The right to privacy is an integral human right recognised and protected in the South African Constitution and in the Protection of Personal Information Act 4 of 2013 (“POPIA”).
POPIA aims to promote the protection of privacy through providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive manner.
Through the provision of quality goods and services, the organisation is necessarily involved in the collection, use and disclosure of certain aspects of the personal information of clients, customers, employees and other stakeholders.
A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions.
Given the importance of privacy, the organisation is committed to effectively managing personal information in accordance with POPIA’s provisions.
2.1 Personal Information
Personal information is any information that can be used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person (such as a company), including, but not limited to, information concerning:
- race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person;
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
2.2 Data Subject
This refers to the natural or juristic person to whom personal information relates, such as an individual client, customer or a company that supplies the organisation with products or other goods.
2.3 Responsible Party
The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. In this case, the organisation is the responsible party.
2.4 Operator
An operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party; for example, a third-party service provider that has contracted with the organisation to shred documents containing personal information. When dealing with an operator, it is considered good practice for a responsible party to include an indemnity clause.
2.5 Information Officer
The Information Officer is responsible for ensuring the organisation’s compliance with POPIA.
Where no Information Officer is appointed, the head of the organisation will be responsible for performing the Information Officer’s duties.
Once appointed, the Information Officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties. Deputy Information Officers can also be appointed to assist the Information Officer.
2.6 Processing
The act of processing information includes any activity or any set of operations, whether or not by automatic means, concerning personal information and includes:
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as any restriction, degradation, erasure or destruction of information.
2.7 Record
Means any recorded information, regardless of form or medium, including:
- Writing on any material;
- Information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
- Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
- Book, map, plan, graph or drawing;
- Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.
2.8 Filing System
Means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
2.9 Unique Identifier
Means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.
2.10 De-identify
This means to delete any information that identifies a data subject, or that can be used by a reasonably foreseeable method to identify the data subject, or that, when linked to other information, identifies the data subject.
2.11 Re-identify
In relation to the personal information of a data subject, means to resurrect any information that has been de-identified and that identifies the data subject, or that can be used or manipulated by a reasonably foreseeable method to identify the data subject.
2.12 Consent
Means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
2.13 Direct Marketing
Means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
- Promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
- Requesting the data subject to make a donation of any kind for any reason.
2.14 Biometrics
Means a technique of personal identification that is based on physical, physiological or behavioural characterisation, including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.
The purpose of this policy is to protect the organisation from the compliance risks associated with the protection of personal information, which include:
- For instance, the organisation could suffer loss in revenue where it is found that the personal information of data subjects has been shared or disclosed inappropriately.
- Failing to offer choice. For instance, all data subjects should be free to choose how and for what purpose the organisation uses information relating to them.
- Reputational damage. For instance, the organisation could suffer a decline in shareholder value following an adverse event such as a computer hacker deleting the personal information held by the organisation.
This policy demonstrates the organisation’s commitment to protecting the privacy rights of data subjects in the following manner:
- Through stating desired behaviour and directing compliance with the provisions of POPIA and best practice.
- By assigning specific duties and responsibilities to control owners, including the appointment of an Information Officer and where necessary, Deputy Information Officers in order to protect the interests of the organisation and data subjects.
- By raising awareness through training and providing guidance to individuals who process personal information so that they can act confidently and consistently.
This policy and its guiding principles apply to:
- The organisation’s governing body
- All branches, business units and divisions of the organisation
- All employees and volunteers
- All contractors, suppliers and other persons acting on behalf of the organisation
The policy’s guiding principles find application in all situations and must be read in conjunction with POPIA as well as the organisation’s PAIA Policy as required by the Promotion of Access to Information Act (Act No 2 of 2000).
The legal duty to comply with POPIA’s provisions is activated in any situation where there is:
- A processing of
- personal information
- entered into a record
- by or for a responsible person
- who is domiciled in South Africa.
POPIA does not apply in situations where the processing of personal information:
- is concluded in the course of purely personal or household activities, or
- where the personal information has been de-identified.
All employees and persons acting on behalf of the organisation will at all times be subject to, and act in accordance with, the following guiding principles:
Failing to comply with POPIA could potentially damage the organisation’s reputation or expose the organisation to a civil claim for damages. The protection of personal information is therefore everybody’s responsibility.
The organisation will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, the organisation will take appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.
- in a fair, lawful and non-excessive manner, and
- only with the informed consent of the data subject, and
- only for a specifically defined purpose.
