Protection of Personal Information, Information Security and Records Management Policy
Privacy is paramount
This is the Protection of Personal Information, Information Security and Records Management Policy for:
SENSORY FX (PTY) LIMITED
Registration Number: 2010/016074/07 and all its subsidiaries and divisions (hereinafter referred to as the “the Organisation”).
PROTECTION OF PERSONAL INFORMATION IN TERMS OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013
1.1 The Organisation is mainly a property management company that manages sectional title schemes and Homeowner Associations. This requires the Organisation to collect, collate, store and disseminate a vast amount of personal information on a daily basis, obliging the Organisation to comply with the Protection of Personal Information Act 4 of 2013 (“Act”).
1.2 The Act requires the Organisation to inform their clients as to the manner in which their personal information is used, disclosed and destroyed. The Organisation is committed to protecting its client’s privacy and ensuring that their personal information is used appropriately, transparently, securely and in accordance with applicable laws.
1.3 This Policy sets out the manner in which the Organisation deals with their client’s personal information as well as stipulates the purpose for which said information is used.
1.4 The Policy is made available on the Organisation website www.sensoryfx.co.za and by request from the Organisation.
1.5 The Policy is drafted in conjunction with the National Credit Act 34 of 2005, and the Consumer Protection Act 68 of 2008.
2. BACKGROUND AND PURPOSE
2.1 What is the purpose of the Act (POPIA)?
2.2 The aim of the Act is to ensure the right of South African citizens to the privacy of personal information and to regulate all organisations that collect, store and disseminate personal information.
2.3 Personal information may only be processed if the process meets the conditions of the Act.
2.4 There are 8 (eight) distinct conditions which organisations need to meet to be acting lawfully:
2.4.2 processing limitation;
2.4.3 purpose specification;
2.4.4 use limitation;
2.4.5 information quality;
2.4.7 security safeguards; and
2.4.8 individual/data subject participation.
2.5 What is “personal information”?
2.6 Personal information means any information relating to an identifiable natural person (and existing juristic persons where applicable), including information relating to:
2.6.1 race, gender, sex, pregnancy, marital status, mental health, well-being, disability, religion, belief, culture, language and birth;
2.6.2 education, medical, financial, criminal or employment;
2.6.3 identity number, electronic and physical addresses, telephone numbers and on-line identifiers;
2.6.4 biometric information;
2.6.5 personal opinions, views or preferences; and
2.6.6 correspondence sent by a person implicitly or explicitly of a personal nature or confidential.
2.7 An organisation may not process the personal information of a child (under 18) unless the processing:
2.7.1 is carried out with the consent of the legal guardian;
2.7.2 is necessary to establish, exercise or defence of a right or obligation in law;
2.7.3 is necessary for historical, statistical or research purposes; or
2.7.4 is information that is deliberately been made public by the child with the consent of the guardian.
2.8 What is processing personal information?
2.9 Processing means any operation or activity, or set of activities, by automatic means or otherwise, including:
2.9.1 collecting, receiving, recording, collating, storing, updating, modifying, retrieving or use;
2.9.2 disseminating by means of transmission, distribution or any other means; or
2.9.3 merging, linking, restricting, erasing or destructing of information.
2.10 Who must comply?
2.10.1 All public and private bodies (natural and juristic persons) must comply.
2.11 What does compliance mean?
22.214.171.124 Organisations must assign responsibility to ensure compliance with the Act to a suitable person or persons.
126.96.36.199 Each organisation has an “information officer”. This will be the same person who has been appointed by the organisation as head in terms of the Promotion of Access to Information Act, i.e. the CEO or equivalent.
188.8.131.52 The information officer, together with an executive team/board, should decide on and record the POPI policy and procedure (this policy).
184.108.40.206 The information officer must appoint a “data controller” or a number of data controllers who decide:
220.127.116.11.1 the purpose of the data processing; and
18.104.22.168.2 the way the personal information should be processed.
22.214.171.124 The data controllers should be management who execute the POPI policy and procedure.
126.96.36.199 “Data processor/s” perform the processing administration/function (e.g. data capturing etc).
2.11.2 Processing limitation
188.8.131.52 Personal information may only be processed if it is:
184.108.40.206.1 adequate, relevant and necessary for the purpose for which it is processed;
220.127.116.11.2 with the consent of the data subject;
18.104.22.168.3 necessary for the contract to which the data subject is party;
22.214.171.124.4 necessary for the protection of a legitimate interest of the data subject
126.96.36.199.5 required by law;
188.8.131.52.6 necessary to pursue the legitimate interest of the organisation; or
184.108.40.206.7 collected directly from the data subject, except in certain circumstances (e.g. in public domain or to do so would defeat the purpose for collecting and processing).
