Privacy Policy

1. Introduction

1.1 The Organisation is a consulting company providing actuarial services to clients. This requires the Organisation to collect, collate, store, and disseminate a vast amount of personal information on a daily basis, obliging the Organisation to comply with the Protection of Personal Information Act 4 of 2013 (“Act”).

1.2 The Act requires the Organisation to inform their clients as to the manner in which their personal information is used, disclosed, and destroyed. The Organisation is committed to protecting its client’s privacy and ensuring that their personal information is used appropriately, transparently, securely and in accordance with applicable laws.
1.3 This Policy sets out the manner in which the Organisation deals with their client’s personal information as well as stipulates the purpose for which said information is used.
1.4 This Policy is made available at the Organisation’s registered address and by request from the Organisation.
1.5 This Policy is drafted in conjunction with the National Credit Act 34 of 2005, and the Consumer Protection Act 68 of 2008.

​

2. Background And Purpose

2.1 What Is The Purpose Of The Act (POPIA)?

2.1.1 The aim of the Act is to ensure the right of South African citizens to the privacy of personal information and to regulate all organisations that collect, store, and disseminate personal information.
2.1.2 Personal information may only be processed if the process meets the conditions of the Act.
2.1.3 There are 8 (eight) distinct conditions which organisations need to meet to be acting lawfully:

2.1.3.1 accountability;
2.1.3.2 processing limitation;
2.1.3.3 purpose specification;
2.1.3.4 use limitation;
2.1.3.5 information quality;
2.1.3.6 openness;
2.1.3.7 security safeguards; and
2.1.3.8 individual/data subject participation.

​

2.2 What Is “Personal Information”?

2.2.1 Personal information means any information relating to an identifiable natural person (and existing juristic persons where applicable), including information relating to:

2.2.1.1 race, gender, sex, pregnancy, marital status, mental health, well-being, disability, religion, belief, culture, language, and birth;
2.2.1.2 education, medical, financial, criminal or employment;
2.2.1.3 identity number, electronic and physical addresses, telephone numbers and online identifiers;
2.2.1.4 biometric information;
2.2.1.5 personal opinions, views, or preferences; and,
2.2.1.6 correspondence sent by a person implicitly or explicitly of a personal nature or confidential.

2.2.2 An organisation may not process the personal information of a child (under 18 years) unless the processing:

2.2.2.1 is carried out with the consent of the legal guardian;
2.2.2.2 is necessary to establish, exercise or defence of a right or obligation in law;
2.2.2.3 is necessary for historical, statistical or research purposes; or,
2.2.2.4 is information that is deliberately been made public by the child with the consent of the guardian.

​

2.3 What Is Processing Personal Information?

2.3.1 Processing means any operation or activity, or set of activities, by automatic means or otherwise, including:

2.3.1.1 collecting, receiving, recording, collating, storing, updating, modifying, retrieving or use;
2.3.1.2 disseminating by means of transmission, distribution, or any other means; or,
2.3.1.3 merging, linking, restricting, erasing, or destructing of information

​

2.4 Who Must Comply?

2.4.1 All public and private bodies (natural and juristic persons) must comply.

​

2.5 What Does Compliance Mean?

2.5.1 Accountability

2.5.1.1 Organisations must assign responsibility to ensure compliance with the Act to a suitable person or persons.
2.5.1.2 Each organisation has an “information officer.” This will be the same person who has been appointed by the organisation as head in terms of the Promotion of Access to Information Act, i.e. the CEO or equivalent.
2.5.1.3 The information officer, together with an executive team/board, should decide on and record the POPI policy and procedure (this policy).
2.5.1.4 The information officer must appoint a “data controller” or a number of data controllers who decide

2.5.1.4.1 the purpose of the data processing; and,
2.5.1.4.2 the way the personal information should be processed.

2.5.1.5 The data controllers should be Management who execute the POPI policy and procedure.
2.5.1.6 “Data processor/s” perform the processing administration/function (e.g. data capturing etc).

2.5.2 Processing Limitation

2.5.2.1 Personal information may only be processed if it is:

2.5.2.1.1 adequate, relevant, and necessary for the purpose for which it is processed;
2.5.2.1.2 with the consent of the data subject;
2.5.2.1.3 necessary for the contract to which the data subject is party;
2.5.2.1.4 necessary for the protection of a legitimate interest of the data subject;
2.5.2.1.5 required by law;
2.5.2.1.6 necessary to pursue the legitimate interest of the organisation; or,
2.5.2.1.7 collected directly from the data subject, except in certain circumstances (e.g. in public domain or to do so would defeat the purpose for collecting and processing).