The organisation will inform the data subject of the reasons for collecting his, her or its personal information and obtain written consent prior to processing personal information.
Alternatively, where services or transactions are concluded over the telephone or electronic video feed, the organisation will maintain a voice recording of the stated purpose for collecting the personal information followed by the data subject’s subsequent consent.
The organisation will under no circumstances distribute or share personal information between separate legal entities, associated organisations (such as subsidiary companies) or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected.
Where applicable, the data subject must be informed of the possibility that their personal information will be shared with other aspects of the organisation’s business and be provided with the reasons for doing so.
All of the organisation’s business units and operations must be informed by the principle of transparency.
The organisation will process personal information only for specific, explicitly defined and legitimate reasons. The organisation will inform data subjects of these reasons prior to collecting or recording the data subject’s personal information.
Personal information will not be processed for a secondary purpose unless that processing is compatible with the original purpose.
Therefore, where the organisation seeks to process personal information it holds for a purpose other than the original purpose for which it was originally collected, and where this secondary purpose is not compatible with the original purpose, the organisation will first obtain additional consent from the data subject.
The organisation will take reasonable steps to ensure that all personal information collected is complete, accurate and not misleading.
The more important it is that the personal information be accurate (for example, the beneficiary details of a life insurance policy are of the utmost importance), the greater the effort the organisation will put into ensuring its accuracy.
Where personal information is collected or received from third parties, the organisation will take reasonable steps to confirm that the information is correct by verifying the accuracy of the information directly with the data subject or by way of independent sources.
The organisation will take reasonable steps to ensure that data subjects are notified (are at all times aware) that their personal information is being collected, including the purpose for which it is being collected and processed.
The organisation will ensure that it establishes and maintains a “contact us” facility, for instance via its website or through an electronic helpdesk, for data subjects who want to:
- Enquire whether the organisation holds related personal information, or
- Request access to related personal information, or
- Request the organisation to update or correct related personal information, or
- Make a complaint concerning the processing of personal information.
- The organisation will manage the security of its filing system to ensure that personal information is adequately protected. To this end, security controls will be implemented in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction.
- Security measures also need to be applied in a context-sensitive manner. For example, the more sensitive the personal information, such as medical information or credit card details, the greater the security required.
- The organisation will continuously review its security controls which will include regular testing of protocols and measures put in place to combat cyber-attacks on the organisation’s IT network.
- The organisation will ensure that all paper and electronic records comprising personal information are securely stored and made accessible only to authorised individuals.
- All new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of personal information for which the organisation is responsible.
- All existing employees will, after the required consultation process has been followed, be required to sign an addendum to their employment contract containing the relevant consent and confidentiality clauses.
- The organisation’s operators and third-party service providers will be required to enter into service level agreements with the organisation where both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.
A data subject may request the correction or deletion of his, her or its personal information held by the organisation.
The organisation will ensure that it provides a facility for data subjects who want to request the correction or deletion of their personal information.
Where applicable, the organisation will include a link to unsubscribe from any of its electronic newsletters or related marketingactivities.
The organisation will appoint an Information Officer and where necessary, a Deputy Information Officer to assist the Information Officer.
The organisation’s Information Officer is responsible for ensuring compliance with POPIA.
There are no legal requirements under POPIA for an organisation to appoint an Information Officer.
Appointing an Information Officer is, however, considered to be a good business practice, particularly within larger organisations.
Where no Information Officer is appointed, the head of the organisation will assume the role of the Information Officer. Consideration will be given on an annual basis to the re-appointment or replacement of the Information Officer and the re-appointment or replacement of any Deputy Information Officers.
Once appointed, the organisation will register the Information Officer with the South African Information Regulator established under POPIA prior to performing his or her duties.
“Information Officer Appointment Letter” can be found under Annexure A5.
The organisation’s governing body cannot delegate its accountability and is ultimately answerable for ensuring that the organisation meets its legal obligations in terms of POPIA.
- The organisation appoints an Information Officer and, where necessary, a Deputy Information Officer.
- All persons responsible for the processing of personal information on behalf of the organisation are appropriately trained and supervised to do so,
- understand that they are contractually obligated to protect the personal information they come into contact with, and
- Data subjects who want to make enquiries about their personal information are made aware of the procedure that needs to be followed should they wish to do so.
- The scheduling of a periodic POPI Audit in order to accurately assess and review the ways in which the organisation collects, holds, uses, shares, discloses, destroys and processes personal information.