220.127.116.11 “Consent” must be:
18.104.22.168.2 specific; and
22.214.171.124 Informed consent requires that the data subject understand:
126.96.36.199.1 what information is being collected/processed;
188.8.131.52.2 why the information is being processed;
184.108.40.206.3 how the information is to be processed;
220.127.116.11.4 where the information is being processed; and
18.104.22.168.5 to whom the information is intended to be given.
2.11.3 Purpose specification
22.214.171.124 The data subject must be made aware of the purpose for which the information is being collected (“identified purpose”). This is necessary for giving consent (see above).
2.11.4 Use limitation
126.96.36.199 Information/records may only be kept for as long as it is necessary to achieve the identified purpose. There are some statutory record keeping periods which may exceed this.
188.8.131.52 After this retention period the responsible person must delete or destroy such information as soon as reasonably possible.
184.108.40.206 If the purpose changes (e.g. something else occurs that could use the same information again for this alternative purpose), it may be necessary to inform the data subject and get consent again.
2.11.5 Information quality
220.127.116.11 Information must be as accurate as possible, complete and updated if necessary.
18.104.22.168 Information must be available to the data subject to verify/object to the accuracy thereof.
22.214.171.124 The Organisation must take reasonable practical steps to ensure that the data subject is aware of what personal information is being collected, stored and used, whether or not collected directly from the data subject.
2.11.7 Security safeguards
126.96.36.199 The organisation must secure the integrity and confidentiality of personal information und must take appropriate technical/organisational measure to prevent:
188.8.131.52.1 the loss of or damage to personal information; or
184.108.40.206.2 the unlawful access to or processing of personal information.
220.127.116.11 To do this, the organisation must:
18.104.22.168.1 identify all reasonable foreseeable internal and external risks to personal information held;
22.214.171.124.2 establish and maintain appropriate reasonable safeguards against the risks;
126.96.36.199.3 monitor the safeguards and regularly verify safeguards are effective; and
188.8.131.52.4 ensure safeguards are updated to respond to new risks or deficiencies in previous safeguards
184.108.40.206 The data controllers and data processors must operate under his/her authority from the information officer and treat all personal information as confidential.
220.127.116.11 Where there are reasonable grounds for suspecting a breach of data security, the responsible person must notify the Regulator and the data subject.
2.11.8 Data subject participation
18.104.22.168 Any person who can positively identify themselves is entitled to access their own personal information.
22.214.171.124 A data subject has the right to correct or amend any of their personal information that may be inaccurate, misleading or out of date.
2.12 What steps should be taken to comply?
2.12.1 An audit should be conducted of the following:
126.96.36.199 what personal information is held?
188.8.131.52 where the personal information is being held?
184.108.40.206 by whom is the personal information being held?
2.12.2 Establish what personal information is being collected in one place and being transferred to another.
2.12.3 Review website and other privacy statements, email indemnity, supplier or other standard terms and conditions, engagement letters, employee letters of appointment and third-party agreements that will process personal information of your clients or customers.
2.12.4 Develop organisation wide standard data protection policies and protocols, and if in place already in place, review such policies and protocols.
2.12.5 Review IT outsourcing contracts and arrangements.
2.12.6 Review data collecting activities (completion of forms etc).
2.12.7 Appoint an information officer for POPI and PAIA purposes.
2.12.8 Provide training to staff.
2.13 Details of Information Officer and Head Office
2.13.1 The details of the Organisation’s Information Officer and Head Office are as follows:
Information Officer Johannes Wilhelm Stodart
Address 154 Edward Avenue, Hennops Park, Centurion, South Africa
Telephone Number 082 575 5054
Deputy Information Officer Elcois Wesseloo
Address 154 Edward Avenue, Hennops Park, Centurion, South Africa
Telephone Number 072 120 0012
3 PERSONAL INFORMATION COLLECTED
3.1 Section 9 of the Act states that “Personal Information” may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not “excessive.”
3.2 The Organisation collects and processes client’s personal information for the ordering, manufacturing and delivery of products, the opening of trading accounts (where applicable), for communication purposes (relating to the ordering, manufacturing and delivery of products) and to communicate with clients with regards to future orders, prices and accounts.
3.3 The type of information will depend on the need for which it is collected and will be processed for that purpose only.
3.4 Whenever possible, the Organisation will inform the client as to the information required and the information deemed optional.
3.5 The Organisation also collects and processes the client’s personal information for marketing purposes in order to ensure that our products and services remain relevant to our clients and potential clients.
