
POPIA and domestic workers: what you need to know as an employer

Author: Naledi Khumalo
Published: 13 April 2026
Length: 5 min read
Filed under: For Employers
Cover photograph supplied by the author.

The moment you ask a prospective employee for their ID number, POPIA begins to apply. This is not a hypothetical or an edge case awaiting legal interpretation. The Protection of Personal Information Act 4 of 2013 defines "processing" to include the collection of personal information, and it defines a "responsible party" as any person who determines the purpose of and means for processing. If you decided to ask for that ID number — to verify identity, to register for UIF, or simply because it seemed prudent — you made both of those determinations. You are a responsible party. The obligations that follow are not discretionary, and they do not disappear because your employee works in your home rather than your office.

01. The household exemption and its limits

Section 6(1)(c) of POPIA excludes from its application "the processing of personal information carried out solely for personal or household activity." Household employers frequently interpret this as a general exemption that covers all their employment-related data practices. It does not. The exemption was designed for genuinely private matters — a personal diary, a family photograph album, a list of friends' birthdays — not for the formal legal and economic relationship of employment. The personal information generated by that relationship exists because you are exercising functions as an employer, not because you are living your personal life. The Information Regulator has not yet published sector-specific guidance for domestic employers, but the Act's architecture makes the position clear: when you employ someone, you determine the purpose and means of processing their information, and you are bound by the Act's conditions accordingly.

This distinction matters because the category of information involved in domestic employment is neither trivial nor narrow. It typically includes the employee's full name and identity number, their banking details for wage payment, their contact numbers and home address, the details of their UIF registration, any sick notes or medical certificates they have provided, their work schedule, and the contents of whatever written or digital communications you have exchanged about their employment. All of it is personal information. All of it is being processed under your authority.

02. What processing means in practice

POPIA's definition of "processing" is deliberately broad. It covers collection, receipt, recording, organisation, storage, updating, retrieval, use, transmission, distribution, and destruction. This means that the ID copy in your household file, the photograph of their identity document on your phone, their bank account number saved in your contacts, their voice notes about leave or hours, and the WhatsApp thread in which you discussed their duties are all forms of processed personal information for which you bear responsibility as a responsible party.

Health information requires particular attention. Section 26 of the Act designates certain categories of information as "special personal information" — including information concerning health or sex life — and subjects this category to stricter processing conditions. If your employee has disclosed a medical condition, a pregnancy, or any other health-related matter, whether voluntarily or in the course of seeking sick leave, you are holding special personal information. Processing it requires explicit consent and cannot be justified by operational convenience.

03. The eight conditions for lawful processing

The Act's eight conditions for lawful processing are binding obligations, not guidelines. They apply to every responsible party, including household employers, and together they define what compliant data practice looks like in concrete terms.

The conditions require, in plain language, that personal information be collected only for a specific, explicitly defined, and legitimate purpose; that the data subject be made aware of the collection and its purpose; that the information collected be limited to what is necessary for that purpose; that it be complete, accurate, and not misleading; that it be kept no longer than is necessary to fulfil the purpose; that it be adequately secured against loss, damage, or unlawful access; that the data subject be informed of their rights; and that cross-border transfers of the information be subject to appropriate safeguards.

"Personal information must be collected for a specific, explicitly defined and legitimate purpose related to a function or activity of the responsible party." (POPIA, Section 13(1))

In practical terms, this shapes several common household employment habits. You should not retain an employee's personal information indefinitely after their employment ends — the purpose for which it was collected has passed, and retention beyond a reasonable period becomes unlawful. You should not share their details with third parties — including domestic worker agencies, labour brokers, or neighbouring households looking to hire — without their express consent. You should store whatever information you hold securely, which at minimum means a locked drawer or password-protected folder, not a shared family group chat.

04. UIF registration is itself a data processing act

One of the most common reasons household employers hold personal information is UIF registration. The Unemployment Insurance Act 63 of 2001 requires employers to register domestic workers and deduct and remit UIF contributions, which involves submitting the employee's name, identity number, earnings, and employment details to the Department of Employment and Labour. This is lawful processing — the law requires it — but the legal requirement for the registration itself does not exempt the underlying information from POPIA's other conditions. The information must still be collected correctly, stored securely, used only for its stated purpose, and not shared beyond what the registration process demands. The law requiring the act does not authorise every downstream use of the information the act generates.

Your employee also has rights you should understand. Section 23 of POPIA gives data subjects the right to know whether a responsible party holds personal information about them, and if so, what information and for what purpose. Section 24 gives them the right to request correction or deletion of inaccurate, irrelevant, or out-of-date information. These rights are enforceable, and the Information Regulator has the mandate and the powers to investigate complaints.

05. When non-compliance has consequences

POPIA provides for administrative fines of up to R10 million and, in serious cases, criminal penalties including up to ten years' imprisonment. The threshold for enforcement against individual household employers is lower than for large organisations, but the legal position is the same. A domestic worker whose ID number was shared without consent, whose health information was disclosed to a third party, or whose employment records were retained years after dismissal has standing to lodge a complaint with the Information Regulator, and the Regulator has the power to act on it.

The more immediate consequence of non-compliance tends to be evidentiary. When disputes reach the Commission for Conciliation, Mediation and Arbitration — whether over dismissal, wages, or conduct — an employer who cannot account for how they handled their employee's personal information, or who shared information in ways that were not authorised, finds themselves managing two problems at once.

06. What compliant practice looks like

Compliance does not require a lawyer or a formal data management system. It requires intention. Collect only the personal information you genuinely need. Keep it securely. Tell your employee what you hold and why. Correct it when it is wrong. Destroy it — properly, which means beyond reasonable retrieval — when the employment relationship has ended and there is no ongoing legal reason to retain it. If you use a digital platform to manage employment verification records, understand what information that platform holds on your behalf, under what terms, and what happens to that information when you stop using the service.

The domestic employment relationship generates some of the most sensitive personal information in any South African household. The frameworks POPIA creates were designed precisely for the context in which one person holds significant power over another person's economic life. Understanding what that means in law is the first step toward acting on it responsibly.

About the author

Naledi Khumalo, Information Officer, Hustla

Naledi runs Hustla's POPIA programme. She writes about what the act actually means in the kinds of households and small businesses we serve.
