SciELO - Scientific Electronic Library Online

 


Potchefstroom Electronic Law Journal (PELJ)

On-line version ISSN 1727-3781

PER vol.19 no.1 Potchefstroom  2016

http://dx.doi.org/10.17159/1727-3781/2016/v19i0a555 

ARTICLES

 

Employers' statutory vicarious liability in terms of the Protection of Personal Information Act

 

 

Daleen Millard (I, *); Eugene Gustav Bascerano (II, **)

I: Daleen Millard and Eugene Gustav Bascerano. dmillard@uj.ac.za
II: University of Johannesburg, South Africa. eugeneb@uj.ac.za

 

 


ABSTRACT

A person whose privacy has been infringed upon through the unlawful, culpable processing of his or her personal information can sue the infringer's employer based on vicarious liability or institute action based on the Protection of Personal Information Act 4 of 2013 (POPI). Section 99(1) of POPI provides a person (a "data subject") whose privacy has been infringed upon with the right to institute a civil action against the responsible party. POPI defines the responsible party as the person who determines the purpose of and means for the processing of the personal information of data subjects. Although POPI does not equate a responsible party to an employer, the term "responsible party" is undoubtedly a synonym for "employer" in this context. By holding an employer accountable for its employees' unlawful processing of a data subject's personal information, POPI creates a form of statutory vicarious liability.
Since the defences available to an employer at common law and developed by case law differ from the statutory defences available to an employer in terms of POPI, it is necessary to compare the impact this new statute has on employers. From a risk perspective, employers must be aware of the serious implications of POPI. The question that arises is whether the Act perhaps takes matters too far.
This article takes a critical look at the statutory defences available to an employer in vindication of a vicarious liability action brought by a data subject in terms of section 99(1) of POPI. It compares the defences found in section 99(2) of POPI and the common-law defences available to an employer fending off a delictual claim founded on the doctrine of vicarious liability. To support the argument that the statutory vicarious liability created by POPI is too harsh, the defences contained in section 99(2) of POPI are further analogised with those available to an employer in terms of section 60(4) of the Employment Equity Act 55 of 1998 (EEA) and other comparable foreign data protection statutes.

Keywords: Vicarious liability; Protection of Personal Information Act; defences; comparison with Employment Equity Act; United Kingdom's Data Protection Act of 1998; New Zealand's Privacy Act 28 of 1993; Australian Privacy Act 119 of 1988


 

 

1 Introduction

No good deed goes unpunished.1

The common-law doctrine of vicarious liability, in terms of which an employer is held accountable for the wrongful acts or omissions committed by an employee, is controversial and much-discussed.2 The same holds true for employers' statutory vicarious liability.3 However, one area of vicarious liability which remains available for deliberation is the statutory vicarious liability in terms of the Protection of Personal Information Act 4 of 2013 (POPI).4

The purpose of POPI is inter alia to promote the protection of data subjects' personal information.5 Moreover, POPI aims to provide data subjects with some degree of control over their personal information,6 thereby giving effect to the constitutional right to privacy.7 To ensure the safeguarding of data subjects' personal information held by so-called responsible parties, personal information must be processed in a responsible and lawful manner.8 POPI also provides data subjects with rights and remedies to protect their personal information from unlawful and irresponsible processing.9 Where a responsible party fails to process personal information in a lawful manner (in other words, in accordance with POPI), it may face the sanctions created by POPI to promote compliance.10

Inevitably, in any organisation that consists of an employer and employees, the employer will be held liable for contraventions of POPI by its employees, because POPI regards the employer as the responsible party.11 Therefore, where an aggrieved party would traditionally have sued the employer for the infringement of privacy based on the common-law vicarious liability doctrine, there is now also the possibility to litigate based on the stipulations of POPI.12 In terms of section 99(1) of POPI, the data subject may institute civil action against an employer as the responsible party. Section 99(2) in turn lists the very limited defences which an employer may raise against an action brought in terms of section 99(1).

From a risk perspective, an employer as the responsible party is extremely vulnerable, and this article argues that the defences envisaged by section 99(2) are too limited. In order to prove this point, this article contrasts the defences listed in section 99(2) of POPI with the defences to vicarious liability claims in three other contexts, namely the common-law defences to vicarious liability, the defence created in terms of section 60(4) of the Employment Equity Act 55 of 1998 (EEA), and the defences provided for in foreign data protection statutes.13 It is necessary to juxtapose the common-law defences to vicarious liability with the defences available to an employer in terms of POPI, because a data subject may elect to base his or her claim against an employer either on the common law or on POPI. The reason for the comparison is to illustrate that an employer may, in certain circumstances, escape liability for the delicts committed by its employee, while the limited defences available to an employer in terms of section 99(2) of POPI would make this virtually impossible.

The article compares section 99 of POPI to section 60 of the EEA as both sections regulate the statutory vicarious liability of employers and outline possible defences. At the outset it can be said that there is a significant difference between the two statutes insofar as the EEA contains a mechanism for the employer to escape liability, which is not found in POPI. This is contained in section 60(4) of the EEA, which determines that an employer will not be held vicariously liable for the conduct of its employees if the employer is able to prove that it did all that was reasonably practicable to ensure that the employee would not act in contravention of the EEA. The fact that POPI does not contain a similar provision demonstrates that the accountability of the employer is too severe in the case of POPI.

The comparative study uses foreign data protection statutes that contain a defence akin to that found in the EEA. In terms of these, an employer will be able to escape liability if the employer is able to show that it proactively took such steps as were necessary and practically achievable to prevent employees from contravening the law. It is therefore surprising that POPI does not contain a similar defence, since POPI's provisions are to a large extent a replica of the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.14 This naturally raises the question of whether the failure by the legislature to include a similar defence was intentional or simply a laxity.

To highlight the problems with POPI, this article uses an illustrative case to show the practical application of strict liability.15

 

2 The concept of privacy

2.1 Introduction

The concept of privacy lies at the very heart of this discussion.16 Privacy has been defined as the right to be forgotten,17 the right to keep personal information private,18 and the right to be free from intrusions and interference in one's personal life.19 Neethling defines the concept of privacy as follows:

Privacy is a human (or corporate) sphere of seclusion from the public, embracing all those personal facts or information which the person concerned has excluded from the knowledge of others and with regard to which he has the will that they be kept private.20

Privacy evidently encompasses the right to determine the destiny of personal facts21 and the right not to have personal facts disclosed unlawfully.22 All persons have a fundamental need for some degree of privacy.23 A lack of privacy, or an infringement of privacy, may have negative effects on a person, whether mentally or otherwise.24 Therefore individuals have an interest in the protection of their privacy.25

2.2 The common-law right to privacy

Privacy is protected by the common-law principles of the law of delict.26 Here, a delict would be "an intentional and wrongful interference with another's right to seclusion in his [or her] private life".27 In O'Keeffe v Argus Printing and Publishing Co Ltd28 the court recognised the right to privacy as an independent right of personality worthy of being protected.29 But how to determine which information about a person is private in nature?30 It is up to each person to determine for himself or herself which information about himself or herself is to be excluded from the knowledge of others.31 Before the enactment of POPI, scholars held that information privacy was a sub-category of the right to privacy.32

A person may inhibit access to his or her personal information and may prevent others from disclosing such personal information to third parties.33 The right to privacy may be enforced by the actio iniuriarum, the actio legis Aquiliae or an interdict.34 The actio iniuriarum is used to claim satisfaction for the wrongful, intentional interference with the right to privacy, whereas the actio legis Aquiliae is used to claim patrimonial loss occasioned by the wrongful and negligent infringement upon privacy.35 To prevent an imminent interference with one's privacy, or to avert an on-going wrongful infringement, the aggrieved party may obtain an interdict against the offender.36

2.3 The constitutional right to privacy

The common law right to privacy is reinforced by section 14 of the Constitution of the Republic of South Africa, 1996.37 Public policy and society's convictions and beliefs that everyone is entitled to his or her privacy are deeply rooted in the Constitution and the values that underlie it.38 Common law, insofar as it is reflected in public policy, is determined by constitutional values.39 Despite the fact that the Constitution reinforced the common-law right to privacy, traditional remedies afford only limited protection for an individual's personal information because they do not provide the data subject with active control over his or her personal information.40 Roos points out that the common-law principles cannot ensure, for example, that the data subject receives notification of the fact that his or her personal information has been collected or is being processed, or that he or she has the right to access the information, or that he or she has the right to update and correct incorrect information.41

Prior to POPI, the Law Reform Commission deliberated whether data-protection measures ought to be legislated or whether the regulation of the right to privacy should be developed by the courts.42 Four fundamental reasons spurred the Commission to enact POPI. Firstly, the conservatism of the courts, their aversion to developing and adapting the common law, and the infrequency of case law relating to privacy infringement meant that the development of the common law and the right to privacy would occur only incrementally. Secondly, drastic law reform can be best achieved not through the judiciary but through the legislature. Thirdly, many countries, especially European countries, possess adequate data-protection legislation. And fourthly, the common law does not make provision for the cross-border flow of personal information.43

Privacy has therefore always been respected and entrenched in South African law. In addition, the Constitution places a duty on the legislature to create legislation that protects personal data.44 Personal data, as a specific aspect of privacy, is now protected by POPI.

