1.1. The Organisation: The Respublica Group (Pty) Ltd, its subsidiaries and affiliated companies.
1.2. Registration Number: 2020/136398/07
1.3. VAT Registration Number: 423097055
1.4. Physical Address: Silver Stream Business Park, 10 Muswell Road, Bryanston.
2. POLICY STATEMENT
2.1. Every person has rights with regard to how their personal information is handled and protected. In order to carry out its business and provide its services, the organisation set out in item 1.1 of the Schedule (“Organisation”) may collect, store and process personal information about:
2.1.4. service providers / suppliers; and
2.1.5. business contacts.
2.2. The Organisation recognises the need to treat this information in an appropriate and lawful manner. The Organisation is committed to complying with its obligations in this regard in respect of all personal information it handles, in a manner which maintains the confidence of the Organisation’s customers, service providers / suppliers, business contacts and employees.
2.3. The Protection of Personal Information Act no. 4 of 2013 (“POPIA”) and regulations (2018) relate to identifiable, living, natural persons and identifiable, existing, juristic persons. The European Union General Data Protection Regulation (“GDPR”) only relates to the information of European Citizens (natural persons). Additional privacy legislation may also be applicable should the Organisation also conduct business in another country.
2.4. The types of information that the Organisation may be required to handle include details of current, past and prospective employees, service providers / suppliers, customers, consumers and other business contacts that the Organisation communicates with. The information would typically include names, addresses, email addresses, dates of birth, identity / passport numbers, phone numbers, private and confidential information and, potentially, special personal information. In addition, the Organisation may occasionally be required to collect and use certain additional types of personal information to comply with the requirements of the law.
2.5. The information may be stored on paper, electronically or by other media and is subject to certain legal safeguards specified in POPIA and GDPR, and potentially other applicable acts and regulations. The provisions of POPIA and GDPR impose restrictions on how the Organisation may collect and process the personal information in question.
3. DEFINITIONS OF TERMS USED IN THIS POLICY
3.1. POPIA Definitions
3.1.1. “data subject” means all living, identifiable natural or juristic persons about whom the Organisation holds personal information or special personal information;
3.1.2. “operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
3.1.3. “personal information” means information relating to an identifiable, living, natural or juristic person, including (i) factual information, such as identity and passport numbers, names, addresses, phone numbers, email addresses and the like, or (ii) opinions regarding a data subject, such as a performance appraisal;
3.1.4. “processing POPIA” means any operation or activity, whether or not by automatic means, concerning personal information, including the:
126.96.36.199. collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use of personal information;
188.8.131.52. dissemination of such information by means of transmission, distribution or making available in any other form; or
184.108.40.206. merging, linking, as well as restriction, degradation, erasure or destruction of information;
3.1.5. “responsible party” means a public or private body, or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information; and
3.1.6. “special personal information” means more sensitive information about an individual that pertains to racial or ethnic origins, political, religious or philosophical beliefs, health or sexual life, trade union membership or political persuasion, biometric information or criminal behaviour (to the extent that such criminal behaviour relates to the alleged commission by a data subject of an offence or any proceedings in respect of any offence allegedly committed by a data subject, which can only be processed under strict conditions and will usually require the express written consent of the data subject concerned.
4. PURPOSE AND SCOPE OF THE POLICY
4.1. This Policy sets out the Organisation’s general rules and the important legal conditions that must be satisfied in relation to the collecting, obtaining, handling, processing, storage, transportation and destruction of identifiable personal and special personal information.
4.2. This Policy also describes the privacy compliance framework and information governance of the Organisation in detail.
4.3. This Policy is applicable to all (i) employees, (ii) contractors, (iii) visitors, and / or (iv) other persons authorised to access and use the Organisation’s systems (“Users”).
5. PRIVACY COMPLIANCE FRAMEWORK
5.1.1. To ensure compliance with the requirements of relevant privacy legislation such as POPIA, the focus areas that must be addressed to be compliant are as follows:
220.127.116.11. process; and
6. INFORMATION PROCESSING PRINCIPLES
6.1. POPIA: The Organisation fully supports and complies with the 8 (Eight) protection principles of POPIA which are summarised below:
6.1.1. Accountability: a responsible party must ensure that the information processing principles are complied with;
6.1.2. Processing limitation: personal information must be processed lawfully and in a reasonable manner;
6.1.3. Purpose specification: personal information must be obtained/ processed for specific lawful purposes;
6.1.4. Further processing limitation: further processing of personal information must be in accordance or compatible with the purpose/s for which it was originally collected;
6.1.5. Information quality: personal information must be complete, accurate, not misleading and kept up to date;
6.1.6. Openness: personal information may only be processed by a responsible party who has taken reasonable steps to notify the data subject;
6.1.7. Security safeguards: personal information must be kept secure, and its confidentiality and integrity must be maintained; and
6.1.8. Data subject participation: a data subject has the right to request the responsible party to confirm, free of charge, whether or not the responsible party holds personal information, together with a description of the personal information held by such responsible party.
