Cecil Kilpin | March 2021 Newsletter

Firstly, what is asset tokenization? Effectively, it is the taking of a physical asset and converting it into a digital medium which is represented as a token on the blockchain. Each token also contains the associated ownership rights of the asset. For example, a house worth R1 million can be converted into 1 million tokens, each token representing 0,000001% ownership of the house.

Benefits
As one can imagine, this offers numerous benefits to both sellers and investors:

• Transparency
  • The token holder’s rights, and legal responsibilities can be embedded within the token, as well as a record of ownership
• Liquidity
  • Tokenized assets allow for the automated transfer of ownership while maintaining compliance as well as reduced complexity and cost. Combining this offers a definite improvement in liquidity
• Accessibility
  • Tokenization has opened investing to a much broader audience thanks to the lower minimum investments and lower investment periods. The divisibility of tokens allows for extremely small percentages of assets to be purchased at a time if wanted

Though the benefits are many, there are definitely still barriers and challenges ahead before this becomes widely used. The main challenge falls under the regulation, as seen as a challenge with many other emerging technologies. As blockchain is still relatively new, it is still quite unregulated, depending on the regulation laws that are to be put in place, many of the benefits in terms of liquidity and accessibility could be undermined.

Blockchain and asset tokenization are offering exciting opportunities going forward. If you would like to know more about this, please feel free to contact our offices.

The processing of an employee’s general personal information is necessary for a variety of reasons, such as:

• Concluding Employment Contracts
• Recruitment and Training
• The requirements of the Occupational Health and Safety Act, 1993, the Basic Conditions of Employment Act, 1997, and the Employment Equity Act, 1998
• The Covid-19 Pandemic

POPIA does also specifically include an employee’s employment history within the definition of personal information.

Chapter 3 of POPIA lists the 8 conditions for lawful processing of personal information. It is advisable that an employer be aware of these provisions.

Employers may also be required to process special personal information of an employee. To recap, this kind of special information relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information.

The processing of this information attracts special additional rules of compliance in terms of POPIA. Employers need to be cognisant of these special rules – especially in light of the Covid-19 pandemic, and the impact that this has had on the workplace.

How do we start the POPIA compliance program in the Workplace?

1. Designate an Information Officer

By default, the role of Information Officer, is assigned to the CEO / Managing Director / Sole Proprietor of an entity, whichever is applicable – however, this role can be delegated to someone else.

The Information Officer’s responsibilities include:

• (i) The encouragement of compliance by the employer with the conditions for lawful processing of personal information (such as the health information of employees relating to Covid-19)
• (ii) Dealing with requests, including employee access requests
• (iii) Working with the Information Regulator in relation to investigations

2. Develop a procedure ensuring information is processed in a lawful manner.
3. Ensure that the processing of personal information is done in accordance with the 8 conditions for the lawful processing of personal information.

4. Obtain consent from employees for the processing of their personal information.

The first step employers can take to guard against liability in terms of POPIA is to ensure that the consent of employees is obtained, and the processing of the employee’s personal information is for a specified purpose. An employee must be in a position to “opt in” and know what their personal information will be used for. POPIA states that, in addition to consent, justification for processing can be attained where the processing of personal information is necessary for conclusion of a contract, complies with an obligation imposed by law, protects the interest of the employee, or is necessary for the legitimate interests of the employer. Thus, obtaining proper consent from employees on a voluntary basis is essential. The way this can be done is by:

• providing consent forms for signature, when consent is required – these forms will set out the specific purpose for which the employee’s personal information will be processed, or
• amending all contracts of employment to include special reference to the processing of personal
  information and consent

5. Provide training to employees so as to ensue that information of clients and customers etc. ae processed lawfully, and also to ensure that employees themselves, as ‘data subjects’ are aware of their rights.