 

3 The Protection of Personal Information Act (POPI)

3.1 The purpose of POPI

As was indicated in paragraph 2.3, the Constitution affords everyone the right to privacy.45 POPI's preamble recognises that section 14 of the Constitution provides that everyone has the right to privacy. Each person's right to control access to and the use of his or her private information conforms with the objective of POPI to promote the protection of data subjects' personal information when it is processed by other parties and to provide data subjects with some degree of control over their private and personal information.46 The right to privacy includes the data subject's right to have his or her personal information processed in a lawful manner.47 The notion that information privacy is a sub-category of the right to privacy is echoed in the definition of personal information as contained in section 1 of POPI, which determines that personal information means any information relating to an identifiable, living, natural person.48

POPI's preamble states further that POPI's purpose is "to promote the protection of personal information processed by public and private bodies" while, according to section 2 of POPI, the purpose thereof is, inter alia, to (i) "give effect to the constitutional right to privacy, by safeguarding personal information"; (ii) "balancing the right to privacy against other rights, particularly the right to access information"; (iii) "regulate the manner in which personal information may be processed"; and (iv) "provide persons with rights and remedies" if POPI is contravened.

3.2 Responsibility for compliance

The first condition for lawful processing determines that the responsible party must ensure that the conditions, and all the measures that give effect to such conditions, are complied with.49 POPI specifically assigns accountability for lawful data processing to the employer (as the responsible party)50 and holds an employer accountable for non-compliance with POPI.51 It is thus the duty of the employer, as the responsible party, to ensure compliance with POPI.

Remember, although POPI does not directly refer to the responsible party as an employer, POPI does provide sufficient clues which allow the reader to arrive at this logical and inferential conclusion, such as the definition of responsible party.52 POPI defines a responsible party as

... a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.53

In other words, the responsible party is the person who requires personal information of data subjects for a specific purpose and who determines how such personal information will be processed.

In order to bring across a pivotal point upon which this article turns, it is reasonable to surmise that the responsible party to whom POPI refers will be an employer, since it is usually the employer who determines the reason for the processing of personal information. The decision-making authority associated with the responsible party's right to determine the purpose of and means for processing points to the authority which is inherent in the position of an employer.54 Furthermore, section 3(1)(a) determines that POPI "applies to the processing of personal information entered into a record by or for a responsible party". Employers would be more inclined to keep records of personal information and may even be obliged by law to do so.55 Therefore it is apparent, or at least conceivable, that in most instances the responsible party will be an employer.56 Personal information processed by individuals for personal reasons or for household activity57 and which does not form part of the responsible party's records or filing system58 is excluded from the ambit of POPI. Finally, the said accountability condition, which holds the responsible party accountable and responsible for compliance with POPI, strengthens this argument.59 This familiar concept, in terms of which the accountability ultimately falls on the shoulders of the employer, is known as the doctrine of vicarious liability. By ascribing accountability to the employer, POPI creates a form of strict liability.60 Moreover, POPI permits an affected data subject to institute a civil claim against the responsible party.61

3.3 Lawful processing of personal information

Personal information must be processed lawfully and reasonably so as not to infringe upon the privacy of a data subject.62 To this end, POPI requires that certain conditions or minimum requirements must be met.63 POPI also stipulates various sanctions, notably penalties,64 administrative fines,65 and civil remedies.66

Section 73 of POPI specifically deals with interference with the protection of the personal information of a data subject and determines, among other things, that a breach of the conditions for the lawful processing of personal information will constitute a violation of a data subject's right to privacy. Failure to comply with the conditions of lawful processing will thus render the processing of personal information unlawful, thus providing the aggrieved data subject with a civil action for damages against a responsible party.67

3.4 Security safeguards

POPI forces the employer to secure the integrity and confidentiality of the personal information in its possession and under its control by taking appropriate, reasonable technical and organisational measures to prevent the loss of, damage to, or unauthorised destruction of personal information or the unlawful access to or processing of personal information.68 This exercise is intended to be cyclical as opposed to once-off.69 The duty to establish and maintain sufficient security safeguards entails more than just technical and technological measures. It includes the duty to educate staff and others who are responsible for the day-to-day processing of personal information on behalf of their employer.70 Deciding on what is appropriate and reasonable is, however, dubious and dependent on the size and nature of the organisation.71

3.5 Remarks

Unfortunately, no security safeguard can ever be perfect.72 An employer may, for example, implement stringent security safeguards, constantly train its staff and implement compulsory security policies but still find itself accountable for the deliberate and obstructive breach of POPI by a mischievous or careless employee. Although the employer will be able to argue that it complied with its duty to implement appropriate and reasonable security safeguards as required by section 19 of POPI, it appears as if this will not protect an employer against a civil action brought by a data subject whose privacy had been unlawfully infringed upon, for the reason that section 99(2) does not list it as a distinct and separate defence. Despite the statutory defences available to the employer, no provision is made in POPI for the employer to avert the statutory vicarious liability in cases where the employer has made every effort to entice its employees to comply with POPI.73 The fact that an employer has discharged the onus placed on it by section 19 may perhaps be taken into account by the court as mitigating circumstances when determining a just and equitable amount as damages.74 The next paragraph illustrates the deficiencies in POPI and shows that it leaves employees in an unenviable position.

 

4 Illustrative case study: setting the scene

4.1 Introduction

For the purpose of argument the following fictional scenario will be used. The facts of this fictional case study will be applied to the common law, contrasted with the EEA, and compared to foreign data-protection statutes to illustrate the glaring inadequacy of the statutory defences available to the employer when faced with a civil claim brought by a data subject in relation to an infringement caused by an employee in contravention of POPI.

Consider the following: Mrs A is an administrative assistant at a university. She processes personal information on students, such as grades, subjects and modules passed, etc. Since the inception of the first draft of the Protection of Personal Information Bill the university has proactively educated its employees on the impact of the pending Act, and in particular, the conditions for lawful processing and the general prohibition against the processing of personal information that does not comply with these conditions. Ever since, the university has been committed to complying with POPI. Efforts included frequently conducting educational and informative workshops, circulating newsletters and emailing circulars containing tips, instructions and guidelines on compliance. The employer also prepared a policy and a standard operating procedure setting out the institution's formal stance in relation to the lawful collection, processing, storage, retention and destruction of students' personal information. Moreover, the employer conducts thorough, continuous training of all employees. Despite Mrs A's familiarity with POPI, her employer's policy and standard operating procedure, and notwithstanding her training and her having frequent sight of an aide-mémoire of the level of compliance required of her, she is induced by a third party, company B, to divulge to it the academic records and contact details of the university's top students. One evening, while attending to her personal emails at home, she decides to accept company B's hefty bribe. The affected students consequently receive unsolicited calls and emails from company B, which mentions to the students that it received their information from a university employee. One particular student is outraged at the flagrant infringement upon her privacy and decides to institute action against the university.

The dissemination of the students' personal information by Mrs A to company B is in flagrant contravention of POPI and does not constitute lawful processing, as several conditions for the lawful processing of personal information have been contravened.

4.2 Consent and justification

Neither the student nor a competent person acting in the interest of the student provided the consent required for Mrs A to disclose the student's academic record to company B.75 Consent is defined in POPI as the "voluntary, specific, informed expression of will in terms of which permission is given for the processing of personal information".76 The definition implies that the student's prior consent should have been obtained for the purpose of divulging her information to company B. It further entails that the student, in order to provide such specific consent, should have been duly informed of the purpose for which Mrs A intended to process it. The processing of the student's personal information was not necessary to carry out actions for the conclusion or performance of a contract between the university and the student,77 neither was it necessary to comply with an obligation imposed by law.78 The processing was also not done in order to protect a legitimate interest of the student,79 the university or company B.80 Finally, the processing was not necessary for the performance of a public law duty.81

4.3 Compatibility with the function or activity of the employer

Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.82 "Explicit" is defined as "stated clearly and in detail, leaving no room for confusion or doubt".83 Assuming that the university clearly informed the student of the purposes for which her academic record will be used (ie to confer a degree), the purpose for which Mrs A processed the student's personal information was completely removed from any function or activity of the university.

4.4 Compatibility of further processing with the original purpose

"Further processing" involves the secondary processing of personal information for reasons other than the original purpose for which it was collected, but which nonetheless are related to the original purpose. It must therefore be in accordance or compatible with the purpose for which it was originally collected.84 Section 15(2) provides five factors which must be considered to determine whether further processing is compatible with the original purpose for which the personal information was obtained and collected. These are:

(i) the relationship between the new processing activity and the original activity;

(ii) the nature of the personal information concerned;

(iii) the consequences of the new processing activity;

(iv) the way in which the personal information was collected; and

(v) the contractual rights and obligations between the parties.

