Privacy Policy

Introduction

Purpose of policy
The purpose of this policy is to enable the organisation to:

  • comply with the law in respect of the data it holds about individuals;
  • follow good practice;
  • protect the organisation’ staff and other individuals protect the organisation from the consequences of abreach of its responsibilities.

Personal information
This policy applies to information relating to identifiable individuals, in terms of the Protection of Personal Information Act, 2013 (hereinafter POPI Act).

Policy statement
The organisation will:

  • comply with both the law and good practice
  • respect individuals’ rights
  • be open and honest with individuals whose data is held
  • provide training and support for staff who handle personal data, so that they can act confidently and consistently
  • The organisation recognises that its first priority under the POPI Act is to avoid causing harm to individuals. In the main this means:
  • keeping information securely in the right hands, and
  • retention of good quality information.

Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, the organisation will seek to give individuals as much choice as is possible and reasonable over what data is
held and how it is used.

Key risks
The organisation has identified the following potential key risks, which this policy is designed to address:

  • Breach of confidentiality (information being given out inappropriately)
  • Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed
  • Failure to offer choice about data use when appropriate
  • Breach of security by allowing unauthorised access
  • Harm to individuals if personal data is not up to date
  • Data Operator contracts

Information Officer Responsibilities

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 1, and Chapter 5, Part B.

Information Officer Responsibilities
The Information Officer has the following responsibilities:

  • Developing, publishing and maintaining a POPI Policy which addresses all relevant provisions of the POPI Act, including but not limited to the following:
  • Reviewing the POPI Act and periodic updates as published
  • Ensuring that POPI Act induction training takes place for all staff
  • Ensuring that periodic communication awareness on POPI Act responsibilities takes place
  • Ensuring that Privacy Notices for internal and external purposes are developed and published
  • Handling data subject access requests
  • Approving unusual or controversial disclosures of personal data
    Approving contracts with Data Operators
  • Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of personal information
  • Ensuring that appropriate Security Safeguards in line with the POPI Act for personal information are in place
  • Handling all aspects of relationship with the Regulator as foreseen in the POPI Act
  • Provide direction to any Deputy Information Officer if and when appointed

Appointment
The appointment of the organisation Information Officer will be authorised by the Designated Head. Consideration will be given an annual basis of the re-appointment or replacement of the Information Officer; the need for any Deputy to assist the Information Officer.

Processing Limitation

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 3.

Purpose specification
The organisation undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, sections 13 and 14, subject to the following stipulation (Retention periods).

Retention periods
The organisation will establish retention periods for at least the following categories of data:

  • Directors
  • Staff
  • Customers
  • Suppliers

Use of Cookies where applicable
Cookies are alphanumeric identifiers that we transfer to your computer’s hard drive through your web browser to enable our systems to recognise your browser and to automatically collect information from your computer such as your IP address and other details about your computer which are automatically collected by our web server, operating system and browser type, for system administration and to report aggregate information to us. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual. The “Help” menu on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. Additionally, you can disable or delete similar data used by browser add-ons, such as flash cookies, by changing the add-on’s settings or visiting the website of its manufacturer. However, because cookies allow you to take advantage of some of the Company’s essential features, we recommend that you leave them turned on. If you do leave cookies turned on, be sure to sign off when you finish using a shared computer.

Further processing limitation

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 4.

Further processing limitation
The organisation undertakes to comply with the POPI Act, Conditions 2 in terms of processing limitation, section 15.

Information quality

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 5. The organisation will comply with all of the aspects of Condition 5, section 16.

Accuracy
The organisation will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:

  • Data on any individual will be held in as few places as necessary, and all staff will be discouraged from establishing unnecessary additional data sets.
  • Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
  • Staff who keeps more detailed information about individuals will be given additional guidance on accuracy in record keeping.

Updating
The organisation will review all personal information on an annual basis.

Archiving
All Personal Information which you provide to the Company will be held and/ or stored securely for the purpose of collection. Your Personal Information will be stored electronically in a database. Where appropriate, some information may be retained in hard copy. In either event, storage will be secure and audited regularly regarding the safety and the security of the information. Where data is stored electronically outside the borders of South Africa, such is done only in countries that have similar privacy laws to our own or where such facilities are bound contractually to no lesser regulations than those imposed by POPI. Once this information is no longer required, due to the fact that the purpose has been served, such Personal Information will be safely and securely archived for a period of 7 years, as per the requirements of the Companies Act, 71 of 2008, or longer, should this be required by any other law applicable in South Africa. Thereafter, all your Personal Information will be permanently destroyed. Information about our members is an important part of our business and we do not sell it to others. The Company shares customer information only as described below.

Third Party Service Providers
We employ other companies and individuals to perform functions on our behalf. Examples include sending postal mail and e-mail, removing repetitive information from customer lists, analysing data, and providing marketing services. Third party service providers have access to personal information needed to perform their functions, but may not use it for other purposes. Further, they must process the personal information in accordance with this privacy policy and as permitted by South African data protection legislation.

Business Transfers
As we continue to develop our business, we might sell or buy or subsidiaries or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing privacy policy (unless, of course, the customer consents otherwise). Also, in the unlikely event that the Company or substantially all of its assets are acquired, personal information will of course be one of the transferred assets.

