Data Protection and Privacy Policy

Table of contents

  1. Policy Context
  2. Terms and Definitions
  3. Scope and Applicability
  4. Applicable Legislation and Regulations
  5. Policy Statement
  6. Treatment of Information
  7. Information Security
  8. Monitoring Compliance
  9. Disclosure to Third Parties and Third-Party Processors
  10. Data Subject Rights
  11. Non-Compliance and Breach

1. Policy Context

1.1 The Protection of Personal Information Act (POPIA), Act 4 of 2013, was enacted by the President of the Republic of South Africa on 1 July 2020. The POPI Act also amends the Promotion of Access to Information Act (PAIA), Act 2 of 2000.

1.2 The PAIA gives effect to the constitutional right of access to any information held by the State, and to any information held by a (natural or legal) person that is required for the exercise or protection of rights, subject to justifiable limitations, of which the protection of personal information is a key limitation.

1.3 The POPIA gives effect to section 14 of the Constitution of the Republic of South Africa, 1996, which provides that everyone has the right to privacy, including the right to protection against the unlawful collection, retention, dissemination and use of personal information. The Act provides for safeguarding personal information when it is processed by a responsible party, subject to justifiable limitations.

1.4 The POPI Act provides for the establishment of an Information Regulator to enforce the Act; the amended PAIA also falls under the jurisdiction of the Information Regulator.

1.5 The POPI Act requires public and private bodies (organisations) to implement policies, processes and procedures to give effect to the provisions of the Act.

1.6 Section 51 of the PAIA requires a private body (organisation) to publish a manual which describes:

1.6.1 in terms of the PAIA, the categories of records held by the body, in sufficient detail to facilitate a request for access to a record of the body; and

1.6.2 in terms of the POPIA, the purpose of the processing, a description of the categories of data subjects and of the information or categories of information relating to them, the recipients or categories of recipients to whom the personal information may be supplied, transborder flows of personal information, and a general description allowing a preliminary assessment of the suitability of the information security measures implemented by the responsible party to ensure the confidentiality, integrity and availability of the information to be processed.

1.7 The manual contemplated in section 1.6 must be available for inspection at OUR COMPANY WEBSITE.

1.8 This Privacy Policy is the anchor for the implementation of the POPIA and PAIA at OUR COMPANY WEBSITE.

2. Terms and Definitions

Personal information: Information relating to an identifiable, living, natural person or an identifiable, existing juristic person, including:

a)     race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth;

b)     information relating to the education or the medical, financial, criminal or employment history;

c)     any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment;

d)     the biometric information;

e)     the personal opinions, views or preferences;

f)      correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

g)     the views or opinions of another individual about the person; and

h)     the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Special personal information: Information relating to an identifiable, living, natural person:

a)     the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

b)     the criminal behaviour of a data subject to the extent that such information relates to—

(i)     the alleged commission by a data subject of any offence; or

(ii)   any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

Data subject: The person or legal entity to whom personal information relates.

Processing: Any operation or activity, or any set of operations, whether or not by automatic means, concerning personal information, including—

a)     the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

b)     dissemination by means of transmission, distribution or making available in any other form; or

c)     merging, linking, as well as restriction, degradation, erasure or destruction of information.

Responsible party: A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

Operator: A person or organisation who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

Information Officer: The head of a private body, who may appoint a Deputy Information Officer.

Consent: Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

De-identify: In relation to personal information of a data subject, means to delete any information that—

a)     identifies the data subject;

b)     can be used or manipulated by a reasonably foreseeable method to identify the data subject; or

c)     can be linked by a reasonably foreseeable method to other information that identifies the data subject.

Unique identifier: Any identifier that is assigned to a data subject and is used by a responsible party for the purposes of its operations and that uniquely identifies that data subject in relation to that responsible party.

3. Scope and Applicability

3.1 The scope of the Privacy Policy is all information and records that can be classified as personal or special personal information, and the processing of such information. The scope covers electronic information as well as non-electronic information assets (e.g. paper documents, drawings, etc.).

3.2 The Policy mandates the development, implementation and management of the processes, controls and accountability required to ensure OUR COMPANY WEBSITE’s compliance with POPIA and PAIA.

3.3 The Privacy Policy applies to OUR COMPANY WEBSITE and covers:

3.3.1 Customers;

3.3.2 Suppliers and service providers;

3.3.3 Employees, prospective employees and past employees;

3.3.4 Casual visitors.

4. Applicable Legislation and Regulations

4.1 The following legislation applies to this policy:

4.1.1 Companies Act (Act No. 71 of 2008);

4.1.2 Electronic Communications and Transactions Act (Act No. 25 of 2002);

4.1.3 Protection of Personal Information Act (Act No. 4 of 2013);

4.1.4 Promotion of Access to Information Act (Act No. 2 of 2000).

5. Policy Statement

5.1 In order to execute its core business, OUR COMPANY WEBSITE needs to collect, store, process and sometimes share information with third parties.

5.2 OUR COMPANY WEBSITE shall identify categories of data subjects and determine the minimum personal information about each category of data subject that it needs to collect, store, process and share (if relevant) in order to execute its core business operations and achieve its business objectives.

5.3 OUR COMPANY WEBSITE shall communicate, as required, the following information to a data subject:

5.3.1 The purpose for which personal information is collected;

5.3.2 Details of the personal information collected;

5.3.3 The processing that will be performed on the personal information;

5.3.4 Whether the personal information will be shared and with whom, and whether the data will be transferred to a foreign country;

5.3.5 How and where the personal information will be stored;

5.3.6 How long the personal information will be retained and what will happen to it when it is no longer required (e.g. shredding);

5.3.7 A description of the data security measures or safeguards that will be applied to the personal information (e.g. passwords, locked cupboards);

5.3.8 The processes to maintain the integrity of the personal information;

5.3.9 The data subject’s right to access his or her personal information;

5.3.10 The process the data subject needs to follow to access his or her personal information, or to inform OUR COMPANY WEBSITE of changes to, or inaccuracies in, the personal information.

5.4 The POPI Act defines the conditions for lawful processing of personal information, and these conditions will be applied by OUR COMPANY WEBSITE as follows:

5.4.1 Accountability: This policy establishes the development, implementation and management of the processes, controls and accountability required to ensure that the collection, storage and processing of personal information is compliant with the POPI Act.

5.4.2 Processing limitation: OUR COMPANY WEBSITE will only collect and process the personal information of a data subject that is necessary to achieve the purpose for which it is required.

5.4.3 Purpose specification: The purpose for which data about each category of data subject (e.g. customers, suppliers, employees, contractors, service providers) is collected, stored and processed shall be explicitly defined.

5.4.4 Further processing limitation: OUR COMPANY WEBSITE shall not process personal information for any purpose which is incompatible with the purpose for which the information was initially collected.

5.4.5 Information quality: OUR COMPANY WEBSITE is responsible for ensuring the currency and accuracy of the personal information in its possession or under its control, and shall implement the processes necessary to maintain the quality of the information.

5.4.6 Openness: OUR COMPANY WEBSITE shall disclose the information listed in 5.3, and shall develop and publish the manual required by PAIA as described in 1.6 and 1.7 above.

5.4.7 Security safeguards: OUR COMPANY WEBSITE shall amend its information security practices to provide for the requirements of the POPI Act, and shall implement the necessary technical and organisational measures to secure the integrity of personal information, prevent unauthorised or unlawful access to or processing of it, and guard against the risk of its loss, damage or destruction.

5.4.8 Data subject participation: A data subject is entitled to know what personal information is stored and processed by OUR COMPANY WEBSITE.

5.5 The POPIA stipulates that the head of a private body is its Information Officer, who is responsible for:

5.5.1 taking the steps necessary to ensure OUR COMPANY WEBSITE’s ongoing compliance with the provisions of the POPI Act, including but not limited to ensuring that all contracts entered into between OUR COMPANY WEBSITE and data subjects (e.g. employees, service providers …) contain the appropriate disclosure and consent clauses to allow lawful processing of personal information;

5.5.2 ensuring awareness among all staff, and training of personnel involved in the processing of personal information, so that all staff are aware of the risks associated with the processing of personal information and of the security controls implemented;

5.5.3 conducting, or ensuring that others conduct, regular compliance checks;

5.5.4 working with the Information Regulator on investigations related to OUR COMPANY WEBSITE, and acting as the designated contact point for all matters and issues related to the processing of personal information.

6. Treatment of Information

6.1 All paper-based information shall be stored in files in locked cabinets; electronic information shall be protected by password control.

6.2 Electronic data shall be backed up onto an external hard drive which is stored off-site.

6.3 Critical paper-based information (e.g. contracts) should be scanned and the electronic copy saved on the external hard drive.

6.4 OUR COMPANY WEBSITE will communicate via e-mail with suppliers and customers.

7. Information Security

7.1 Appropriate technical and organisational measures shall be implemented to secure the integrity and confidentiality of the information, and to prevent accidental or unlawful destruction or loss of, and unauthorised access to or disclosure of, personal information, both for the electronic information contained in the ICT systems and for hard-copy or paper documents.

8. Monitoring Compliance

8.1 The POPI Act requires the organisation to monitor its compliance with the provisions of the Act on an ongoing basis.

8.2 The Act further requires that the safeguards for information integrity and confidentiality be continually reviewed and updated in response to new risks. The Information Officer is responsible for ensuring that this is done and that the requirements of the POPI Act are complied with.

9. Disclosure to Third Parties and Third-Party Processors

OUR COMPANY WEBSITE may disclose personal information or personal data to:

9.1 legal and regulatory authorities that request personal data, or in order to report any potential or actual breach of applicable law or regulation;

9.2 third-party processors that provide specialist services to OUR COMPANY WEBSITE and are themselves legally bound to protect the personal information being processed;

9.3 law enforcement agencies, courts or other relevant parties, to the extent necessary for the establishment, exercise or defence of legal rights;

9.4 third parties where necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;

9.5 external professional advisers, such as accountants, auditors and lawyers, who are bound by confidentiality agreements and by protection of personal information legislation.

10. Data Subject Rights

10.1 Excluding normal customer purchases and business transactions, which carry implicit consent, OUR COMPANY WEBSITE will obtain prior consent from data subjects (e.g. clients, employees, suppliers) to collect and process their personal information, unless such processing is required by law or to protect the rights of a data subject.

11. Non-Compliance and Breach

11.1 An external breach of the Information Security policy, in the form of a security breach event, shall be handled via the breach process.

11.2 Accidental or unlawful destruction or loss of, and unauthorised access to or disclosure of, Personal Information shall be dealt with in the same manner.

11.3 An internal breach can occur through commission (e.g. unauthorised access, or attempted access, to data that a user is not authorised to access, or wilful entry of incorrect or fraudulent data into the system) or through omission.

11.4 A violation of a national law, including the POPI Act, can also result in civil and criminal liability and will be referred to the appropriate legal authorities.

*** END OF DOCUMENT ***