
COMPLIANCE – POPI & Recruiters

Author: Sino Sume, Ethics & Compliance Officer

The Promotion of Personal Information (POPI) Act regulates the types of personal information that can be collected as well as how that personal information may be used. On an ongoing basis, you receive personal information from candidates which is processed to establish whether or not they meet the criteria of any possible employment opportunities. POPI is intended to introduce information protection principles to establish minimum requirements for the processing of personal information. POPI will provide for the establishment of an Information Protection Regulator which will provide for the issuing of codes of conduct.

The regulator will require reports detailing the personal information that you have processed as well as the steps taken to ensure the protection of that information.

POPI provides for the rights of persons regarding unsolicited electronic communications and automated decision making and regulates the flow of information across the borders of the Republic.

Personal information can be described as:

  • Information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
  • Information relating to education or the medical, financial, criminal or employment history of the person.
  • Any identifying number, symbol, e-mail address, physical address, telephone number or other particular assigned to that person.
  • The blood type or any other biometric information of that person.
  • Personal opinions, views and preferences of that person, i.e. references.
  • Correspondence.
  • Views or opinions of another person about that person.
  • The name of that person.
  • The qualification is that if the information would reveal information about that person it is personal information.


In order to effectively implement POPI you must:

  • Establish Standard Operating Policies and Procedures
  • Train your people (everyone that will have access to personal information)
  • Integrate and automate standard electronic templates and responses
  • Monitor and manage your data system
  • Create a secure IT infrastructure

Whenever personal information is collected it is essential that your candidate has given his/her express permission for you to use that information for a specific and legitimate reason.



It is important to ensure that the information you have is correct, accurate and relevant. This effectively means that all data has a life cycle. In the staffing industry, personal information may be out of date and irrelevant within three months. Candidate information should be updated at least once every twelve months. It is therefore imperative that you automate this process so that a candidate can elect to update his personal information electronically or to “opt out”. If a candidate cannot be reached or information cannot be confirmed, we advise that you rather discard and delete that information. Personal information must be managed in accordance with your POPI policy and standard operating procedures.

Your responsibility to act legitimately and lawfully with personal information starts the moment you receive personal information through various means. You must then decide whether or not you will accept and use the information or reject and delete the information. The candidate will have to be informed each time, and where you have elected to accept and use the information you will require the candidate’s express permission to do so.

If the client expresses an interest in the candidate and would like to retain his/her CV after the recruitment process is over, he will have to get the candidate’s express permission to do so and qualify the purpose for which it is kept.

In the event that the candidate is regretted, you may still elect to either keep the candidate’s information or delete it. It is very important to note that your client needs to discard and delete the information of regretted candidates. If the candidate is successful you may want to keep his/her information, in which case you must obtain the candidate’s express permission to do so.

POPI requires the implementation of technical and organisational measures to secure the integrity of personal information, and to guard against the risk of loss, damage or destruction of personal information. Personal information must also be protected against any unauthorised or unlawful access or processing.

A POPI toolkit has been created as a guide for member agencies and will be available on our website (www.apso.co.za) to members that need assistance.