Employees have certain rights under POPIA. These include:

• the lawful processing of their personal information;
• to consent to the processing and further processing of personal information;
• to be notified when their personal information is being collected or has been subject to a breach;
• to be able to request access to their personal information;
• to object to the processing of their personal information; and
• to request the correction, destruction or deletion of their personal information

6. Putting in place measures to ensure the processing of ‘special personal information’ is lawful.
7. Putting in place a Manual on Workplace Policies and Procedures.

It is the responsibility of the Information Officer to put a manual in Place on Workplace Policies and Procedures for POPIA. This manual should function as an important tool in training staff on the requirements, implications, implementation, and consequences of POPIA. Compliance with every aspect of POPIA should be understood by everyone in the workplace. By setting up the manual, the policies and procedures will be documented. But they also need to be seen to be implemented. Checklists for procedures and protocols for recording actions are thus also important to have in place. Examples of polices to be included in the manual would be:

• A Privacy Policy;
• A Monitoring and Surveillance Policy;
• A Protection of Personal Information Policy;
• A Data Protection Policy;
• A Data Retention Policy;
• A Communications Policy;
• An Information Technology Security Policy;
• A Covid-19 Policy

The list above is only an indication of commonly used policies. Depending on the size, scale and services of an employer, it may be necessary to consolidate the policies or establish new ones to adequately address high risk areas when processing personal information of employees, and/or clients, customers, services providers etc. (data subjects). These policies form a basis of compliance and awareness, however regular training of
employees on and about the policies is essential.

8. Ensure that adequate safe-guards are in place.

Employers are required to identify reasonably foreseeable risks, in respect of non-compliance with POPIA, and then develop safeguards, in order to respond thereto. For example, in relation to cybersecurity. Employers must, in terms of Section 18 of POPIA, implement appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of any personal information in their possession or control.

9. Implementing procedures to address and deal with any complaints from employees regarding the processing of their personal information.

Covid-19, the Workplace and POPIA:

On the 15 th March 2020, a national state of disaster was declared by the South African Government due to the Covid-19 pandemic that reached our shores in early 2020. Regulations and Directives have been published to provide for procedures to be followed during the period of lockdown. In
terms of these, employers are required to process personal information and special personal information of both employees and clients/ customers/ service providers (i.e. third party visitors to the workplace) to prevent and mitigate the spread of Covid-19.

Regulation 46(5) issued in terms of Section 27(2) of the Disaster Management Act, 2002, states that employers are required to implement measures for employees who are over 60 years of age, or those with comorbidities, to facilitate their safe return to work, which may include special measures
at the workplace to limit employees’ exposure to Covid-19 infection and where possible that the employees work from home.

Regulation 46(6) states that construction, manufacturing, business and financial services firms with more than 500 employees must finalise appropriate sector or workplace arrangements or compacts to address, inter alia, the screening of employees daily for symptoms of Covid-19 and for referring the employees who display symptoms for medical examination and testing where necessary, and submitting data collected during the screening and testing process to the Director-General: Health.

The Occupational Health and Safety Labour Directive 20.11 states (inter alia) that if a worker has been diagnosed with Covid-19, an employer must:

• Inform the Department of Health and the Department of Employment and Labour, and
• Investigate the mode of exposure including any control failure and review its risk assessment to ensure that the necessary controls and PPE requirements are in place;
• Give administrative support to any contact-tracing measures implemented by the Department of Health

Directive 25.2 requires workers to immediately inform the employer if they experience any symptoms such as cough, sore throat, shortness of breath, loss of smell or taste, fever, body aches, redness of eyes, nausea, vomiting, diarrhoea, fatigue, weakness or tiredness – while at work.

Employers are thus obligated to process health information of employees in terms of these Regulations and Directives by way of screening, recording of symptoms, test results, and the registering of comorbidities.

This information, by its nature, is special personal information, as defined by POPIA. Ideally, proper, written, clear, voluntary and specific consent should be obtained by the employee / third party in regard to the processing of such information. Where there is no such consent, or a refusal to give consent, Section 27 of POPIA would apply – whereby an employer (as a Responsible Party) may make an application to the Information Regulator to authorise the processing of special personal information where such processing is deemed by the Information Regulator to be in the public interest and subject to adequate safeguards.

