Who Represents Your Organisation?
Virgin Active was recently in the news, unfortunately for the wrong reasons. It was reported that they contracted with a known Interpol fugitive at one of their branches as a personal trainer. They initially indicated that the individual was a contractor and has been suspended pending an investigation into the allegations. Virgin Active has since severed ties with the individual. This incident should however at least serve as a cautionary tale for any director or person in charge of a business. The risk of reputational damage is not only ringfenced to employees but can include anyone who represents your brand. In other words, this is not merely a human resources issue; it is a matter of governance.
The regulatory gold standard
Those businesses that are authorised as financial services providers (“FSPs”) have been required to screen employees for years. In terms of Board Notice 194 of 2017 representatives and key individuals must meet the fit and proper requirements, which includes honesty, integrity and competence requirements. Needless to say, South African companies have learned by now that the information offered by candidates should be verified – trust but verify. Due to fraud in the regulatory exams (“RE”) space for example, FSPs are required to verify the authenticity of RE certificates.
For accountable institutions, Directive 8 issued by the Financial Intelligence Centre, similarly requires the periodic screening of prospective and current employees for competence and integrity using a risk-based approach and scrutinising employee information against targeted financial sanctions lists. Public Compliance Communication (“PCC”) 55 provides practical guidance on implementing Directive 8 and gives examples of possible ways of testing competence and integrity. Some of the examples given in the PCC for determining competence and integrity include determining any criminal record, and checking qualifications, designations and employment history. The Financial Intelligence Centre Act 38 of 2001 is also quite clear on who takes responsibility for compliance with the obligations in the act: the board of directors1.
Other industries
Don’t be misled by the fact that only FSPs and accountable institutions are subject to regulatory scrutiny in this area. Other industries face similar governance and financial risks. The controls to mitigate these risks are just legislated.
In Umgeni Water v Naidoo2 the court had to address the issue of fraudulent misrepresentation of a qualification. The prospective employee provided Umgeni Water with a B Sc. in Chemical Engineering when he applied to their graduate programme. The qualification was only verified a few years later when he applied for another position with Umgeni Water. The verification failed and Umgeni Water was awarded repayment of in excess of R2 million in respect of payments made to him during his employment at Umgeni Water.
Privacy guardrails
Screening of employees cannot be conducted unchecked though. Businesses must always ensure that they comply with for example the Labour Relations Act 66 of 1995 and the Basic Conditions of Employment Act 75 of 1997.
Also, conducting background checks are intrusive and requires the processing of personal information such as employment history, educational background, criminal record, etc. You will need to demonstrate that you comply with all eight conditions for lawful processing as prescribed in the Protection of Personal Information Act (“POPIA”). Amongst others you must be able to demonstrate that you have a lawful reason for processing all this personal information.
Section 11 of POPIA provides that personal information can only be processed if, amongst other things, the data subject has given consent, to comply with an obligation in law, to protect a legitimate interest of the data subject, etc. Providers of screening services usually require you to upload a written consent from the individual being screened before the screening will be conducted. Remember that POPIA require that the consent must be voluntary, specific and informed and that consent is not necessarily the be all and end all of POPIA compliance. You must therefore make sure that you disclose to candidates what the screening process entails, why we need to screen, keep it relevant and securely store the information with limited access.
You also need to be mindful of the fact that some of the personal information that you are processing may include special personal information3.
When all is said and done in terms of POPIA, the buck stops with the Information Officer, who is defined as the head of a juristic person, that is the CEO or equivalent designation4.
Governance concern
There has been a fair amount of commentary on the recent Virgin Active incident. Ultimately this is a governance issue. Governance is not tested when everything works, it is tested when something goes wrong. Governance is not just what you write in your policies but is about effective leadership that results in good risk management, institutional integrity and trust from stakeholders. Board responsibility does not stop with strategy and financial oversight but extends to something as fundamental as to who you allow to represent your brand and who you allow to have access to your clients.
The wau-difference
In light of the recent news events, I told one of our payroll team members of the importance of the work they do for wauko. They together with compliance are responsible for our employee screening. In line with the risk-based approach set out in our Risk Management and Compliance Programme we conduct sanctions screening, employment history checks, criminal record checks, etc. Our team can do the same for you to give you peace of mind. If employee screening is a major risk you face, connect with Marianne Mokken on 021-819 7813 or mmokken@wauko.com.
Footnotes
- Section 42A of FICA
- [2023] 1 All SA 857 (KZP)
-
Section 26 defines the following as special personal information:(a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject;(b) the criminal behaviour of a data subject to the extent that such information relates to—(i) the alleged commission by a data subject of any offence; or (ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
- Section 1 of the Promotion of Access to Information Act 2 of 2000