The purpose for which the personal information of the students was used by Mrs A is not compatible with the purpose for which it was originally collected by the university.85

4.5 Authorisation

Section 20 of POPI determines that:

... anyone processing personal information on behalf of a responsible party... must-

(a) process such information only with the knowledge or authorisation of the responsible party; and

(b) treat personal information which comes to their knowledge as confidential and must not disclose it,

unless required by law or in the course of the proper performance of their duties.

Authorisation by the employer differs from consent by the data subject and forms part of the employer's duty to implement sufficient security safeguards to secure the integrity and confidentiality of personal information.86 Only employees who are duly authorised by their employers to do so may process personal information on behalf of their employers. They should process personal information confidentially and only for official purposes.87

4.6 Remarks

Mrs A clearly contravened section 20. Her employer neither authorised the dissemination of the students' personal information to the company nor had any knowledge of its being disclosed to company B. Mrs A deliberately disregarded the obligation to treat the information as confidential.

 

5 Common law action

5.1 Introduction

The common-law notions of privacy have not become redundant.88 The student whose right to privacy has been infringed may either base her claim against the university on her common-law right to privacy or on her statutory right as confirmed by POPI. This is evident from two cases which dealt with sexual harassment in the workplace, and although POPI is not concerned with the issue of sexual harassment the principle that a complainant has "two roads" to an employer's vicarious liability (one in terms of the common-law vicarious liability for delicts committed by an employee and the other in terms of section 99 of POPI) is evident from the Grobler v Naspers and Ntsabo v Real Security CC cases.89 In Grobler90 the claim against the employer was based on the common-law doctrine of vicarious liability while in Ntsabo91 the claim was based on the statutory vehicle which provided for the statutory liability of the employer for wrongful dismissal.92

At common law, a party who suffers damage can claim only against the perpetrator and only if he or she can prove a wilful or negligent wrongful act or omission on the part of the perpetrator that is causally linked to the damage or personal injury. One exception to this rule is found in the doctrine of vicarious liability, in terms of which a third party is held accountable for the delicts committed by another.93 The party who suffers damage or injury need not prove that the employer acted wilfully or negligently.94 For this reason the employer's vicarious liability for the wrongs committed by its employees is regarded as strict liability since the employer cannot be said to be the perpetrator whose actions or omissions caused the damage complained of.95 There is also no causal link between the damages suffered and the actions or omissions of the employer. Consequently, both the employee and the employer are held liable, although only the employee might have been at fault and although the employer was entirely removed from the event.96

5.2 Vicarious liability and the deviation cases

The doctrine of vicarious liability, in its modern form, is motivated by considerations of public policy.97 Public policy demands that a person whose rights have been wrongfully infringed upon should not be left without a claim.98 Since employers, through their activities, not only create the risk of harm to others but also enjoy the profits resulting from the labour of their employees, employers should be held liable for the wrongful acts of their employees.99 For an employer to be held vicariously liable for the wrongful acts of its employees, certain requirements have to be satisfied, namely:100

(i) the existence of an employer-employee relationship;101

(ii) the commission of a delict by the employee;102 and

(iii) the fact that the employee acted within the scope and course of his or her employment.103

Whether or not the employee acted within the scope and course of his or her employment has been the most contentious and at times most difficult question to answer.104 An abundance of cases has illustrated the conundrum of differentiating between acts falling within or outside of the employees' course and scope of employment.105 No hard and fast rule exists.106 Generally speaking, employees act within the scope and course of their employment when they carry out instructions authorised by their employer, even when they perform the instructions in an unlawful manner.107 The problem occurs when employees do things that are contrary to, or deviate from, the tasks for which they were appointed. The true challenge in the correct application of the doctrine of vicarious liability is evident in the deviation cases.108 Despite criticism, the courts have recognised the possibility that one act may fall both within and without the course and scope of an employee's employment.109 In Feldman (Pty) Ltd v Mall the court held that the employer "may or may not, according to the circumstances, be liable for harm which [its employee] causes to third parties."110 The court made a clear distinction between deviations that would amount to the employer's liability and deviations that would not.111

In Minister of Police v Rabie112 the court applied the so-called standard test, which consists of a subjective and objective enquiry. The subjective enquiry considers the employee's intentions while the objective enquiry considers whether or not there is a sufficiently close link between the employee's independent acts for his or her own interests and purposes and the business of the employer.113 The employer will be held accountable for the unauthorised deeds of its employees provided that there is a sufficiently close link between the unauthorised deeds and the authorised deeds.114

5.2.1 The disobedient employee

An employee who acts in defiance of an express instruction acts outside of the course and scope of his or her duties.115 In Bezuidenhout v Eskom116 the court held that the employer was not liable where the employee, in the negligent performance of his tasks, caused severe injuries to another because the employee ignored express instructions. In this case the employee was employed to carry out repairs to electrical equipment. To enable him to perform his duties he was supplied with the use of a truck. The truck was clearly marked as the property of Eskom. The employee was expressly prohibited from giving lifts to anyone without permission from his superiors but he did exactly this and then caused a collision during which his passenger sustained severe injuries. In reaching its decision that Eskom was not liable the court relied on the dictum in SA Railways & Harbours v Marais117 that an instruction not to give lifts to passengers limits the scope of employment vis-à-vis the employer. Also, the subjective state of mind of the employee, in addition to the absence of an objective link between the employee's interests and that of the employer, could indicate that the employee's deed which caused the damage fell outside of the scope of his or her employment.118 Moreover, the court considered that the passenger was fully aware that the driver of the vehicle was prohibited from giving lifts to passengers and noted that where subsequent negligence in completing tasks within the course and scope of the duties causes damage to a passenger who has associated himself or herself with an action taken in defiance of an express instruction, the employer will not be held liable.

5.2.2 Frolic of his or her own

Employers often attempt to escape vicarious liability by alleging that the offending employee was on a frolic of his or her own.119 If the employee was engaged in a frolic of his or her own or did something which he or she was prohibited from doing for the purposes of employment, but which he or she may have been permitted to do for his or her own personal purposes, the employer will not be liable120 unless the act was incidental to the employment.121

The problem cases relate to cases where the employee made use of the employer's equipment or property, but for the advancement of his or her own interests.122 In Ess Kay Electronics (Pty) Ltd v First National Bank of Southern Africa Ltd123 the bank was found not liable where an employee unlawfully appropriated bank drafts for himself. The court found that the employee exploited his position and opportunities to promote his own interests and "has also completely disengaged himself from the duties of his contract of employment ...".124

Equally, in Absa Bank v Bond Equipment Pretoria (Pty) Ltd125 an employee paid cheques payable to his employer into a cheque account of his own. Despite the fact that it was the duty of the employee to collect and deposit cheques on behalf of his employer, the court found that the stealing of cheques could not be said to form part of his duties. The employee went on a frolic of his own in order to promote his own interests.126 In Costa da Oura Restaurant (Pty) Ltd t/a Umdloti Bush Tavern v Reddy127 the SCA held that the employer was not liable where the employee, a barman, assaulted and injured a patron outside the employer's establishment. The employee was specifically required to treat customers with courtesy and respect and to refrain from getting involved in any incidents. Furthermore, the employee followed the patron outside the establishment after a disagreement had occurred. Although the assault was provoked by a disagreement which took place inside the workplace and while the employee was performing his duties, the court held that:

[the assault] was a personal act of aggression done neither in furtherance of the employer's interests, nor under the express or implied authority, nor as an incident to or in consequence of anything [the employee] was employed to do.128

In K v Minister of Safety and Security129 the applicant was brutally raped by three uniformed policemen. The Constitutional Court found that the doctrine of vicarious liability and its application conformed to constitutional norms and the state was held to be vicariously liable for the unlawful acts of rape by the policemen. Subjectively seen, the policemen pursued their own interests but, objectively seen, their actions were sufficiently closely linked to their employment because members of the public are likely to trust policemen with their safety.

In F v Minister of Safety and Security130 a police officer on standby duty assaulted and raped a young woman.131 The Constitutional Court applied the two-pronged test as in K above, and found that the actions of the police officer were sufficiently closely linked to the operations of the South African Police Service (SAPS).132 On this basis the majority of the Constitutional Court held that the SAPS was vicariously liable for the delicts of the police officer despite the fact that the police officer pursued his own selfish interests and despite the fact that he was on standby duty at the time of the commission of the delict.133

5.3 Remarks

In determining whether the employee acted within or without the course and scope of employment, the subjective intention of the employee is of relevance.134 If, however, objectively seen, there is a sufficiently close link between the employee's conduct and the employer's business, the employer may nevertheless be held liable even though the unlawful act may have been committed solely for the employee's own personal interests and purposes.135 Or, theoretically, the employer should be able to escape liability if the employee, subjectively viewed, promoted only his or her own interests and, objectively viewed, entirely disengaged himself from his or her contractual duties.136

To return to the case study: Mrs A's subjective intentions were completely divorced from her employment duties at the time of the breach and she acted solely for the purpose of personal benefit and gain.137 The actions of Mrs A could be described as deliberate, self-directed, disobedient behaviour, and as a frolic of her own. At common law her employer could be held vicariously liable for her actions although they were committed outside of Mrs A's normal scope of duties since they could potentially be sufficiently linked to her employment.138

However, in K v Minister of Safety and Security the court held that vicarious liability serves two functions, namely "affording claimants efficacious remedies for harm suffered" and to "incite employers to take active steps" to ensure that employees do not cause harm to others.139 This second function presupposes that an employer who is able to prove that it did in fact take proactive measures to motivate and incite its employees to act properly and honourably should be able to escape a claim based on vicarious liability. If there were no vicarious liability, employers would not be encouraged to minimise risks created in the course of business.