3.6 The Organisation aims to have agreements in place with all product suppliers and third-party service providers to ensure a mutual understanding with regard to the protection of the client’s personal information. The Organisation suppliers will be subject to the same regulations as applicable to the Organisation.
3.7 With the client’s consent, the Organisation may also supplement the information provided with information the Organisation receives from other providers in order to offer a more consistent and personalized experience in the client’s interaction with the Organisation. For purposes of this Policy, clients include potential and existing clients.
4 THE USE OF PERSONAL INFORMATION
4.1 The Client’s personal information will only be used for the purpose for which it was collected and as agreed. This may include:
220.127.116.11 providing products or services to clients and to carry out the transactions requested;
18.104.22.168 for the ordering, manufacturing and delivery of products;
22.214.171.124 for the opening of trading accounts, where applicable;
126.96.36.199 for communication purposes relating to the ordering, manufacturing and delivery of products; and
188.8.131.52 to communicate with clients with regards to future orders, prices and accounts.
184.108.40.206 confirming, verifying and updating client details;
220.127.116.11 conducting market or customer satisfaction research;
18.104.22.168 for audit and record keeping purposes;
22.214.171.124 in connection with legal proceedings;
126.96.36.199 in connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law; and
4.1.2 as required in terms of clause 3.2 above.
4.2 According to section 10 of the Act, personal information may only be processed if certain conditions, listed below, are met along with supporting information for the Organisation processing of Personal Information:
4.2.1 the client’s consent to the processing: – consent is obtained from clients during the introductory, appointment and needs analysis stage of the relationship;
4.2.2 the necessity of processing: in order to conduct an accurate analysis of the client’s needs;
4.2.3 processing complies with an obligation imposed by law on the Organisation;
4.2.4 the National Credit Act requires a Credit Provider’s to conduct an affordability assessment
4.2.5 processing protects a legitimate interest of the client; or
4.2.6 processing is necessary for pursuing the legitimate interests of the Organisation or of a third party to whom information is supplied — in order to provide the Organisation clients with products and or services both the Organisation and any of our product suppliers require certain personal information from the clients in order to make an expert decision on the unique and specific product and or service required.
5 DISCLOSURE OF PERSONAL INFORMATION
5.1 The Organisation may disclose a client’s personal information to any of the Organisation subsidiaries, joint venture companies and or approved product supplier or third-party service providers whose services or products clients elect to use. The Organisation has agreements in place to ensure compliance with confidentiality and privacy conditions.
5.2 The Organisation may also share client personal information with, and obtain information about clients from third parties for the reasons already discussed above.
5.3 The Organisation may also disclose a client’s information where it has a duty or a right to disclose in terms of applicable legislation, the law, or where it may be deemed necessary in order to protect the Organisation rights.
5.4 All employees have a duty of confidentiality in relation to the Organisation and clients.
5.5 Information on clients: Our clients’ right to confidentiality is protected in the Constitution and in terms of the Law. Information may be given to a third party if the client has consented in writing to that person receiving the information.
5.6 The Organisation views any contravention of this policy very seriously and employees who are guilty of contravening the policy will be subject to disciplinary procedures, which may lead to the dismissal of any guilty party.
6 SAFEGUARDING PERSONAL INFORMATION
6.1 It is a requirement of the Act to adequately protect personal information. The Organisation will continuously review its security controls and processes to ensure that personal information is properly safeguarded.
6.2 The Organisation Information Officer is responsible for the compliance of the conditions of the lawful processing of personal information and other provisions of the Act. The Information Officer will be assisted by Deputy Information Officer/s.
6.3 This policy has been put in place throughout the Organisation and training on this policy and the Act has already taken place and will continue to be conducted by the Organisation.
6.4 Each new employee will be required to sign an Employment Contract containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of the Act.
6.5 Every employee currently employed within the Organisation will be required to sign an addendum to their Employment Contracts containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of the Act.
6.6 All the Organisation electronic files or data are backed and stored off site.
6.7 The Organisation product suppliers, insurers and other third-party service providers will be required to sign a service level agreement guaranteeing their commitment to the Protection of Personal Information; this is however an ongoing process that will be evaluated as needed.
7 CORRECTION OF PERSONAL INFORMATION
7.1 Clients have the right to access the personal information the Organisation holds about them. Clients also have the right to ask the Organisation to update, correct or delete their personal information on reasonable grounds. Once a client objects to the processing of their personal information, the Organisation may no longer process said personal information.
7.2 The Organisation will take all reasonable steps to confirm its clients’ identity before providing details of their personal information or making changes to their personal information.