The organisation’s Information Officer is responsible for:
- Taking steps to ensure the organisation’s reasonable compliance with the provisions of POPIA.
- Keeping the governing body updated about the organisation’s information protection responsibilities under POPIA. For instance, in the case of a security breach, the Information Officer must inform and advise the governing body of their obligations pursuant to POPIA.
- Continually analysing privacy regulations and aligning them with the organisation’s personal information processing procedures. This will include reviewing the organisation’s information protection procedures and related policies.
- Ensuring that POPI Audits are scheduled and conducted on a regular basis.
- Ensuring that the organisation makes it convenient for data subjects who want to update their personal information or submit POPI related complaints to the organisation. For instance, maintaining a “contact us” facility on the organisation’s website.
- Approving any contracts entered into with operators, employees and other third parties which may have an impact on the personal information held by the organisation. This will include overseeing the amendment of the organisation’s employment contracts and other service level agreements.
- Encouraging compliance with the conditions required for the lawful processing of personal information.
- Ensuring that employees and other persons acting on behalf of the organisation are fully aware of the risks associated with the processing of personal information and that they remain informed about the organisation’s security controls.
- Organising and overseeing the awareness training of employees and other individuals involved in the processing of personal information on behalf of the organisation.
- Addressing employees’ POPIA related questions.
- Addressing all POPIA related requests and complaints made by the organisation’s data subjects.
- Working with the Information Regulator in relation to any ongoing investigations. The Information Officer will therefore act as the contact point for the Information Regulator on issues relating to the processing of personal information and will consult with the Information Regulator, where appropriate, with regard to any other matter.
Employees and other persons acting on behalf of the organisation will, during the course of the performance of their services, gain access to and become acquainted with the personal information of certain clients, suppliers and other employees.
Employees and other persons acting on behalf of the organisation are required to treat personal information as a confidential business asset and to respect the privacy of data subjects.
Employees and other persons acting on behalf of the organisation may not directly or indirectly utilise, disclose or make public in any manner to any person or third party, either within the organisation or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties.
Employees and other persons acting on behalf of the organisation must request assistance from their line manager or the Information Officer if they are unsure about any aspect related to the protection of a data subject’s personal information.
- The data subject, or a competent person where the data subject is a child, consents to the processing; or
- The processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party; or
- The processing complies with an obligation imposed by law on the responsible party; or
- The processing protects a legitimate interest of the data subject; or
- Clearly understands why and for what purpose his, her or its personal information is being collected; and
- Has granted the organisation explicit written or verbally recorded consent to process his, her
Employees and other persons acting on behalf of the organisation will consequently, prior to processing any personal information, obtain a specific and informed expression of will from the data subject, in terms of which permission is given for the processing of personal information.
Informed consent is therefore when the data subject clearly understands for what purpose his, her or its personal information is needed and who it will be shared with.
Consent can be obtained in written form, which includes any appropriate electronic medium that is accurately and readily reducible to printed form. Alternatively, the organisation will keep a voice recording of the data subject’s consent in instances where transactions are concluded telephonically or via electronic video feed.
Consent to process a data subject’s personal information will be obtained directly from the data subject, except where:
- valid consent has been given to a third party, or
- the information is necessary for effective law enforcement.
- Process or have access to personal information where such processing or access is not a requirement to perform their respective work-related tasks or duties.
- Save copies of personal information directly to their own private computers, laptops or other mobile devices like tablets or smart phones. All personal information must be accessed and updated from the organisation’s central database or a dedicated server.
- Share personal information informally. In particular, personal information should never be sent by email, as this form of communication is not secure. Where access to personal information is required, this may be requested from the relevant line manager or the Information Officer.
- Keeping all personal information that they come into contact with secure, by taking sensible precautions and following the guidelines outlined within this policy.
- Ensuring that personal information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created.
- Ensuring that personal information is encrypted prior to sending or sharing the information electronically. The IT Manager will assist employees and where required, other persons acting on behalf of the organisation, with the sending or sharing of personal information to or with authorised external persons.
- Ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store personal information are password protected and never left unattended. Passwords must be changed regularly and may not be shared with unauthorised persons.
- Ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks.
- Ensuring that where personal information is stored on removable storage medias such as external drives, CDs or DVDs that these are kept locked away securely when not being used.
- Ensuring that where personal information is stored on paper, that such hard copy records are kept in a secure place where unauthorised people cannot access it. For instance, in a locked drawer of a filing cabinet.
