right to access information about what information a party has. The Information Regulator has prescribed forms that should be used to make such a request; they can be accessed <a href="https://inforegulator.org.za/wp-content/uploads/2020/07/InfoRegSA-PAIA-Form02-Reg7.pdf">here.</a>
* Read the privacy policy of the system/tool carefully. It will include information about the data sources/categories of data extracted.
* Do an internet search for any articles or other information about the system.
* Consider if there are any logical deductions you could make. For example, an automated hiring system might extract data from a candidate’s CV, or from automated interviews or assessments. (See for example <a href="https://www.hirevue.com/" target="_blank">HireVue</a>.) It also might use third-party data from companies (such as <a href="https://fama.io/" target="_blank">this one</a>) who profile people for recruitment processes.
</div> </div> ](modal|} (link-repeat:"ⓘ Tips for mapping data sources")[(show:?modal)]
<table>
<tr>
<td>(button:)[[Next->Now you know]]</td>
</tr>
</table>
(set: $section to "section on Mapping data collection")<style media="all">
.mobile-display{display:none}
.desktop-display{display:block}
@media (max-width:412px){
.desktop-display {display:none}
.mobile-display {display:block}
}
</style>
Once you have a sense of what digital tools or systems management is using, it’s time to evaluate them and decide whether you agree to the sources and categories of data that each system or tool relies on.
Management typically extracts data in five different ways:
<div class="desktop-display"><table id=table2><tr id=topcell>
<td>👩🏽‍🏭
''1''</td>
<td>🗂️
''2''</td>
<td>🧑🏽‍💻
''3''</td>
<td>🛜
''4''</td>
<td>📟
''5''</td>
</tr>
<tr id=bottomcell><td>Collecting data directly from workers, job candidates, or customers</td>
<td>Buying digital profiles from third parties</td>
<td>Extracting digital traces from computer systems</td>
<td>Using sensors in mobile devices, wearables like smart watches, or other equipment</td>
<td>Computer analysis of audio, video, or other data streams</td>
</tr>
</table>
</div>
<div class="mobile-display"><table id=table2><tr>
<td>👩🏽‍🏭</td>
<td>🗂️</td>
<td>🧑🏽‍💻</td>
<td>🛜</td>
<td>📟</td>
</tr>
<tr><td>Collecting data directly from workers, job candidates, or customers</td>
<td>Buying digital profiles from third parties</td>
<td>Extracting digital traces from computer systems</td>
<td>Using sensors in mobile devices, wearables like smart watches, or other equipment</td>
<td>Computer analysis of audio, video, or other data streams</td>
</tr>
</table>
</div>
<table>
<tr>
<td>(button:)[[Next->categories of data]]</td>
</tr>
</table>
(set: $section to "section on Mapping data collection")Now that you have a better understanding of the types of data collection which may be occurring, let’s move on to the next section, which explores whether your employer should assess how their digital systems might affect workers’ rights, in order to minimise any harm.
<table>
<tr>
<td>(button:)[[Next: Data Protection Impact Assessments->Data Protection Impact Assessments]]</td>
</tr>
</table>
(set: $section to "section on Mapping data collection")<div id=head>''Automated decision-making and profiling''</div>
You have already determined what systems and tools are being used; now we are turning our attention to understanding how and why management uses the data. In this section we look specifically at automated decision-making and profiling.
Let’s jump in.
<table>
<tr>
<td>(button:)[[Next->Automated and Profiling]]</td>
</tr>
</table>
(set: $section to "section on automated decision-making")''Automated decision-making'' is the process of making a decision by automated means – in other words, by using AI to analyse large amounts of information in order to reach an outcome. //Solely// automated decision-making means that the decision was made without any meaningful human involvement.
''Profiling'' is any process to classify a person's personality, behaviour, interests, and habits, usually by analysing any kind of information about them, in order to make predictions or decisions about them. (In the context of digitised workplaces, the effects of profiling can include someone being hired, promoted, disciplined, or fired.)
For workers and unions seeking to ensure diverse and inclusive labour markets, it is important you get to know these terms well, as they are among the biggest data-driven threats to workers’ rights.
Let’s see what POPIA says on this.
<table>
<tr>
<td>(button:)[[Next->POPIA Provides]]</td>
</tr>
</table>
(set: $section to "section on automated decision-making")POPIA provides data subjects with a right against automated decision making and profiling.
* <a href="https://www.workersdatarights.org/popia-section-5/" target="_blank">Section 5(g)</a> of POPIA notes that data subjects have the right //“not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such persons provided for in terms of section 71.”//
* <a href="https://www.workersdatarights.org/popia-section-71/" target="_blank">Section 71</a> provides more detail on the right. It notes: //“a data subject may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of personal information intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.”//
Let’s unpack this right a bit more.
<table>
<tr>
<td>(button:)[[Next->Unfortunately POPIA]]</td>
</tr>
</table>
(set: $section to "section on automated decision-making")To recap, POPIA says a person may not be subject to a decision which //results in legal consequences// or which affects them //to a substantial degree//, based //solely on the automated processing// of personal information intended //to create a profile of them//.
Unfortunately, POPIA does not define or expand on these concepts in more detail, which makes the scope of the right uncertain. Luckily, we can draw on other jurisdictions to get some insight.
''What does this mean?''
A //legal consequence// is something that affects someone’s legal rights.
Something that affects someone //to a substantial degree// is more difficult to define but could include, for example, automatic refusal of an online credit application, automated worker assessments which affect your job prospects, or e-recruiting practices without human intervention.
It is unclear when a decision has been made that is based //solely// on automated processing. For example, if a system makes an automated decision on who to hire, and that decision is confirmed by a human, there has been some human oversight and it could be argued that it wasn't made solely by a machine. However, a human verifying the decision of a machine may be a tick-box exercise in which the person hasn't applied their mind.
Let’s see what we can do about this in the workplace.
<table>
<tr>
<td>(button:)[[Next->Informed]]</td>
</tr>
</table>
(set: $section to "section on automated decision-making")Has management informed employees and prospective employees whether they are subject to significant decisions based solely on automated processing?
<table>
<tr>
<td>(button:)[[Yes->Yes7]]</td>
<td>(button:)[[No->No7]]</td>
</tr>
</table>
(set: $section to "section on automated decision-making")This is not great. Bring the right to the attention of management and ask whether decisions are being made based solely on automated processing.
If they say it doesn’t take place, ask who is responsible for evaluating whether a system’s processing outcomes should be followed. Management must be able to explain who is involved, and how they are qualified and empowered to do more than just 'rubber stamp' automated decisions. If they can’t, the decision-making might be in violation of section 71 of POPIA, and they should stop.
Unfortunately, POPIA doesn’t include a clear obligation on management to notify you when this is happening, which makes it difficult to know if your right is being violated. Compare the right in <a href="https://www.workersdatarights.org/popia-section-71/" target="_blank">section 71</a> of POPIA with the rights in the GDPR to see if you can advocate for greater protection.
Once you are ready, let’s move on to the next section: third-party data access.
<table>
<tr>
<td>(button:)[[Next: Third-party data access->Third party access to data]]</td>
</tr>
</table>
(set: $section to "section on automated decision-making")Good. Check section 71 of POPIA again carefully to ensure that your rights aren’t being undermined.
Once you are ready, let’s move on to the next section: third-party data access.
<table>
<tr>
<td>(button:)[[Next: Third-party data access->Third party access to data]]</td>
</tr>
</table>
(set: $section to "section on automated decision-making")Welcome to our tool for ''Negotiating Data Rights in South African'' workplaces!
It aims to give step-by-step help for workers and union representatives to negotiate for stronger data rights in South African workplaces. For more information about the tool, which was created by <a href="https://www.thewhynotlab.com/" target="_blank">The Why Not Lab</a> and <a href="https://www.altadvisory.africa/" target="_blank">ALT Advisory</a>, click the ''ⓘ'' below.
{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>''ⓘ About this tool''<br><br> This tool consists of 7 sections. Each of them relates to important data protection rights you have, or don't have, as management processes workers’ data. For example, if they are analysing it using AI, using particularly invasive or harmful systems to track workers, or using your personal information in other ways they didn’t tell you about. Each section brings your legal rights to you and offers tips for how to discuss these with management. <p>For further details about the tool and the team that created it, check our <a href="https://www.workersdatarights.org/about/" target="_blank">About page</a>.</div> </div> ](modal|} (link-repeat:"ⓘ About this tool")[(show:?modal)]
When you're ready to get started, click the button below!
<table>
<tr>
<td>(button:)[[Next->Let's begin]]</td>
</tr>
</table>
(set: $section to "Introduction")<div id=head>''Third-party data access''</div>
Before digging into the question of third-party data access, let’s briefly look at why this is important.
One of the largest threats to diverse and inclusive labour markets is the datafication of work and workers. Datafication refers to turning aspects of human life into data. This data can be shared, re-purposed and used in different ways.
{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>''ⓘ Datafication and surveillance capitalism?''<br><br>
Professor Shoshana Zuboff, who wrote the book //The Age of Surveillance Capitalism// (read review <a href="https://blogs.lse.ac.uk/lsereviewofbooks/2019/11/04/book-review-the-age-of-surveillance-capitalism-the-fight-for-the-future-at-the-new-frontier-of-power-by-shoshana-zuboff/" target="_blank">here</a>) is a leading critic of this. She calls for a ban of what she calls “markets in human futures” – the buying and selling of profiles, inferences and datasets that ultimately are profiting from and shaping our lives and career opportunities.</div> </div> ](modal|}[(link-repeat:"ⓘ Datafication and surveillance capitalism?")[(show:?modal)]]
This new market incentivises mass data generation and leads to increased data sharing. One of the problems of sharing data with multiple third parties is that it becomes harder for workers to know and control how their information is being used. There are now more people with access to your data, and third parties are often less accountable to you.
Although there may be valid reasons for employers to share workers’ information with third parties, it is important to have firm agreements between your employer and any eventual third-party data processors to prevent your data from being reused, bundled, sold and traded.
Let’s dive in!
<table>
<tr>
<td>(button:)[[What POPIA says about third parties->POPIA]]</td>
</tr>
</table>(set: $section to "section on third party access") POPIA doesn’t explicitly say that information cannot be shared with a third party. But there are certain rules that apply when sharing information with a third party, and other rules when sharing information with a third party in a foreign country.
Do you have concerns about third-party access to data and want to explore this in more detail?
<table>
<tr>
<td>(button:)[[Yes, tell me more->Yes9]]</td>
<td>(button:)[[No, skip this section->No9]]</td>
</tr>
</table>(set: $section to "section on third party access") Do you know if management shares information with third parties? In other words: have they notified you of this?
<table>
<tr>
<td>(button:)[[Yes->Yes10]]</td>
<td>(button:)[[No->No10]]</td>
</tr>
</table>(set: $section to "section on third party access") Okay. You can skip to the section on further processing.
<table>
<tr>
<td>(button:)[[Next section->Further Processing]]</td>
</tr>
</table>(set: $section to "section on third party access") That is good to hear.
In terms of <a href="https://www.workersdatarights.org/popia-section-18/" target="_blank">section 18</a> of POPIA, the employer must tell workers if any third parties will receive their information, or at the very least, the categories of recipients – for example, auditors.
In terms of POPIA, an employer may use a third party to process information on their behalf. For example, they may use an external service to manage payroll. Such third parties, called ‘Operators’, may only process information if authorised to do so by management, and they have to treat the information as confidential.
Knowing the identity of the third parties makes it easier to find out more about how they are processing information.
<a href="https://www.workersdatarights.org/popia-section-23/" target="_blank">Section 23</a> of POPIA gives workers the right to access information about what information a party has. The Information Regulator{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>The Information Regulator is an independent body that has been established to monitor and enforce compliance with POPIA. It is the body that you can lodge a complaint with if you suspect that your employer is not complying with the requirements in POPIA. The Information Regulator's website provides useful guidance on certain aspects of POPIA, and includes all the prescribed forms you may need in order to lodge a complaint or exercise your rights.</div> </div> ](modal|}(link-repeat:"ⓘ")[(show:?modal)] has prescribed forms that should be used to make such a request, available <a href="https://inforegulator.org.za/complaints/" target="_blank">here</a>.
The next section explores what the law says if the third party is based in a foreign country.
<table>
<tr>
<td>(button:)[[Next->3.3 Foreign transfers]]</td>
</tr>
</table>
(set: $section to "section on third party access") That is not great. Here are a few things that you could do to try to get that information.
1. Ask management or look at the employment contract–it may list the third parties who receive the information, or process it on behalf of the employer. This is particularly likely if they require consent to do so.
2. There may be a few rights you could rely on to obtain the information; these are discussed in more detail below:
a) ''The right of notification:'' In terms of <a href="https://www.workersdatarights.org/popia-section-18/" target="_blank">section 18</a> of POPIA, when they collect information, the employer must notify workers of “the recipient or category of recipients of the information.” If this was not done, you could leverage this right to try to get the employer to disclose this information. This is particularly useful if you are not aware of the identity of the third party, and therefore cannot use your section 23 right of access, unpacked below.
b) ''Access to personal information:'' In terms of <a href="https://www.workersdatarights.org/popia-section-23/" target="_blank">section 23</a> of POPIA a person has the right to request a responsible party (such as the employer, or the third party you think has access to the data) to confirm, free of charge, whether or not they hold personal information about a data subject. If you are aware of the identity of the third party, you can approach them directly and enforce this right. The Information Regulator{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>The Information Regulator is an independent body that has been established to monitor and enforce compliance with POPIA. It is the body that you can lodge a complaint with if you suspect that your employer is not complying with the requirements in POPIA. The Information Regulator's website provides useful guidance on certain aspects of POPIA, and includes all the prescribed forms you may need in order to lodge a complaint or exercise your rights.</div> </div> ](modal|}(link-repeat:"ⓘ")[(show:?modal)] has prescribed forms that should be used to make such a request; they can be accessed <a href="https://inforegulator.org.za/complaints/" target="_blank">here</a>.
Continue through the tool to understand what you can do next.
<table>
<tr>
<td>(button:)[[Next->3.3 Foreign transfers]]</td>
</tr>
</table>
(set: $section to "section on 3.3 Foreign transfers")(set: $section to "section on third party access") Does the employer transfer workers’ data to any third parties in a foreign country?
<table>
<tr>
<td>(button:)[[Yes->Yes11]]</td>
<td>(button:)[[No / Not sure->No / I am not sure11]]</td>
</tr>
</table>(set: $section to "section on third party access") Data may only be transferred to a third party in a foreign country in certain circumstances. These are outlined in <a href="https://www.workersdatarights.org/popia-section-72/" target="_blank">section 72</a>.
Accordingly, management can only transfer it if one of the following applies:
1. ''Consent: ''The data subject consents to the transfer.
2. ''Adequate level of protection: ''the third party is bound to a law, corporate rules, or an agreement that provides an adequate level of protection over the data that upholds the principles for reasonable processing (i.e. the country is bound to protect the data in a similar way as required by POPIA).
3. ''Contractual performance: ''the transfer is necessary to perform a contract concluded between the responsible party and the data subject.
4. ''Contractual performance in the interest of the data subject: ''the transfer is necessary to perform a contract that has been concluded between the responsible party and the third party, but is in the interests of the data subject.
5. ''Benefit to the data subject: ''the transfer is for the benefit of the data subject //and// it is either not reasonably practical to obtain the data subject’s consent //or// it is probable that the data subject would provide their consent.
Do you know if management is relying on one of the above instances to transfer the information?
<table>
<tr>
<td>(button:)[[Yes->Yes12]]</td>
<td>(button:)[[No / Not sure->No / I am not sure12]]</td>
</tr>
</table>(set: $section to "section on third party access") If you don’t know whether information is transferred to a foreign country but you would like to find out, there are a few things that could assist you:
1. You can ask management to disclose this information, including whether some of the digital tools they use store information in a foreign country;
2. You can rely on <a href="https://www.workersdatarights.org/popia-section-18/" target="_blank">section 18</a> of POPIA which requires management to disclose whether they intend to transfer information to a third party in a foreign country, and the level of protection that will be afforded to the information. This should be done at the time of collection, but there are a few exceptions, so look carefully at section 18 to understand if you can rely on it.
3. Management may be relying on workers' consent to transfer the information – check the employment contract to see if this is the case. Remember that in terms of POPIA, consent should be specific and informed, so they should have provided sufficient information on this to ensure that is the case.
Next, you can choose either to find out more about foreign transfers or to proceed to the next section.
<table>
<tr>
<td>(button:)[[Learn more about foreign transfers->Yes11]]</td>
<td>(button:)[[Skip to the next section->Further Processing]]</td>
</tr>
</table>(set: $section to "section on third party access") It’s great that you are aware of the provision that they are relying on to justify the transfer. Below are a few points to consider with regard to their reliance.
In terms of POPIA, consent has to be voluntary, specific and informed. Has management provided enough information about the transfer to inform the consent?
If management is relying on the performance of the employment contract, consider whether the transfer is really necessary for the performance of the contract. If they are relying on a contract between management and a third party, ensure that the contract is in the interest of the data subject.
In South Africa, our Information Regulator hasn’t provided a list of countries that it considers to automatically provide the same level of protection as POPIA. This is important to bear in mind if management says the third party is bound by an instrument that provides the same level of protection as POPIA.
Proceed to the next section to explore whether the data is being used for new purposes.
<table>
<tr>
<td>(button:)[[Next->Further Processing]]</td>
</tr>
</table>
(set: $section to "section on third party access") Oh dear! That’s not great – management should be transparent about this. There are a few sections in POPIA which may help you obtain this information.
1. You can rely on <a href="https://www.workersdatarights.org/popia-section-18/" target="_blank">section 18</a> of POPIA which requires management to disclose whether they intend to transfer information to a third party in a foreign country, and the level of protection that will be afforded to the information. This should be done at the time of collection, so management may be non-compliant with this section. There are a few exceptions, so look carefully at section 18 to understand if you can rely on it.
2. Management may be relying on workers' consent to transfer the information – check the employment contract to see if this is the case. Remember that in terms of POPIA, consent should be specific and informed, so they should have provided sufficient information on this to ensure that is the case.
Continue to the next section that explores instances where data is processed in new ways.
<table>
<tr>
<td>(button:)[[Next->Further Processing]]</td>
</tr>
</table>
(set: $section to "section on third party access") <div id=head>''Further processing''</div>
When someone has collected your data, or when data is transferred to a third party – either in South Africa or a foreign country – they might start using your information in new ways. This is called “further processing”: when someone has collected information for one reason, but then uses it for something else.
This section explores what the law says about further processing, and what you can do about it.
<table>
<tr>
<td>(button:)[[Next->In South Africa]]</td>
</tr>
</table>(set: $section to "section on Further processing") In South Africa, our law requires that information must be collected for a specific, //''explicitly defined''// and lawful purpose that relates to a function or activity of the responsible party (the person or organisation collecting and using the information, i.e. an employer).
This means that an employer has to tell you the purpose for processing information. This requirement is provided in <a href="https://www.workersdatarights.org/popia-section-13/" target="_blank">section 13</a>.
South African law also says that information can’t be further processed for new purposes that are incompatible with the original purpose. This requirement is included in <a href="https://www.workersdatarights.org/popia-section-15/" target="_blank">section 15</a>.
Determining whether the new purpose for processing is compatible with the original purpose depends on the specific situation. As a rule of thumb, if the new processing is unexpected or surprising, it is unlikely to be compatible with the original purpose. In section 15, POPIA lists several factors that should be taken into account when assessing the compatibility of further processing.
POPIA also lists a few instances where further processing will be considered compatible. These are detailed in section 15(3) and include consent.
Do you suspect information is being processed for new, incompatible purposes?
<table>
<tr>
<td>(button:)[[Yes->Yes13]]</td>
<td>(button:)[[No->No13]]</td>
</tr>
</table>
(set: $section to "section on Further processing") Oh dear! If you think data is being processed in new, incompatible ways, it could be challenged. Let’s look at what can be done:
1. You may want to have a discussion with the employer / third party to understand the extent of the further processing and assess it against the compatibility factors in <a href="https://www.workersdatarights.org/popia-section-15/" target="_blank">section 15</a> of POPIA.
2. If you are struggling to understand why the data is being processed, you can rely on <a href="https://www.workersdatarights.org/popia-section-13/" target="_blank">section 13</a> and <a href="https://www.workersdatarights.org/popia-section-18/" target="_blank">section 18</a> of POPIA to ensure the disclosure of this information.
3. If it is clear that the further processing is unlawful, you can bring the employer’s non-compliance with section 15 of POPIA to their attention. This may enable you to negotiate for changes to ensure all further processing is compatible with the original purpose.
4. You can lodge a complaint with the Information Regulator. More information about this process is available on the Information Regulator’s website <a href="https://inforegulator.org.za/complaints/" target="_blank">here</a>.
<table>
<tr>
<td>(button:)[[Finish->Congratulations]]</td>
</tr>
</table>(set: $section to "section on Further processing") That’s good to hear!
<table>
<tr>
<td>(button:)[[Finish->Congratulations]]</td>
</tr>
</table>(set: $section to "section on Further processing") Congratulations! You have now completed this tool. Hopefully it has highlighted entry points for your negotiations with management to strengthen data protection in the workplace.
In solidarity!
(set: $section to "end of the tool") [__________________________________________________________________________________________
This is the $section.
Navigate sections: [[Introduction->Introduction]] | [[Transparency]] | [[Mapping Data Collection->Mapping data collection]] | [[Impact Assessments->Data Protection Impact Assessments]] | [[Invasive Systems->Challenging Invasive Systems]] | [[Automated Decisions->Automated decision making and profiling]] | [[Third Party Access->Third party access to data]] | [[Further Processing]]](replace: ?modalhooks)[{
(css:"
position: fixed;
display:block;
z-index: 1;
left: 0;
top: 0;
width: 100%; /* Full width */
height: 100%; /* Full height */
overflow: auto; /* Enable scroll if needed */
background-color: rgba(0,0,0,0.4);
")[
(css:"
display:block;
margin: 15% auto;
padding: 20px;
width: 80%;
border: 1px solid white;
")|modal>[
(css:"float:right")+(link-repeat:"x")[(replace: ?modalhooks)[]]
]
]
}]|modalhooks>[]
{
<!-- Create a variable to track the position within the $typewriterText string -->
(set: $typewriterPos to 1)
<!-- Create a hook to hold the typed text -->
|typewriterOutput>[]
<!-- Set a delay of 5 milliseconds per loop -->
(live: 5ms)[
<!-- Add the next character to the hook -->
(append: ?typewriterOutput)[(print: $typewriterText's $typewriterPos)]
<!-- Update the position -->
(set: $typewriterPos to it + 1)
<!-- If it's gone past the end, stop -->
(if: $typewriterPos is $typewriterText's length + 1)[
(stop:)
]
]
}
In some cases, it may be clear when data is collected -- for example, when you submit your banking details and basic contact information when you sign an employment contract. In other cases, it is less clear -- for example, when an employer uses a system or tool that generates and collects information. An employer may, for instance, use an automated clock-in system that requires workers to use their fingerprint to access a building. This system enables an employer to collect biometric information (a fingerprint) and information about when an employee enters and exits a building.
<table>
<tr>
<td>(button:)[[Next->Do you feel you now know what]]</td>
</tr>
</table>
(set: $section to "section on Mapping data collection")That’s great! Common data-collection systems and digital tools include:
* (Semi)-automated hiring/firing systems (e.g. to vet job candidates or assess workers' performance)
* Scheduling tools
* Workplace sensors
* Productivity/efficiency measurements, including real-time tracking
* Location tracking devices/wearables
* Handheld devices
* Software to monitor your keyboard inputs, browsing activity, or other work-from-home surveillance.
{[ <div class="modal"> <div class="modal-content"> <span class="close"> {(link-repeat: "x")[(hide: ?modal)]} </span>''ⓘ Tips for mapping data sources''
* You can use some of the rights given to you in POPIA to access some of this information. (Read more on the <a href="https://www.workersdatarights.org/your-rights-in-popia/" target="_blank">Know Your Rights page</a>.) Section 23 of POPIA gives workers the right to access information about what information a party has. The Information Regulator has prescribed forms that should be used to make such a request; they can be accessed <a href="https://inforegulator.org.za/wp-content/uploads/2020/07/InfoRegSA-PAIA-Form02-Reg7.pdf">here.</a>
* Read the privacy policy of the system/tool carefully. It will include information about the data sources/categories of data extracted.
* Do an internet search for any articles or other information about the system.
* Consider if there are any logical deductions you could make. For example, an automated hiring system might extract data from a candidate’s CV, or from automated interviews or assessments. (See for example <a href="https://www.hirevue.com/" target="_blank">HireVue</a>). It also might use third-party data from companies (such as <a href="https://fama.io/" target="_blank">this one</a>) who profile people for recruitment processes. </div> </div> ](modal|} (link-repeat:"ⓘ Tips for mapping data sources")[(show:?modal)]
<table>
<tr>
<td>(button:)[[Next->Now you know]]</td>
</tr>
</table>
(set: $section to "section on Mapping data collection")''Let's dig in''

To explore how management is using workers’ data, you first need to know what data employers have, how they collect it and how they are using it. If you already know this information, keep it at hand as you work through the tool.
If you //don’t// have this information yet, don’t worry: the first two sections – Transparency and Mapping Data Collection – aim to help you get these details. These sections are also useful if you want to confirm whether management has fully complied with the legal requirements relating to transparency and collection.
When you're ready to get started, click the button below!
<table>
<tr>
<td>(button:)[[Next->South Africa]]</td>
</tr>
</table>
(set: $section to "Introduction")
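<script>
// Reports the rendered passage height to the embedding page so it can resize the iframe.
function EmbedTwineUpdateHeight(){
	var passage = document.getElementsByTagName("tw-passage")[0];
	if (passage === undefined){ // SugarCube
		passage = document.getElementById("passages");
	}
	var newHeight = passage.offsetHeight;
	if (newHeight < 500){ newHeight = 500; }
	// The "*" target origin sends this message to whatever page embeds the story.
	// The payload is only a height, so nothing sensitive is exposed; the receiving
	// page should still check event.origin before acting on it.
	window.parent.postMessage(["setHeight", newHeight], "*");
	console.log(newHeight);
}
setTimeout(EmbedTwineUpdateHeight, 50);
</script>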