6.2.1. The provisions of POPIA are intended not to prevent the processing of personal information, but to make sure that a responsible party ensures that the information processing principles as set out in POPIA, and all the measures that give effect to the principles, are complied with.
6.2.2. The data subject must be told the identity of the responsible party (in this case, the Organisation) and the purpose for which personal information is to be processed by the Organisation.
6.2.3. This Policy, developed by the Organisation to protect privacy, is available at the Organisation premises and is also accessible online at the Organisation’s website. This Policy outlines the Organisation’s commitment to privacy.
6.3. PROCESSING LIMITATION
6.3.1. For personal information to be processed lawfully, certain conditions have to be met. These may include, amongst other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the responsible party or the party to whom the personal information is disclosed. When special personal information is being processed, in most cases the data subject’s explicit consent to the processing of such special personal information will be required.
6.3.2. A responsible party must collect personal information directly from the data subject unless (i) information is in a public record, (ii) the data subject has consented, (iii) the collection of personal information does not prejudice the legitimate interest of the data subject, or (iv) collection is necessary to comply with, or to avoid prejudice with or to the maintenance of, laws; to enforce legislation concerning the collection of revenue; for purposes of proceedings in a court; or in the interest of national security.
6.4. PURPOSE SPECIFICATION
6.4.1. Personal information may only be processed for a specific and lawful purpose, or for any other purpose specifically permitted by POPIA, and steps must be taken to ensure that the data subject is aware of the purpose of the collection of the personal information. The Organisation undertakes not to (i) collect personal information for one purpose and then use the personal information for another purpose, or (ii) retain personal information for any longer than is necessary for achieving the purpose for which the information was collected.
6.4.2. Personal information should only be collected to the extent that it is required for the specific purpose communicated to the data subject. Any personal information which is not necessary for that purpose should not be collected by the Organisation.
6.4.3. If it becomes necessary to change the purpose for which the personal information is processed, the data subject will be informed of the new purpose before any processing occurs. Any employee personal information collected by the Organisation will be used for ordinary human resources purposes. Where there is a need to collect employee personal information for any other purpose, the Organisation will notify the employee in question of this and, where it is appropriate and practicable, the Organisation will get the employee’s consent prior to such processing.
6.4.4. Where the Organisation collects personal information directly from a data subject, the personal information collected and processed by the Organisation, such as identity number, proof of address and the like, will only be used for the required purpose.
6.5. FURTHER PROCESSING LIMITATION
6.5.1. Personal information should not be kept longer than is necessary for the purpose for which it was collected. For guidance in relation to a particular personal information retention period, a User should contact the Organisation. The Organisation has various legal obligations to keep certain personal information of Users for a specified period of time. In addition, the Organisation may need to retain personal information for a period of time to protect its legitimate commercial and other interests.
6.5.2. The Organisation will not use any personal information for any purpose other than that for which it received the information in the first place, unless any further processing of such information is compatible with the original purposes for which the information was collected.
6.6. INFORMATION QUALITY
6.6.1. Personal information must be complete, accurate, and kept up to date. Personal information which is incorrect, misleading or is not accurate, steps will be taken to check the accuracy of any personal information at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date personal information will be destroyed. Employees should ensure that they notify their manager / human resources of any relevant changes to their personal information so that it can be updated and maintained accurately.
6.6.2. All personal information which is in paper form should be destroyed only by shredding. If the personal information is held electronically, the Organisation aims to ensure that a reputable service provider destroys the personal information so that there is no future record of the information and the Organisation undertakes to obtain an undertaking from the applicable service provider in this regard.
6.7.1. Personal information may only be processed by the Organisation if the Organisation has notified the data subject that the Organisation has obtained the information from legitimate sources.
6.7.2. In cases where the Organisation works directly with a data subject, the Organisation shall take reasonable, practicable steps to ensure that the data subject is aware of the following:
18.104.22.168. What information is being collected and, where it is not collected from the data subject, the source of the information;
22.214.171.124. The full name and addresses of the Organisation;
126.96.36.199. The purpose for which the information is being collected;
188.8.131.52. Whether supplying the personal information to the Organisation is voluntary or mandatory;
184.108.40.206. The consequences of failure to provide the information;
220.127.116.11. The applicable law authorising or requiring the collection of the information;
18.104.22.168. The right to lodge a complaint against the Organisation the Regulator; and
22.214.171.124. Any further relevant information, such as recipient or category of recipients of information, nature of information, existence of the right of access and the right to rectify information collection.
6.8. SECURITY SAFEGUARDS
6.8.1. The Organisation and its employees aim to ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal information, and against the accidental loss of, or damage to, personal information.