Protection of the Company and others
We release account and other personal information when we believe that such a release is appropriate to comply with the law; enforce or apply our customer or other agreements; or protect the rights, property or safety of the Company, our users or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction. Obviously, however, this does not include selling, sharing or otherwise disclosing personally identifiable information from customers for commercial purposes in a way that is contrary to the commitments made in this privacy policy. With your consent, other than as set out above, you will receive notice when information about you might go to third parties and you will have an opportunity to choose not to share the information.

Openness

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 6.

Openness
In line with Conditions 6 and 8 of the Act, the organisation is committed to ensuring that in principle Data Subjects are aware that their data is being processed and

  • for what purpose it is being processed;
  • what types of disclosure are likely; and
  • How to exercise their rights in relation to the data.

Procedure
Data Subjects will generally be informed in the following ways:

  • Policies
  • Privacy Notice
  • Consent Forms

Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

Security Safeguards

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 7, and section 19 to 22. This section of the policy only addresses security issues relating to personal information. It does not cover security of the building, business continuity or any other aspect of security.

Specific risks
The organisation has identified the following risks:

  • Staff with access to personal information could misuse it.
  • Staff may be tricked into giving away information, either about customers / member or colleagues, especially over the phone, through “social engineering”.

Setting security levels
Access to information on the main the organisation computer system will be controlled by function.

Security measures
The organisation will ensure that all necessary controls are in place in terms of access to personal information.

Business continuity
The organisation will ensure that adequate steps are taken to provide business continuity in the event of an emergency.

Data Subject participation

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 8, sections 23 to 25.

Responsibility
Any subject access requests will be handled by the POPI Act Information Officer in terms of Condition 8.

Procedure for making request
Subject access requests must be in writing. All staff is required to pass on anything which might be a subject access request to the POPI Act Information Officer without delay. Requests for access to personal information will be handled in compliance with the POPI Act and in compliance with the Promotion of Access to Information Act (PAIA), as defined in the organisation PAIA Manual.

Provision for verifying identity
Where the individual making a subject access request is not personally known to the POPI Act Information Officer their identity will be verified before handing over any information. Charging Fees for access to personal information will be handled in compliance with the PAIA Act.

Procedure for granting access
Procedures for access to personal information will be handled in compliance with the PAIA Act, as defined in the organisation PAIA Manual.

Data Subject’s rights
You have the right to request a copy of the personal information we hold about you or to object to the processing of personal information held about you. To do this, contact us at the numbers/addresses listed earlier and specify what information you would like. We will take all reasonable steps to confirm your identity before providing details of your personal information. You can always choose not to provide information. If you do not want to receive e-mail or other electronic communications and mail from us, tick the opt-out box in your terms and conditions or let us know in writing if you don’t want to receive these offers. However, please note, if you do not want to receive legal notices from us, such as this privacy policy, those notices will still govern your use of the Company services and products and it is your responsibility to review them for changes. You have the right to ask us to update, correct or delete your personal information. You may do this by contacting us at the numbers/addresses provided earlier. We will take all reasonable steps to confirm your identity before making changes to personal information we may hold about you. We would appreciate it if you would keep your personal information accurate. Please update your information by contacting us at the numbers/addresses provided earlier whenever your details change.

Processing of Personal Information of Children

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part C, sections 34 and 35.

Processing of Personal Information of Children
The organisation has the policy of adhering to the process of Special Personal Information of children. This applies to under-18 individuals, so an age check is required for all personal information records. General authorisation concerning personal information of children only applies where under-18 are involved.

Prior Authorisation

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 6.

Prior Authorisation
The organisation has the policy of adhering to the process of Prior Authorisation in terms of sections 57 to 59.

Direct Marketing, Directories and Automated Decision Making

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 8.

Direct Marketing, Directories and Automated Decision Making
The organisation undertakes to comply with the POPI Act Chapter 8, sections 69 to 71.

Opting in
Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opportunity to opt in.

Electronic contact
Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.

Trans-border information flows

Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 9.

Trans border information flows
The organisation will ensure that the POPI Act Chapter 9, section 72 is fully complied with. Compliance with section 72 will be achieved through the use of the necessary contractual commitments from the relevant third parties.

Staff training & acceptance of responsibilities

Scope
The scope of this aspect of the policy is written in support of the provisions of the POPI Act, Chapter 5, Part B.

Documentation
Information for staff is contained in this policy document and other materials made available by the Information Officer.

Induction
The Information Officer will ensure that all staff that has access to any kind of personal information will have their responsibilities outlined during their induction procedures.

Continuing training
The organisation will provide opportunities for staff to explore POPI Act issues through training, team meetings, and supervisions.

Procedure for staff signifying acceptance of policy
The organisation will ensure that all staff sign acceptance of this policy once they have had a chance to understand the policy and their responsibilities in terms of the policy and the POPI Act.

Policy review

Responsibility
The Information Officer is responsible for an annual review to be completed prior to the policy anniversary date.

Procedure
The Information Officer will ensure relevant stakeholders are consulted as part of the annual review to be completed prior to the policy anniversary date.