8 AMENDMENTS TO THIS POLICY
8.1 Amendments to, or a review of this Policy, will take place on an ad hoc basis or at least once a year.
8.2 Clients are advised to access the Organisation’s website periodically to keep abreast of any changes. Where material changes take place, clients will be notified directly or changes will be stipulated on the Organisation website or on request from the registered office of the Organisation.
9 ACCESS TO DOCUMENTS
9.1 All company and client information must be dealt with in the strictest confidence and may only be disclosed, without fear of redress, in the following circumstances:
9.1.1 where disclosure is under compulsion of law;
9.1.2 where there is a duty to the public to disclose;
9.1.3 where the interests of the Organisation require disclosure; or
9.1.4 where disclosure is made with the express or implied consent of the client.
10 REQUESTS FOR THE ORGANISATION INFORMATION
10.1 This is dealt with in terms of the Promotion of Access to Information Act, 2 of 2000 (“PAIA”), which gives effect to the constitutional right of access to information held by the State or any person (natural and juristic) that is required for the exercise or protection of rights. Private bodies, like the Organisation, must however refuse access to records if disclosure would constitute an action for breach of the duty of secrecy owed to a third party.
10.2 In terms hereof, requests must be made in writing on the prescribed form to the Information Officer in terms of PAIA. The requesting party has to state the reason for wanting the information and has to pay a prescribed fee.
10.3 The Organisation’s manuals in terms of PAIA, which contains the prescribed forms and details of prescribed fees, is available on the intranet and the Organisation website www.sensoryfx.co.za.
10.4 Confidential company and/or business information of the Organisation may not be disclosed to third parties as this could constitute industrial espionage. The affairs of the Organisation must be kept strictly confidential at all times.
11 RETENTION OF DOCUMENTS
11.1 Hard Copy – The statutory periods for the retention of documents are as per the Law. These are available on request.
11.2 Electronic Storage – The internal procedure requires that electronic storage of information: important documents and information must be referred to and discussed with IT who will arrange for the indexing, storage and retrieval thereof. This will be done in conjunction with the departments concerned.
11.3 Scanned documents: If documents are scanned, the hard copy must be retained for as long as the information is used or for 1 year after the date of scanning, with the exception of documents pertaining to personnel. Any document containing information on the written particulars of an employee, including: employee’s name and occupation, time worked by each employee, remuneration and date of birth of an employee under the age of 18 years; must be retained for a period of 3 years after termination of employment.
11.4 Section 51 of the Electronic Communications Act No 25 of 2005 requires that personal information and the purpose for which the data was collected must be kept by the person who electronically requests, collects, collates, processes or stores the information and a record of any third party to whom the information was disclosed must be retained for a period of 1 year or for as long as the information is used.
11.5 It is also required that all personal information which has become obsolete must be destroyed.
12 DESTRUCTION OF DOCUMENTS
12.1 Documents may be destroyed after the termination of the retention period specified in terms of the Law. Registration will request departments to attend to the destruction of their documents and these requests shall be attended to as soon as possible.
12.2 Each department is responsible for attending to the destruction of its documents, which must be done on a regular basis. Files must be checked in order to make sure that they may be destroyed and also to ascertain if there are important original documents in the file. Original documents must be returned to the holder thereof, failing which, they should be retained by the Organisation pending such return.
12.3 After completion of the process in clause 13.2 above, the General Manager of the department shall, in writing, authorise the removal and destruction of the documents in the authorisation document. These records will be retained by Registration.
12.4 The documents are then made available for collection by the removers of the Organisation’s documents, who also ensure that the documents are shredded before disposal. This also helps to ensure confidentiality of information.
12.5 Documents may also be stored off-site, in storage facilities approved by the Organisation.
13 CROSS-BORDER FLOWS OF PERSONAL INFORMATION
13.1 Section 72 of the Act provides that Personal Information may only be transferred out of the Republic of South Africa if the:
13.1.1 recipient country can offer such data an “adequate level” of protection. This means that its data privacy laws must be substantially similar to the Conditions for Lawful Processing as contained in the Act; or
13.1.2 the client or customer consents to the transfer of their personal information; or
13.1.3 transfer is necessary for the performance of a contractual obligation between the client or customer and the Organisation; or
13.1.4 transfer is necessary for the performance of a contractual obligation between the Organisation and a third party, in the interests of the client or customer; or
13.1.5 the transfer is for the benefit of the client or customer, and it is not reasonably practicable to obtain the consent of the client or customer, and if it were, the client or customer, would in all likelihood provide such consent.