2.5.2.2 “Consent” must be:

2.5.2.2.1 voluntary;
2.5.2.2.2 specific; and,
2.5.2.2.3 informed.

2.5.2.3    Informed consent requires that the data subject understand:

2.5.2.3.1 what information is being collected/processed;
2.5.2.3.2 why the information is being processed;
2.5.2.3.3 how the information is to be processed;
2.5.2.3.4 where the information is being processed; and,
2.5.2.3.5 to whom the information is intended to be given.

2.5.3 Purpose Specification

2.5.3.1 The data subject must be made aware of the purpose for which the information is being collected (“identified purpose”). This is necessary for giving consent (see above).

2.5.4 Use Limitation

2.5.4.1 Information/records may only be kept for as long as it is necessary to achieve the identified purpose. There are some statutory record-keeping periods which may exceed this.
2.5.4.2 After this retention period the responsible person must delete or destroy such information as soon as reasonably possible.
2.5.4.3 If the purpose changes (e.g. something else occurs that could use the same information again for this alternative purpose), it may be necessary to inform the data subject and get consent again.

2.5.5 Information Quality

2.5.5.1 Information must be as accurate as possible, complete, and updated if necessary.
2.5.5.2 Information must be available to the data subject to verify/object to the accuracy thereof.

2.5.6 Openness

2.5.6.1 The Organisation must take reasonable practical steps to ensure that the data subject is aware of what personal information is being collected, stored, and used, whether or not collected directly from the data subject.

2.5.7 Security Safeguards

2.5.7.1 The organisation must secure the integrity and confidentiality of personal information und must take appropriate technical/organisational measure to prevent:

2.5.7.1.1 the loss of or damage to personal information; or,
2.5.7.1.2 the unlawful access to or processing of personal information.

2.5.7.2 To do this, the organisation must:

2.5.7.2.1 identify all reasonable, foreseeable, internal, and external risks to personal information held;
2.5.7.2.2 establish and maintain appropriate reasonable safeguards against the risks;
2.5.7.2.3 monitor the safeguards and regularly verify safeguards are effective; and,
2.5.7.2.4 ensure safeguards are updated to respond to new risks or deficiencies in previous safeguards.

2.5.7.3 The data controllers and data processors must operate under his/her authority from the information officer and treat all personal information as confidential.
2.5.7.4 Where there are reasonable grounds for suspecting a breach of data security, the responsible person must notify the Regulator and the data subject.

2.5.8 Data Subject Participation

2.5.8.1 Any person who can positively identify themselves is entitled to access their own personal information.
2.5.8.2 A data subject has the right to correct or amend any of their personal information that may be inaccurate, misleading, or out of date.

​

2.6 What Steps Should Be Taken To Comply?

2.6.1 An audit should be conducted of the following:

2.6.1.1 what personal information is held?
2.6.1.2 where the personal information is being held?
2.6.1.3 by whom is the personal information being held?

2.6.2 Establish what personal information is being collected in one place and being transferred to another.
2.6.3 Review privacy statements, email indemnity, supplier or other standard terms and conditions, engagement letters, employee letters of appointment and third-party agreements that will process personal information of your clients or customers.
2.6.4 Develop organisation wide standard data protection policies and protocols, and if in place already in place, review such policies and protocols.

2.6.5 Review IT outsourcing contracts and arrangements.
2.6.6 Review data collecting activities (completion of forms etc).
2.6.7 Appoint an information officer for POPI and PAIA purposes.
2.6.8 Provide training to staff. 

​

2.7 Details of Information Officer and Deputy Information Officer

2.7.1 The details of the Organisation’s Information Officer and Deputy Information Officer are as follows:

Information Officer:   Craig Falconer
Address:    1st Floor, The Bridle, Hunts End Office Park, 38 Wierda Road West, Sandton, 2196
Telephone Number:    +27 11 038 3700

​

Deputy Information Officer:    Etienne Louw
Address:    1st Floor, The Bridle, Hunts End Office Park, 38 Wierda Road West, Sandton, 2196
Telephone Number:    +27 11 038 3700

​

To view the full Protection of Personal Information, Information Security and Records Management Policy please follow the link below: