Human Resources functions sit at the epicentre of personal information processing within most organisations. HR handles hiring, contracts, payroll, benefits, performance management, disciplinary proceedings, health and wellness, and offboarding — each of which involves personal information that requires careful governance. In many cases, HR also processes special personal information as defined by POPIA, which requires a higher standard of protection.
What Makes HR Data Different
POPIA defines specific categories of information as “special personal information” that cannot be processed without explicit consent or another specific legal basis. HR departments routinely deal with several of these categories:
- Health information — Sick leave records, medical aid details, incapacity proceedings, accommodation requests
- Trade union membership — Payroll deductions, collective bargaining information
- Criminal record information — Background checks, disciplinary records involving criminal conduct
- Biometric information — Fingerprint access systems, facial recognition time and attendance
- Employment information — While not itself a special category, salary information is commercially sensitive and its exposure creates significant employment relations risk
The Employee Data Lifecycle
Effective HR information governance requires managing personal information across the full employee lifecycle:
- Recruitment: CVs contain personal information. Unsuccessful candidates have rights under POPIA. How long do you retain CV data, and do you tell candidates?
- Onboarding: ID documents, bank details, tax certificates, qualification certificates — all personal information that must be secured.
- Employment: Performance records, disciplinary correspondence, remuneration adjustments, leave records.
- Wellness programmes: Any health or wellbeing data collected requires explicit consent and must be strictly separated from performance and disciplinary records.
- Offboarding: What do you retain and for how long? POPIA requires deletion once the purpose of processing is complete.
Common HR Governance Failures
- Storing sensitive employee information in shared drives accessible to most HR staff (rather than on a need-to-know basis)
- Using personal email to send payslips, employment letters or disciplinary documentation
- Retaining CVs of unsuccessful candidates indefinitely
- Using WhatsApp to communicate HR decisions or share HR documents
- Using AI tools to process disciplinary notes, performance review content or medical information
- No formal agreement with payroll service providers specifying POPIA obligations
- Background check providers not subject to data processing agreements
AI Tools and HR Data: A High-Risk Combination
The use of AI tools in HR is growing rapidly — for drafting job adverts, shortlisting CVs, generating performance review templates, and even analysing team engagement surveys. The POPIA risks are significant:
- Uploading a candidate’s CV to ChatGPT for summarisation — processes personal information without consent for an unintended purpose
- Using AI to analyse an employee’s performance history — may constitute automated profiling, which has specific POPIA implications
- Inputting medical information into any AI tool — high risk, special category information, explicit consent required
HR teams using AI tools need specific guidance, not just a general AI policy. Training should use realistic HR scenarios.
HR Consulting Firms: Additional Obligations
HR consulting firms that process personal information on behalf of client organisations are operators under POPIA. They must:
- Have written data processing agreements with all client organisations
- Process personal information only on documented instructions from the client (responsible party)
- Implement security measures at least equivalent to those required of the client
- Report any data breaches to the client promptly
- Delete or return all personal information at the end of the engagement
Practical Steps for HR Governance
- Conduct a data mapping exercise across all HR processes
- Implement strict access controls — restrict payroll and medical data to staff with a genuine need to know
- Develop a recruitment data retention policy (most practices retain unsuccessful CVs for 6–12 months)
- Review all HR system providers and ensure data processing agreements are in place
- Implement HR-specific training on POPIA and AI tool risks
- Develop an employee privacy notice that clearly explains what personal information is collected and why
- Create a procedure for handling employee subject access requests
Find out where your business stands on this risk.
ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used. A structured assessment gives management the visibility to know, not just assume.
Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.