Vicarious liability therefore incites employers to take proactive steps to ensure that their employees refrain from infringing the rights of others. An employer should therefore be able to escape liability if it proactively promoted and demanded the lawful processing of personal information.140 Furthermore, if the employer is able to prove that Mrs A ignored an express instruction141 not to breach the conditions of lawful processing, and that her actions were of a personal nature committed solely in her own interests, done neither in the furtherance of the employer's interests nor under express or implied authority nor incidental to nor in consequence of anything Mrs A was employed to do,142 the university should be able to effectively defend a common-law claim of vicarious liability. As stated in Minister of Police v Rabie:

[A]n employer cannot be held liable if his employee performed an independent act, or acted for a purpose personal to the employee, or was motivated entirely by personal reasons such as spite or malice.143

Apart from disproving the elements of a delict, the employer may, at common law, offer the following defences to a claim founded on vicarious liability:

(i) that its employee deliberately defied an express instruction and acted outside the course and scope of his duties;144 or

(ii) that the employee deliberately committed a dishonest act solely for the employee's own interests and purposes and such self-directed conduct is not sufficiently linked to the employer's business, thus falling outside the ambit of conduct that renders the employer liable;145 or

(iii) that the employee abandoned his or her work and engaged in a frolic of his or her own, doing something that he or she was not permitted to do for the employer.146

 

6 Action based on POPI

6.1 Introduction

As stated before, POPI provides data subjects with rights and remedies to protect their personal information from processing that is unlawful.147 Although POPI does not constitute labour legislation, it has far-reaching consequences for responsible parties who are employers, and just as certain labour legislation such as the Employment Equity Act (EEA)148 and the Occupational Health and Safety Act (OHSA)149 creates strict liability on the part of employers, so too does POPI create strict liability on the part of the responsible party who is an employer.150 By ascribing accountability to the employer POPI creates a form of statutory vicarious liability. This is so because section 99(1) of POPI, which deals with civil remedies, determines that a civil action for damages may be instituted against the responsible party whether or not there is intent or negligence on the part of the responsible party. The employer must ensure that its employees comply with POPI and failure by its employees to comply will render the employer accountable.

Unless a data subject consents thereto, the selling of personal information is unlawful. Both the seller and the buyer of the personal information will be in breach of POPI: the seller for failing to obtain the data subject's express prior consent151 and the buyer for failing to collect the information from the data subject directly152 (and for failing to obtain the data subject's express prior consent). Where the responsible party is an employer, the situation may arise where, despite such employer's efforts to educate its staff in relation to the requirements of POPI and despite its attempts to regulate the lawful processing of personal information by way of policies, regulations, codes or standard operating procedures, it could still nevertheless face civil action where an employee wrongfully and culpably interferes with or infringes upon a data subject's right to privacy. In casu the student may elect to institute a civil action in terms of section 99 of POPI against the university on the ground that Mrs A, who is an employee of the university, unlawfully sold her personal information to company B. Any breach of POPI or any unlawful interference with a data subject's privacy will result in the employer being held accountable. According to Neethling:

... this principle is really-self-evident and in line with the common law position that the person processing personal data can be ... held liable - and thus accountable - for the wrongful infringement of privacy... .153

It is therefore clear that POPI creates a form of statutory vicarious liability on the part of an employer in respect of contraventions of POPI by its employees.

The responsible party must ensure that the conditions for the lawful processing of personal information and all the measures that give effect to such conditions are complied with at the time of the determination of the purpose and means of the processing and during the processing itself. Any unlawful interference with a data subject's privacy will render the employer, as the responsible party, civilly liable for the acts of its employees.154 The defences that the employer may raise are set out in section 99(2)(a) to (d) of POPI:

(2) In the event of a breach the responsible party may raise any of the following defences against an action for damages:

(a) Vis major;

(b) consent of the plaintiff;

(c) compliance was not reasonably practicable in the circumstances of the particular case; or

(d) the Regulator has granted an exemption... .

Applied to the case study, the defences contained in section 99(2) would not enable the employer to escape liability. The disclosure of the student's personal information by Mrs A could hardly be regarded as an act of God.155 It is also clear that the student never gave permission for her academic records to be disclosed to random third parties with whom she has no relations.156 It could neither be said that compliance was not reasonably practicable nor that the Regulator granted an exemption.157 Apart from the above defences, the employer will be unable to avert a claim for damages brought by a data subject whose privacy has been infringed by the said employer's employee. To the employer's detriment, POPI does not recognise good deeds, intentions or aspirations as defences to a civil claim brought in terms of section 99.

6.2 Comparison with analogous statutes: POPI defences inadequate

An employer who took reasonable proactive precautions to avoid non-compliance with POPI by its employees should be able to escape liability. Neethling agrees with this contention when he states that:

... the wrongfulness of [an employer's] processing should be set aside if he took all reasonable steps to comply with the data protection principles.158

There are in fact several other domestic statutes that determine that an employer who otherwise would have been held vicariously liable could escape liability by proving that it took reasonable steps to prevent a contravention of such statutes.159 It is the absence of the employer's effort to anticipate and prevent contravention of a statute that creates the employer's liability.160 Conversely then, it follows that an employer who constantly and proactively strives to eliminate infringement upon legislation should be able to escape liability.

As alluded to earlier, comparable data protection laws of other jurisdictions contain similar provisions which allow an employer to avoid liability by proving that it took reasonable steps to prevent the contravention of such statutes. The fact that other domestic and foreign statutes make provision for such a defence while POPI does not supports the view that the liability created by POPI is too harsh and practically inescapable.

6.2.1 South African legislation

Both the EEA and the OHSA are examples of statutes that create vicarious liability on the part of an indifferent employer and also set out a number of defences. Section 60(3) of the EEA, for example, determines that an employer must be deemed to have contravened a provision of POPI if the employer has failed to take the steps necessary to eliminate conduct which does not comply with the EEA. However, if the employer is able to prove that it did all that was reasonably practicable to ensure that the employee would not act in contravention of the EEA, the employer will be able to avoid being held vicariously liable for the contraventions by its employees.161 The notion here is that employers should have taken reasonably practicable precautionary actions prior to the incident.162 A claimant must also prove, at a minimum, that the employee, whilst at work, had contravened the provisions of the EEA.163 The enquiry is whether the employee, at the time of the contravention, busied himself or herself with the affairs or business of the employer while at work.164

The OHSA equally determines that the employer shall be held liable whenever an employee of such an employer does or omits to do any act which would be an offence for the employer to do or omit to do, unless the employer is able to prove that all reasonable steps were taken to prevent a contravention of the OHSA.165

6.2.2 Brief survey of selected Commonwealth legislation

6.2.2.1 The United Kingdom's Data Protection Act

Although POPI is comparable to the United Kingdom's Data Protection Act of 1998 (UKDPA),166 it parts from the UKDPA with respect to the limitation of the accountability of the responsible party. The UKDPA (and other counterpart foreign statutes) contains a mechanism for the employer to escape liability if the employer is able to show that it took proactive measures to prevent the contravention of the statute, whereas POPI contains no such provision.167

The UKDPA affords an individual who suffered damage by reason of any contravention by a data controller of any of the requirements of the Act entitlement to compensation from the data controller for that damage.168 However, the employer is not liable if it had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.169 Moreover, section 55A of the UKDPA determines that the Information Commissioner has the power to impose monetary penalties against a data controller (the responsible party) if there has been a serious contravention of the UKDPA which the data controller knew or ought to have known could occur and failed to take reasonable steps to prevent the contravention. This presupposes that no penalty would be imposed if the employer proactively took reasonable steps to prevent the contravention. The employer's reasonable steps would aid in defending a claim in terms of the UKDPA.

The vicarious liability created in terms of the UKDPA and the defences thereto are informed by EU Directive 95/46/EC. Article 23 of the Directive provides as follows:

Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.

The vicarious liability of data controllers is limited, however, by sub-article (2), which determines that:

[t]he controller may be exempted from liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.

6.2.2.2 New Zealand's Privacy Act

Section 126(1) of New Zealand's Privacy Act 28 of 1993 (NZPA) determines that:

[s]ubject to subsection (4), anything done or omitted by a person as the employee of another person shall, for the purposes of this Act, be treated as done or omitted by that other person as well as by the first-mentioned person, whether or not it was done with that other person's knowledge or approval.