6.8.2. The Organisation undertakes to put in place procedures and technologies to maintain the security of all personal information. Personal Information may only be transferred to an operator if the operator has agreed to comply with those procedures and policies or has adequate security measures in place.
6.8.3. Users may refer to the Organisation’s information security and related policies for further information concerning the Organisation’s security safeguards.
6.8.4. The following principles must be maintained by the Organisation:
126.96.36.199. Confidentiality: that only people who are authorised to use the personal information in question can access it. The Organisation ensures that only authorised persons have access to an employee’s personnel file and any other personal or special information held by the Organisation. Employees are required to maintain the confidentiality of any personal information and / or special personal information that they have access to.
188.8.131.52. Integrity: that proper security safeguards are in place to ensure the maintenance and assurance, of the accuracy and consistency of information / data over its entire life cycle.
184.108.40.206. Availability: that authorised users should be able to access the personal information if they need it for an authorised purpose.
6.8.5. Examples of security procedures at the Organisation include:
220.127.116.11. Secure lockable desks and Cupboards – desks and cupboards must be kept locked if they hold confidential personal identifiable information of any kind;
18.104.22.168. Methods of Disposal – paper documents must be shredded. CD ROMs and USB keys should be physically destroyed when they are no longer required;
22.214.171.124. Equipment – data users must ensure that individual computer monitors do not show confidential information to passers-by and that they log off from their computer when it is left unattended; and
126.96.36.199. User Management – any access to the Organisation’s database is logged by the Organisation through a username and password system. Any changes / updates / uploads to the system are constantly tracked.
6.8.6. Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the Organisation or any third party processing personal information under the authority of the Organisation, must notify the Regulator and the data subject as soon as is reasonably possible, taking into consideration the time that is taken by the Organisation to determine the scope of the breach and to restore the integrity of its information systems.
6.8.7. Any notification to a data subject must be in writing and communicated to the data subject in at least one of the following ways:
188.8.131.52. Mailed to the data subjects last known physical or postal address;
184.108.40.206. Sent by email to the data subjects last known email address;
220.127.116.11. Placed in a prominent position on the website of the Organisation;
18.104.22.168. Published in the news media; or
22.214.171.124. As directed by the Regulator.
6.8.8. The notification referred to above must provide sufficient information to all the affected data subjects to take protective measures against the potential consequences of the security compromise including:
126.96.36.199. a description of the possible consequences of the security compromise;
188.8.131.52. a description of the measures that the Organisation intends to take or has taken to address the security compromise;
184.108.40.206. a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
220.127.116.11. if known to the Organisation, the identity of the unauthorised person who may have accessed or acquired the personal information in question.
6.9. DATA SUBJECT PARTICIPATION
6.9.1. A formal request from a data subject for information that the Organisation holds about them must be made in writing, accompanied with adequate proof of identification (in most instances, a certified copy of the individual’s identity document or passport and proof of residence will be sufficient).
6.9.2. Any employees who receive a written request in respect of data held by the Organisation must forward it to the information officer immediately.
6.9.3. Any individual requesting personal information that may be held by the Organisation will be referred by the relevant employee to whom the request was made to the information officer, who will process the request. The information officer will either process the request directly or will direct such employee to request a certified copy of the individual’s identity document or passport as well as proof of address. Once this is received, the employee will then be authorised to release the personal information to the individual. The employee must:
18.104.22.168. record the request in the request register / system; and
22.214.171.124. safely store the certified copy of the identity document and passport either in a file in a locked cupboard (if in paper format) or online in an encrypted folder which cannot be accessed by unauthorised personnel. Storage of these documents should be kept for 1 (one) year, after which they must be properly destroyed.
6.9.4. Any employee dealing with telephonic enquiries from data subjects should guard against disclosing any personal information held by the Organisation over the phone. In particular, the employee must:
126.96.36.199. check the identity of the caller to ensure that information will only be given to a person who is entitled to that information – this can be accomplished by confirming: identity number, date of birth, address, cell phone number and the like;
188.8.131.52. request that the caller put their request in writing if the employee is not completely sure about the identity of the caller and in circumstances where the identity of the caller cannot be verified. In these circumstances, the employee should also request that a certified copy of the identity document / passport of the individual is provided before information is released;
184.108.40.206. refer the request to their manager for assistance in difficult situations. No employee should feel forced to disclose personal information; and
220.127.116.11. where a request has been made in terms of this section, and personal information is communicated to the data subject, the data subject must be advised of their right to request the correction of the information.
6.9.5. The data subject may request that the Organisation correct or delete personal information which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or to destroy such record of personal information. If such a request is made, the Organisation must send this request to the appropriate party within the Organisation who should then correct the information, destroy or delete it, and provide the data subject with credible evidence that this has been done.
7. REVIEW OF POLICY
The Organisation will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives on at least an annual basis and more frequently if required, taking into account changes in the law and organisational or security changes.