Section 32(1)(f) of POPIA entitles employers to process health information of employees if necessary, for (i) the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on health or sex of the data subject or (ii) the reintegration of or support for workers or persons entitled to a benefit in connection with sickness or work capacity.

Directive 47 of the Occupational Health and Safety Directive also places an obligation on workers to comply with measures introduced by employers in regard to Covid-19.

The 8 conditions for the lawful processing of the personal information as set out in POPIA would also apply in these circumstances. By way of example, we have listed three of these conditions below, and how they would be implemented in regard to Covid-19 in the workplace:

Condition 3: Purpose Specification

• Whereby records on Covid-19 information should not be retained for longer than necessary to achieve its purpose

Condition 5: Information Quality

• It is important to ensure that the correct symptom screening results are stored in respect of the correct employee

Condition 8: Data Subject Participation

• Employees are entitled to request access to their personal information on Covid-19 as processed by the employer

Regulation 17 has clarified the situation relating to Condition 3, by stating that:
“Within 6 weeks after the national state of disaster has lapsed or been terminated –

(a) The information on the Covid-19 Database (Department of Health) shall be deidentified,
(b) The deidentified information on the Covid-19 Database shall be retained and only used for research, study and teaching purposes…”

POPIA and considerations for Auditors and Accountants:
Auditors and accountants are privy to their clients’ personal and financial circumstances by the very nature of the services they provide. When auditors and accountants perform either an independent review or audit for a client, POPIA should be kept in mind, particularly when assessing the NOCLAR requirement (included in the IESBA Code of Ethics for Professional Accountants, and the SAICA Code of Professional Conduct). NOCLAR stands for “Non-Compliance with Laws and Regulations”. Any such non-compliance is required to be evaluated (also in the context of POPIA) and a possible Reportable Irregularity considered (for reporting to IRBA or CIPC, as appropriate).

Employer Responsibilities and Penalties for non-Compliance with POPIA:
The responsibility is on the employer to comply, as the Responsible Party, with POPIA, failing which, penalties may include imprisonment of up to 12 months and/or administrative fines of up to R10-million.

Making it easy
To attend to this in an easy and convenient manner we would like to draw your attention to the following important information that you need to know. This is:

• Employers and Payroll Administrators need to download the latest e@syFile™ Employer version 7.1.0 which was released on 15 December 2020. This can be done via SARS eFiling
• Employers must submit outstanding monthly declarations (EMP201) and annual reconciliations (EMP501) to SARS prior to submitting the EMP501 for 2021
• Employers must register employees for income tax purposes using Single (“Individual ITREG”) and bundle IT Registration (“Bundled ITREG”) for existing tax numbers as well as new registrations available on e@syfile™
• First-time job seekers can register for income tax via eFiling or on the SARS MobiApp
• Employers must issue IRP5/IT3(a)’s to employees on time
• Employees need to check and verify if their details on their IRP5/IT3(a)’s are correct

Penalties for Non-Compliance
An employer who files their EMP501 late will be penalised under the provisions of paragraph 14(6) of the Fourth Schedule of the Income Tax Act. The penalty will equal 1% of the year’s PAYE, for each month that the return is late, up to 10% of the year’s PAYE.

Criminal charges for failure to submit a return
Any employer who wilfully or negligently fails to submit a return to SARS is guilty of an offence and is therefore liable, upon conviction, to a fine or to imprisonment for a period of up to two years. This applies to EMP201’s as well as EMP501’s.

Accuracy and on-time filing is critical
It is very important for employers to file accurate and complete EMP501’s. The information received through your submission of an EMP501 is used to populate auto-assessments and income tax returns on behalf of your employees. Incomplete or inaccurate information will negatively affect your
employees’ ability to meet their tax obligations. In practice, your incomplete or inaccurate information may result in significant delays of refunds to your employees when these refunds are due.

Should you require professional assistance in this regard do not hesitate to contact our offices.

Sincerely,