By virtue of subsection 4 the employer may be exempted from being held vicariously liable for the acts of its employees in a particular circumstance:

[i]n proceedings under this Act against any person in respect of an act alleged to have been done by an employee of that person, it shall be a defence for that person to prove that he or she or it took such steps as were reasonably practicable to prevent the employee from doing that act, or from doing as an employee of that person acts of that description.

It is not unusual for the New Zealand Privacy Commissioner (NZPC) to exempt employers from being held vicariously liable for the deeds of their employees by applying the exemption passage found in section 126(4). In one particular case before the NZPC,170 an insurance company manager followed the complainant into a retail store, following a near accident between their cars. In the presence of other customers, the insurance company manager threatened to endorse the complainant's file and made reference to and disclosed sensitive personal information regarding the complainant's past accident record. The NZPC considered inter alia whether the insurance company had security safeguards (including rules and procedures) to guard against the unauthorised processing of information and whether such safeguards were reasonable and practicable. The NZPC found that the company provided intensive training and resources on the NZPA to its employees, including an instruction manual. Moreover, the manager had not only taken part in the training but had facilitated discussions in some sessions. The NZPC concluded that the insurance company had not breached the NZPA since it had taken reasonable steps to ensure that the personal information it held was not disclosed unnecessarily or without authority of the company or data subject. In the light of the conclusion reached, the NZPC went on to consider the impact of section 126. Section 126(1) places the responsibility on the employer for any act or omission by the employee. However, section 126(4) recognises that there are limits on employers' liability for employees' actions. The NZPC regarded the defence contained in section 126(4) to be available to the employer under the circumstances.

It seems peculiar that the South African legislature failed to make provision for a similar exemption clause in POPI. Just as in the case described above, Mrs A's employer regarded the training of its employees on POPI as a serious matter. The intensive training of employees, its policies, standard operating procedures, circulars and frequent newsletters would have, under New Zealand law (and the laws of other Commonwealth jurisdictions), constituted a sufficient defence for the university to escape liability.

6.2.2.3 The Australian Privacy Act

Section 99A(2) of the Australian Privacy Act 119 of 1988 (as amended) determines that:

[a]ny conduct engaged in on behalf of a body corporate by a director, employee or agent of the body corporate within the scope of his or her actual or apparent authority is to be taken, for the purposes of a prosecution for an offence against this Act or proceedings for a civil penalty order, to have been engaged in also by the body corporate unless the body corporate establishes that the body corporate took reasonable precautions and exercised due diligence to avoid the conduct.

Once again, the Australian legislature here recognises the importance of limiting an employer's liability for wrongful actions performed by its employees.

6.3 Critical observations and remarks

Considering the fact that Mrs A blatantly and intentionally contravened POPI (and clear instructions from her employer) despite being au fait with the lawful conditions of processing and the consequences of a breach, and bearing in mind that she did so for her own personal gain, outside the course and scope of her employment, one would imagine that her employer would be able to escape liability on these grounds. This is, however, not the case, since POPI does not recognise these realities as defences available to the employer.

An employer who is determined to steer clear of expensive litigation will implement comprehensive policies and rules, offer constant training, pilot workshops and awareness campaigns, monitor the attitude of employees and the effect of the training, etcetera, in order to ensure that all employees are well informed of the employer's expectation of them. It is trite that in terms of the EEA (and foreign data protection statutes) an employer should be able to escape statutory vicarious liability if the employer is able to prove that it proactively took all reasonable and practicable steps to prevent a contravention of POPI. Such steps may include the identification and assessment of risks, the development of policies and the incorporation of rules into the employer's conditions of employment, to name but a few. The courts have recognised that employers who do in fact act proactively should not be held liable for the delict caused by their employees. Why this principle was not extended to POPI is dumbfounding.

 

7 Conclusion

7.1 POPI's glaring deficiencies

POPI seems progressive and flawless. It gives credence to the constitutional right to privacy and provides mechanisms for holding those responsible for breaching the fundamental right to privacy liable and accountable. It is widely accepted that POPI was based on the UKDPA and the EU Directive on Data Protection 1995,171 which strengthens the initial supposition that POPI is the product of careful consideration. This initial inference is further strengthened by the preamble to POPI, which recognises that the legislature enacted POPI in order to regulate,

... in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.172

The reference to international standards implies that the legislature had considered international conventions and precepts. However, upon closer inspection it is clear that unlike the UKDPA (and other equivalent foreign statutes) and the EEA, POPI does not provide for the protection of an employer who has done everything reasonable and practicable in its power to ensure that its employees comply with the requirements of the protection of personal information. The omission is so glaring that it seems to be deliberate. Nevertheless, one cannot help but wonder whether this omission was simply an oversight on the part of the legislature and whether, in time, the legislature will address the shortcoming.

It does seem as if Mrs A's employer would have been able to escape liability had the student's action been brought in terms of the common law. Common-law defences might have aided the employer in proving that the actions of Mrs A were for personal gain and completely removed from her duties.

As a result of the existence of POPI (and the limited defences available to the employer), the employer will not be able to avoid liability. There is thus a clear disjuncture between the statutory defences to a claim based on vicarious liability in POPI and those in other domestic statutes, and a pronounced disjuncture between the statutory defences to a claim based on vicarious liability in POPI and those in its foreign counterparts.

The fictional transgression took place after hours, at the home of Mrs A. For the statutory vicarious liability to apply in terms of the EEA, the act or omission in question should have been committed "while at work".173 Had POPI contained a similar escape clause to that contained in the EEA, Mrs A's employer would have been able to escape liability for her contravention of POPI.

7.2 Conclusion and recommendations

The expression "no good deed goes unpunished" has never seemed more appropriate than in the case of POPI. POPI does not require intent or negligence on the part of the employer for the employer to be held accountable. Even employers who actively promote compliance with POPI and who campaign for absolute and unqualified observance of the conditions for lawful processing may be held accountable and liable. Neither the fact that the employee was expressly prohibited from committing an unlawful transgression in contravention of POPI nor the fact that the employer proactively sought to avoid such contraventions, nor the fact that the contravention did not occur "while at work"174 would aid the employer in evading liability. It appears then that, as a result of the legislature's shortsightedness, the only recourse available to the virtuous employer would be to make use of comprehensive (and costly) liability insurance to reduce or mitigate the risk of contraventions of POPI by its employees.175 Thus, the good deeds of the good employer will not be recognised as a defence. This position is at variance with that in analogous domestic acts176 that also create forms of statutory vicarious liability and that in corresponding foreign legislation.177

A proactive and law-abiding employer will take all necessary steps and precautions to reduce the risk of expensive and protracted litigation and settlement orders. Unfortunately, POPI makes no distinction between the liability of a prudent employer and one who adopts a nonchalant approach to the duty to respect the privacy of data subjects. Both the virtuous and the indifferent employer are treated alike in respect of contraventions by their employees. Consequently, the good deeds of the virtuous employer seem to be of no significance. Undeniably, the law-abiding employer's good deeds will not constitute an acceptable defence against retribution in terms of POPI.

In the light of the analogy with the EEA and the comparative study, it is submitted that an additional defence to a claim based on the statutory vicarious liability in terms of POPI should be included. Such an additional defence should mirror the defences contained in section 60(4) of the EEA, section 126(4) of the NZPA,178 section 13(3) of the UKDPA,179 and section 99A(2) of the APA.180 More specifically, it is submitted that section 99(2) should be amended to include the following wording, namely:

Despite subsection (1), an employer is not liable for the conduct of an employee if that employer is able to prove that it did all that was reasonably practicable to ensure that the employee would not act in contravention of this Act.

This simple addition would bring POPI in line with the legislation mentioned above and alleviate the plight of the employer without compromising any of the all-important objectives of POPI.

 

Bibliography

Literature

Allen RE (ed) The Concise Oxford Dictionary of Current English 8th ed (Oxford University Press Oxford 1990)

Calitz K "Vicarious Liability of Employers: Reconsidering Risk as the Basis for Liability" 2005 TSAR 215-235

Cooper C "Harassment on the Basis of Sex and Gender: A Form of Unfair Discrimination" 2002 (23) ILJ 1 at 28 - 29

Currie I and De Waal J Bill of Rights Handbook 6th ed (Juta Cape Town 2013)

De Stadler and Esselaar Guide to the Protection of Personal Information Act

De Stadler E and Esselaar P A Guide to the Protection of Personal Information Act (Juta Cape Town 2015)

Du Toit D et al Labour Relations Law: A Comprehensive Guide 5th ed (LexisNexis Durban 2006)

Grogan J Workplace Law 11th ed (Juta Cape Town 2014)

Hawthorne L "The 'New Learning' and Transformation of Contract Law: Reconciling the Rule of Law with the Constitutional Imperative to Social Transformation" 2008 SAPR/PL 77-99

Lawlor R Vicarious and Direct Liability of an Employer for Sexual Harassment at Work (LLM-dissertation Nelson Mandela Metropolitan University 2007)

Le Roux R "Vicarious Liability: Revisiting an Old Acquaintance" 2003 ILJ 1879-1883