- Ensuring that where personal information has been printed out, that the paper printouts are not left unattended where unauthorised individuals could see or copy them. For instance, close to the printer.
- Taking reasonable steps to ensure that personal information is kept accurate and up to date. For instance, confirming a data subject’s contact details when the client or customer phones or communicates via email. Where a data subject’s information is found to be out of date, authorisation must first be obtained from the relevant line manager or the Information Officer to update the information accordingly.
- Taking reasonable steps to ensure that personal information is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected. Where personal information is no longer required, authorisation must first be obtained from the relevant line manager or the Information Officer to delete or dispose of the personal information in the appropriate manner.
Where an employee, or a person acting on behalf of the organisation, becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction or the unsanctioned disclosure of personal information, he or she must immediately report this event or suspicion to the Information Officer or the Deputy Information Officer.
The organisation’s Information Officer will schedule periodic POPI Audits. The purpose of a POPI audit is to:
- Identify the processes used to collect, record, store, disseminate and destroy personal information.
- Determine the flow of personal information throughout the organisation. For instance, the organisation’s various business units, divisions, branches and other associated organisations.
- Redefine the purpose for gathering and processing personal information.
- Ensure that the processing parameters are still adequately limited.
- Ensure that new data subjects are made aware of the processing of their personal information.
- Re-establish the rationale for any further processing where information is received via a third party.
- Verify the quality and security of personal information.
- Monitor the extent of compliance with POPIA and this policy.
- Monitor the effectiveness of internal controls established to manage the organisation’s POPI related
In performing the POPI Audit, Information Officers will liaise with line managers in order to identify areas within the organisation’s operation that are most vulnerable or susceptible to the unlawful processing of personal information.
Information Officers will be permitted direct access to and have demonstrable support from line managers and the organisation’s governing body in performing their duties.
Data subjects have the right to:
- Request what personal information the organisation holds about them and why.
- Request access to their personal information.
- Be informed how to keep their personal information up to date.
Access to information requests can be made by email, addressed to the Information Officer. The Information Officer will provide the data subject with a “Personal Information Request Form”.
Once the completed form has been received, the Information Officer will verify the identity of the data subject prior to handing over any personal information. All requests will be processed and considered against the organisation’s PAIA Policy.
The Information Officer will process all requests within a reasonable time.
Data subjects have the right to complain in instances where any of their rights under POPIA have been infringed upon. The organisation takes all complaints very seriously and will address all POPI related complaints in accordance with the following procedure:
- POPI complaints must be submitted to the organisation in writing. Where so required, the Information Officer will provide the data subject with a “POPI Complaint Form”.
- Where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within 1 working day.
- The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within 2 working days.
- The Information Officer will carefully consider the complaint and address the complainant’s concerns in an amicable manner. In considering the complaint, the Information Officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA.
- The Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on the organisation’s data subjects.
- Where the Information Officer has reason to believe that the personal information of data subjects has been accessed or acquired by an unauthorised person, the Information Officer will consult with the organisation’s governing body where after the affected data subjects and the Information Regulator will be informed of this breach.
- The Information Officer will revert to the complainant with a proposed solution with the option of escalating the complaint to the organisation’s governing body within 7 working days of receipt of the complaint. In all instances, the organisation will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines.
- The Information Officer’s response to the data subject may comprise any of the following:
- A suggested remedy for the complaint,
- A dismissal of the complaint and the reasons as to why it was dismissed,
- An apology (if applicable) and any disciplinary action that has been taken against any employees involved.
- Where the data subject is not satisfied with the Information Officer’s suggested remedies, the data subject has the right to complain to the Information Regulator.
- The Information Officer will review the complaints process to assess the effectiveness of the procedure on a periodic basis and to improve the procedure where it is found wanting. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to POPI related complaints.
Where a POPI complaint or a POPI infringement investigation has been finalised, the organisation may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy.
In the case of ignorance or minor negligence, the organisation will undertake to provide further awareness training to the employee.
Any gross negligence or the wilful mismanagement of personal information, will be considered a serious form of misconduct for which the organisation may summarily dismiss the employee. Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence.
Examples of immediate actions that may be taken subsequent to an investigation include:
- A recommendation to commence with disciplinary action.
- A referral to appropriate law enforcement agencies for criminal investigation.
- Recovery of funds and assets in order to limit any prejudice or damages caused.