Le Roux R "Sexual Harassment in the Workplace: Reflecting on Grobler v Naspers" 2004 ILJ 1897-1900

Loots BE "Sexual Harassment and Vicarious Liability: A Warning to Political Parties" 2008 Stell LR 143-169

Loubser MM et al Deliktereg in Suid-Afrika (Oxford University Press Cape Town 2010)

Magolego N "Personal Data on the Internet - Can POPI Protect You?" 2014 Dec De Rebus 20-23

McQuoid-Mason D "Invasion of Privacy: Common Law v Constitutional Delict - Does It Make a Difference?" 2000 Acta Juridica 227-261

Millard D and Botha MM "The Past, Present and Future of Vicarious Liability in South Africa" 2012 De Jure 225-253

Mischke C and Beukes V "Vicarious Liability: When is the Employer Liable for the Wrongful Acts of Employees?" 2002 CLL 11-17

Murray S The Extent of an Employer's Vicarious Liability When an Employee Acts Within the Scope of Employment (LLB-dissertation North West University 2012)

Neethling J Law of Personality 5th ed (LexisNexis Durban 2005)

Neethling J "The Concept of Privacy in South African Law" 2005 SALJ 18-28

Neethling J "Vicarious Liability of the State for Rape by a Police Official" 2011 TSAR 186-191

Neethling J "Features of the Protection of Personal Information Bill, 2009 and the Law of Delict" 2012 THRHR 241-255

Neethling J and Potgieter J Neethling, Potgieter and Visser Law of Delict 7th ed (Durban LexisNexis 2015)

Roos A "Data Protection: Explaining the International Backdrop and Evaluating the Current South African Position" 2007 SALJ 400-433

Roos A "Personal Data Protection in New Zealand: Lessons for South Africa?" 2008 PER/PELJ 61-109

Scott J "Some Reflections on Vicarious Liability and Dishonest Employees" 2000 Acta Juridica 265-279

Scott J "Middellike Aanspreeklikheid van die Staat vir Misdadige Polisie-optrede: Die Heilsame Ontwikkeling Duur Voort" 2011 TSAR 135-147

Scott J "Die Hoogste Hof van Appèl Smoor Heilsame Regsontwikkeling: Minister of Safety and Security v F 2011 3 SA 487 (HHA)" 2011 TSAR 773-?

Scott J "Staatsaanspreeklikheid vir Opsetsdelikte van die Polisie: Die Hoogste Hof van Appèl kry Nogmaals Bloedneus" 2012 TSAR 541-558

Scott J "Middellike Staatsaanspreeklikheid: Mistastings oor Gevestigde Regsbeginsels" 2015 TSAR 623-640

Simpson J and Speake J (eds) The Concise Oxford Dictionary of Proverbs (Oxford University Press Oxford 2003)

Smit N and Van der Nest D "When Sisters are Doing It for Themselves: Sexual Harassment Claims in the Workplace" 2004 TSAR 520-543

Van Niekerk A et al Law@Work 2nd ed (LexisNexis Durban 2015)

Whitcher B "Two Roads to an Employer's Vicarious Liability for Sexual Harassment: S Grobler v Naspers Bpk en 'n Ander and Ntsabo v Real Security CC" 2004 ILJ 1907-1924

Woolman S and Bishop M Constitutional Law of South Africa 2nd ed (Juta Cape Town 2014)

Case law

Foreign case law

Google Spain SL, Google Inc v Agencia Espanola de Proteccion de Datos (AEP) Mario Costeja Gonzales (Case No C-131/12 of 13 May 2014)

New Zealand

Privacy Commissioner Case Notes 16005 [2001] NZPrivCmr 17 (1 July 2001)

South Africa

Absa Bank Ltd v Bond Equipment Pretoria (Pty) Ltd 2001 1 SA 372 (SCA)

Barkhuizen v Napier 2007 5 SA 323 (CC)

Bezuidenhout v Eskom 2003 3 SA 83 (SCA)

Carter & Co (Pty) Ltd v McDonald 1955 1 SA 202 (A)

Case v Minister of Safety and Security 1996 3 SA 617 (CC)

Costa da Oura Restaurant (Pty) Ltd t/a Umdloti Bush Tavern v Reddy 2003 24 ILJ 1337 (SCA)

Crown Chickens (Pty) Ltd t/a Rocklands Poultry v Rieck 2007 2 SA 118 (SCA)

Ess Kay Electronics (Pty) Ltd v First National Bank of Southern Africa Ltd 2001 1 SA 1214 (SCA)

F v Minister of Safety and Security 2012 1 SA 536 (CC)

Feldman (Pty) Ltd v Mall 1945 AD 733

Gibbins v Williams, Muller, Wright & Mostert Ingelyf 1987 2 SA 82 (T)

Grobler v Naspers 2004 2 All SA 160 (C)

K v Minister of Safety and Security 2005 3 SA 179 (SCA)

K v Minister of Safety and Security 2005 6 SA 419 (CC)

Masuku v Mdlalose 1998 1 SA 1 (SCA)

Minister of Finance v Gore 2007 1 SA 111 (SCA)

Minister of Law and Order v Ngobo 1992 4 SA 822 (A)

Minister of Police v Rabie 1986 1 SA 117 (A)

Minister of Safety & Security v Jordaan t/a André Jordaan Transport 2000 4 SA 21 (SCA)

Minister van Veiligheid en Sekuriteit v Japmoco 2002 5 SA 649 (SCA)

National Media Ltd v Jooste 1996 3 SA 262 (A)

Ntsabo v Real Security CC 2003 24 ILJ 2341 (LC)

O'Keeffe v Argus Printing and Publishing Co Ltd 1954 3 SA 244 (C)

Piliso v Old Mutual Life Assurance Co (SA) Ltd 2007 28 ILJ 897 (LC)

SA Railways & Harbours v Marais 1950 4 SA 610 (A)

Smit v Workmen's Compensation Commissioner 1979 1 SA 51 (A)

Viljoen v Smith 1997 1 SA 309 (SCA)

Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk 1977 4 SA 376 (T)

Legislation

Commonwealth

Australian Privacy Act 119 of 1988 (as amended)

New Zealand's Privacy Act 28 of 1993

United Kingdom's Data Protection Act, 1998

South Africa

Basic Conditions of Employment Act 75 of 1997 (as amended)

Constitution of the Republic of South Africa, 1996

Employment Equity Act 55 of 1998 (as amended)

Occupational Health and Safety Act 85 of 1993 (as amended)

Protection of Personal Information Act 4 of 2013

International instruments

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (1995)

List of Abbreviations

APA Australian Privacy Act 119 of 1988

CLL Contemporary Labour Law

EEA Employment Equity Act 55 of 1998

ILJ Industrial Law Journal

NZPA New Zealand's Privacy Act 28 of 1993

NZPC New Zealand Privacy Commissioner

OHSA Occupational Health and Safety Act 85 of 1993

PER/PELJ Potchefstroom Elektroniese Regstydskrif / Potchefstroom Electronic Law Journal

POPI Protection of Personal Information Act 4 of 2013

SALJ South African Law Journal

SAPR/PL SA Publiekreg / SA Public Law

SAPS South African Police Service

Stell LR Stellenbosch Law Review

THRHR Tydskrif vir Hedendaagse Romeins-Holandse Reg

TSAR Tydskrif vir die Suid-Afrikaanse Reg

UKDPA United Kingdom's Data Protection Act of 1998

Date published 5 July 2016

Editor Prof C Rautenbach
* Daleen Millard. BIur LLB LLM (University of Pretoria) LLD (University of Johannesburg). Professor of Private law, University of Johannesburg, South Africa. Email: dmillard@uj.ac.za.
** Eugene Gustav Bascerano. LLB (University of Pretoria) LLM (University of Johannesburg) Advanced Certificate in Labour Law (University of Pretoria). Legal Advisor, Office of the General Council, University of Johannesburg. Email: eugeneb@uj.ac.za.
1 Simpson and Speake Concise Oxford Dictionary of Proverbs 142. The author explains that this saying means that life is so unfair that one is more likely to get into some sort of trouble than be rewarded if one attempts a good deed. The saying has been attributed to American financier John P Grier, banker Andrew W Mellon and writer Clare Boothe Luce, but its ultimate origin is unknown.
2 Lawlor Vicarious and Direct Liability 45; Le Roux 2004 ILJ 1897; Le Roux 2003 ILJ 1879-1883; Millard and Botha 2012 De Jure 227; Mischke and Beukes 2002 CLL 17; Murray Extent of an Employer's Vicarious Liability 41; Neethling and Potgieter Law of Delict 389; Neethling 2011 a TSAR 186; Scott 2011 b TSAR 786-787; Scott 2011 TSAR 135; Scott 2015 TSAR 623-640; Scott 2012 TSAR 541; and Smit and Van der Nest 2004 TSAR 520-543.
3 Du Toit et al Labour Relations Law 622; Lawlor Vicarious and Direct Liability 45; Le Roux 2003 ILJ 1879-1883; Mischke and Beukes 2002 CLL 17; Murray Extent of an Employer's Vicarious Liability 41; Neethling and Potgieter Law of Delict 389; Le Roux 2004 ILJ 1897; Smit and Van der Nest 2004 TSAR 520-543; Van Niekerk et al Law@Work 87; and Whitcher 2004 ILJ 1907.
4 Statutory vicarious liability is where a statute imposes strict liability on one party for the actions of another.
5 "Personal information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
6 Section 2 provides for instance that the purpose of the act is inter alia to regulate the manner in which personal information may be processed and to provide persons with rights and remedies to protect their personal information from unlawful processing. Also see ss 5 and 11. These rights collectively provide data subjects with a degree of control over the flow of their personal information.
7 Section 14 of the Constitution of the Republic of South Africa, 1996, see also s 2 of POPI; De Stadler and Esselaar Guide to the Protection of Personal Information Act 1.
8 Section 4 of POPI.
9 Section 2(c) of POPI. For an exposition of the offences, penalties and administrative fines contained in POPI, refer to ch 11 (ss 100 to 109) thereof.
10 Sanctions created by POPI include enforcement notices (s 95), penalties (s 107), administrative fines (s 109) and civil remedies (s 99).
11 See the definition of "responsible party" in s 1 of POPI.
12 S 99 of POPI provides for a data subject's right to institute a civil action for damages resulting from non-compliance with the act. The civil action for damages can be brought by a data subject or by the Information Regulator acting on behalf of the data subject. The employer's liability is strict because it does not matter whether the employer, or its employee, acted intentionally or negligently. When determining the quantum of the damages, a court will consider what is just and equitable and ponder compensation for loss (including patrimonial and non-patrimonial loss), aggravated damages, interest and the costs of suit. See De Stadler and Esselaar Guide to the Protection of Personal Information Act 90.
13 In particular, POPI is compared with the United Kingdom's Data Protection Act, 1998; New Zealand's Privacy Act 28 of 1993; and the Australian Privacy Act 119 of 1988 (as amended).
14 Magolego 2014 De Rebus 20, 24. Also see Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (1995).
15 A detailed exposition of the penalties and administrative fines provided for by POPI falls outside the scope and purpose of this article. For an exposition of the offences, penalties and administrative fines contained in POPI, refer to ch 11 (ss 100-109) thereof. Instead, the focus of this article is limited to the civil remedy available to data subjects and the extent of the employer's liability in this regard (s 99 of POPI).
16 Neethling 2005 SALJ 18. The author contends that "it is generally accepted that the concept of privacy is difficult to define because it is vague and evanescent, or amorphous and elusive, often meaning strikingly different things to different people".
17 Google Spain SL, Google Inc v Agencia Espanola de Proteccion de Datos (AEP) Mario Costeja Gonzales (Case No C-131/12 of 13 May 2014).
18 National Media Ltd v Jooste 1996 3 SA 262 (A) 271-272.
19 Woolman and Bishop Constitutional Law 2.
20 Neethling 2012 THRHR 243.
21 National Media Ltd v Jooste 1996 3 SA 262 (A) 271-272.
22 Case v Minister of Safety and Security 1996 3 SA 617 (CC) para 91.
23 Neethling 2005 SALJ 19; Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk 1977 4 SA 376 (T).
24 Neethling Law of Personality 29.
25 Neethling Law of Personality 29.
26 Roos 2007 SALJ 422.
27 Woolman and Bishop Constitutional Law 3. Also see O'Keeffe v Argus Printing and Publishing Co Ltd 1954 3 SA 244 (C) 249.
28 Also see O'Keeffe v Argus Printing and Publishing Co Ltd 1954 3 SA 244 (C).
29 Roos 2008 PER/PELJ 62, 90.
30 Neethling Law of Personality 30.
31 Neethling Law of Personality 30.
32 See Neethling 2005 SALJ 20. Neethling contends that "the constitutional concept of privacy is, on the face of it at least, also concerned with what can briefly be described as informational privacy". Also see Currie and De Waal Bill of Rights Handbook 302. The authors argue that the right to privacy includes "informational privacy", which is a person's right to control access to and the use of private information.
33 Neethling 2012 THRHR 244.
34 See Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk 1977 4 SA 376 (T). McQuoid-Mason 2000 Acta Juridica 234. See also Roos 2007 SALJ 423.
35 Roos 2008 PER/PELJ 93.
36 Neethling Law of Personality 254. In addition to the aggrieved party's common-law right to an interdict aimed at preventing threatening infringement or continuing infringement of his or her right to privacy, POPI now also gives the Information Regulator the power to issue an enforcement notice if it is satisfied that the responsible party has interfered or is interfering with the protection of a data subject's personal information. Such enforcement notice may require the responsible party to take certain steps within a specified time; to refrain from taking certain steps; or to cease the processing of personal information specified in the notice. See s 95 of POPI. Also see McQuoid-Mason 2000 Acta Juridica 257.
37 McQuoid-Mason 2000 Acta Juridica 228.
38 Barkhuizen v Napier 2007 5 SA 323 (CC) 333C-D. Hawthorne 2008 SAPR/PL 89.
39 Barkhuizen v Napier 2007 5 SA 323 (CC) 333E-334A.
40 Roos 2007 SALJ 423.
41 Roos 2007 SALJ 423.
42 Neethling 2012 THRHR 244.
43 Neethling 2012 THRHR 244.
44 Neethling Law of Personality 271-272.
45 Paragraph 2.2 above and s 14 of the Constitution. Also see the Preamble to POPI; s 7(2) of the Constitution.
46 See s 5 of POPI (Rights of data subjects) for a concise list of the rights of data subjects.
47 Section 5 of POPI (Rights of data subjects). For a definition of processing see s 1 of the Act. "'Processing' means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including - (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as restriction, degradation, erasure or destruction of information."
48 Paragraph 2.2 above.
49 Section 8 of POPI.
50 Section 8 of POPI.
51 Section 99(1) of POPI.
52 Section 1 of POPI.
53 Section 1 of POPI.
54 Grogan Workplace Law 56.
55 See s 31 of the Basic Conditions of Employment Act 75 of 1997 (as amended), which determines that an employer must keep a record containing at least information on its employees' names, occupations, time worked, remuneration paid, date of birth and any other prescribed information.
56 Paragraph 1 above.
57 Section 6(1)(a) of POPI.
58 Section 3(1)(a) of POPI.
59 Section 8 of POPI.
60 Scott 2000 Acta Juridica 265-266 describes this as: "[t]he vicarious liability of an employer for the delict of his or her employee in an instance of so-called strict liability, or liability without fault".
61 Section 99(1) of POPI.
62 Section 9 of POPI.
63 Section 4 of POPI lists the eight conditions for lawful processing of personal information.
64 Section 107 of POPI.
65 Section 109 of POPI.
66 Section 99 of POPI.
67 Chapter 3 of POPI sets out eight conditions for lawful processing.
68 Section 19 of POPI. Also see Neethling 2012 THRHR 253.
69 Section 19(2)(a) of POPI determines that the responsible party must ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
70 De Stadler and Esselaar Guide to the Protection of Personal Information Act 35.
71 Although expensive, the ISO 27001 (international security standard) may in most instances constitute reasonable and appropriate technical security standards.
72 This is most probably why POPI requires only that responsible parties implement "appropriate" and "reasonable" security measures.
73 Section 99(2) of POPI.
74 Section 99(3) of POPI.
75 Section 11(1)(a) of POPI.
76 Section 1 of POPI.
77 Section 11(1)(b) of POPI.
78 Section 11(1)(c) of POPI.
79 Section 11(1)(d) of POPI.
80 Section 11(1)(f) of POPI.
81 Section 11(1)(e) of POPI.
82 Section 13(1) of POPI.
83 Allen Concise Oxford Dictionary 412.
84 Section 15(1) of POPI.
85 Sections 10, 13, and 15 of POPI.
86 Paragraph 3.4 above.
87 Section 13 of POPI determines that personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
88 Woolman and Bishop Constitutional Law 3.
89 Whitcher 2004 ILJ 1907.
90 Grobler v Naspers 2004 2 All SA 160 (C).
91 Ntsabo v Real Security CC 2003 24 ILJ 2341 (LC).
92 Millard and Botha 2012 De Jure 231-232.
93 See Neethling and Potgieter Law of Delict 389.
94 Millard and Botha 2012 De Jure 227.
95 Millard and Botha 2012 De Jure 227.
96 Loots 2008 Stell LR 143-169. The author points out that in the seventeenth and eighteenth centuries the maxim qui facit per alium facit per se ("he who acts through another acts himself") was regarded as reflecting the view that the unlawful acts of one person may be attributed to another.
97 Le Roux 2003 ILJ 1879.
98 Le Roux 2003 ILJ 1879.
99 Le Roux 2003 ILJ 1879. There is an array of theories that justify the doctrine of vicarious liability. See for example Neethling and Potgieter Law of Delict 389. These include: (i) the employer's own fault theory (see for example Feldman (Pty) Ltd v Mall 1945 AD 733, where the court held that culpa in eligendo referred to the employer's fault in the choice of an employee); (ii) the interest or profit theory (in terms of which the employer must, together with the benefits and profits received from employing employees, also bear the losses occasioned by its employees' wrongful acts); (iii) the identification theory (in terms of which the employee is simply an extension of the employer); (iv) the solvency theory (in terms of which the employer is financially in a better position to carry the costs of compensating the claimant); and (v) the risk theory (in terms of which the employer should be held accountable for the wrongful acts committed by its employees since entrusting employees with work creates a risk of harm to others).
100 See Calitz 2005 TSAR 216.
101 Smit v Workmen's Compensation Commissioner 1979 1 SA 51 (A) 61-62; Gibbins v Williams, Muller, Wright & Mostert Ingelyf 1987 2 SA 82 (T).
102 Crown Chickens (Pty) Ltd t/a Rocklands Poultry v Rieck 2007 2 SA 118 (SCA).
103 Scott 2012 TSAR 546. Also see Masuku v Mdlalose 1998 1 SA 1 (SCA); and Costa da Oura Restaurant (Pty) Ltd t/a Umdloti Bush Tavern v Reddy 2003 24 ILJ 1337 (SCA).
104 Scott 2012 TSAR 546.
105 Loubser et al Deliktereg 392 indicate that the problem lies in distinguishing between the unlawful manner in which authorised work is performed, an unlawful act which falls outside the scope of the employee's work, and an act which involves the use of the employer's time or equipment but which is aimed solely at the advancement of the employee's own interests.
106 See for example Viljoen v Smith 1997 1 SA 309 (A) where the employer was held accountable for the damage caused by its employee after the employee caused a fire to the neighbouring property by smoking while relieving himself. Also see Feldman (Pty) Ltd v Mall 1945 AD 733, where the employer was held liable for an accident caused by the employee with the employer's delivery vehicle, after the employee drank alcohol and collided with another driver en route back to work. Also see Carter & Co (Pty) Ltd v McDonald 1955 1 SA 202 (A), where the employer was not held liable for the damage caused by an employee who collided with a pedestrian when the employee rode to the market, on his own bicycle, for personal reasons.
107 Loubser et al Deliktereg 389. Also see Costa da Oura Restaurant (Pty) Ltd t/a Umdloti Bush Tavern v Reddy 2003 24 ILJ 1337 (SCA).
108 Minister of Safety & Security v Jordaan t/a André Jordaan Transport 2000 4 SA 21 (SCA).
109 Le Roux 2003 ILJ 1879.
110 Feldman (Pty) Ltd v Mall 1945 AD 733.
111 Mischke and Beukes 2002 CLL 17.
112 Minister of Police v Rabie 1986 1 SA 117 (A) 134.
113 Loubser et al Deliktereg 390.
114 Loubser et al Deliktereg 391.
115 Loubser et al Deliktereg 391.
116 Bezuidenhout v Eskom 2003 3 SA 83 (SCA).
117 SA Railways & Harbours v Marais 1950 4 SA 610 (A).
118 Le Roux 2003 ILJ 1879; Neethling and Potgieter Law of Delict 389.
119 Le Roux 2004 ILJ 1897.
120 Minister of Law and Order v Ngobo 1992 4 SA 822 (A); Ess Kay Electronics (Pty) Ltd v First National Bank of Southern Africa Ltd 2001 1 SA 1214 (SCA); Viljoen v Smith 1997 1 SA 309 (SCA); K v Minister of Safety and Security 2005 3 SA 179 (SCA); and K v Minister of Safety and Security 2005 6 SA 419 (CC); Loubser et al Deliktereg 383-396.
121 Loubser et al Deliktereg 383-396.
122 Loubser et al Deliktereg 389. In Bezuidenhout v Eskom 2003 3 SA 83 (SCA) the court found that the employee's act of transporting a passenger (who later sustained injuries) with the employer's vehicle contrary to express prohibition, did not fall within the course and scope of his employment. The employer was held not to be liable.
123 Ess Kay Electronics (Pty) Ltd v First National Bank of Southern Africa Ltd 2001 1 SA 1214 (SCA).
124 Ess Kay Electronics (Pty) Ltd v First National Bank of Southern Africa Ltd 2001 1 SA 1214 (SCA).
125 Absa Bank Ltd v Bond Equipment Pretoria (Pty) Ltd 2001 1 SA 372 (SCA).
126 Absa Bank Ltd v Bond Equipment Pretoria (Pty) Ltd 2001 1 SA 372 (SCA) para 6.
127 Costa da Oura Restaurant (Pty) Ltd t/a Umdloti Bush Tavern v Reddy 2003 24 ILJ 1337 (SCA).
128 Costa da Oura Restaurant (Pty) Ltd t/a Umdloti Bush Tavern v Reddy 2003 24 ILJ 1337 (SCA) para 7.
129 K v Minister of Safety and Security 2005 6 SA 419 (CC).
130 F v Minister of Safety and Security 2012 1 SA 536 (CC).
131 The fundamental difference between the cases of K and F is that in K the policemen were on duty, while in F the police officer was on standby duty.
132 F v Minister of Safety and Security 2012 1 SA 536 (CC) 550D-557B.
133 F v Minister of Safety and Security 2012 1 SA 536 (CC) 557B, 557D and 557E-G.
134 Minister van Veiligheid en Sekuriteit v Japmoco 2002 5 SA 649 (SCA).
135 Minister of Finance v Gore 2007 1 SA 111 (SCA).
136 Ess Kay Electronics (Pty) Ltd v First National Bank of Southern Africa Ltd 2001 1 SA 1214 (SCA). Also see Mischke and Beukes 2002 CLL 17.
137 Minister van Veiligheid en Sekuriteit v Japmoco 2002 5 SA 649 (SCA).
138 K v Minister of Safety and Security 2005 3 SA 179 (SCA); and K v Minister of Safety and Security 2005 6 SA 419 (CC).
139 K v Minister of Safety and Security 2005 6 SA 419 (CC).
140 Neethling and Potgieter Law of Delict 389. See n 103 above.
141 Bezuidenhout v Eskom 2003 3 SA 83 (SCA).
142 Costa da Oura Restaurant (Pty) Ltd t/a Umdloti Bush Tavern v Reddy 2003 24 ILJ 1337 (SCA).
143 Minister of Police v Rabie 1986 1 SA 117 (AD).
144 Bezuidenhout v Eskom 2003 3 SA 83 (SCA).
145 Minister of Finance v Gore 2007 1 SA 111 (SCA).
146 Ess Kay Electronics (Pty) Ltd v First National Bank of Southern Africa Ltd 2001 1 SA 1214 (SCA).
147 See s 2(c) of POPI.
148 Employment Equity Act 55 of 1998 (as amended).
149 Occupational Health and Safety Act 85 of 1993 (as amended).
150 See s 8 of POPI.
151 See s 11 of POPI (Consent, justification and objection) for the different justifications for processing personal information without the consent of the data subject.
152 See s 12 of POPI (Collection directly from data subject) for the different circumstances that justify the collection of personal information from sources other than the data subject itself.
153 Neethling 2012 THRHR 247.
154 Section 99 of POPI; Neethling 2012 THRHR 247.
155 Section 2(a) of POPI.
156 Section 2(b) of POPI.
157 Sections 2(c) and (d) of POPI.
158 Neethling Law of Personality.
159 See, for example, the EEA and the OHSA.
160 See s 5 of the EEA, which stipulates that every employer must take steps, in advance (and proactively), to promote compliance with the Act.
161 Section 60(4) of the EEA. There seems to be an exception to this rule to the extent that the employer will be unable to escape liability for unlawful conduct in breach of the EEA by senior employees, since senior employees are often viewed as "the employer". The effect hereof is that knowledge of the contravention will be imputed to the employer and will defeat the use of the defence.
162 Cooper 2002 23 ILJ 1.
163 Piliso v Old Mutual Life Assurance Co (SA) Ltd 2007 28 ILJ 897 (LC).
164 Whitcher 2004 ILJ 1907.
165 Own emphasis. See s 37 of OHSA (as amended).
166 Data Protection Act, 1998.
167 See s 13(3) of UKDPA.
168 See s 13(1) of UKDPA.
169 Section 13(3) of UKDPA.
170 Privacy Commissioner Case Notes 16005 [2001] NZPrivCmr 17 (1 July 2001).
171 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (1995).
172 Emphasis added.
173 Murray Extent of an Employer's Vicarious Liability 41.
174 See s 60 of the EEA.
175 Lawlor Vicarious and Direct Liability 45. Also see Smit and Van der Nest 2004 TSAR 520-543.
176 See, for example, the EEA and the OHSA (as amended).
177 See, for example, the UKDPA; the NZPA and the Australian Privacy Act 119 of 1988 (as amended).
178 New Zealand's Privacy Act 28 of 1993.
179 United Kingdom's Data Protection Act, 1998.
180 Australian Privacy Act 119 of 1988 (as amended).

Creative Commons License: All the content of this journal, except where otherwise noted, is licensed under a Creative Commons License.