Protection of Personal Information, Information Security and Records Management Policy
1.1 The Organisation is a consulting company providing actuarial services to clients. This requires the Organisation to collect, collate, store, and disseminate a vast amount of personal information on a daily basis, obliging the Organisation to comply with the Protection of Personal Information Act 4 of 2013 (“Act”).
1.2 The Act requires the Organisation to inform its clients of the manner in which their personal information is used, disclosed, and destroyed. The Organisation is committed to protecting its clients’ privacy and ensuring that their personal information is used appropriately, transparently, securely and in accordance with applicable laws.
1.3 This Policy sets out the manner in which the Organisation deals with its clients’ personal information and stipulates the purposes for which that information is used.
1.4 This Policy is made available at the Organisation’s registered address and by request from the Organisation.
1.5 This Policy is drafted in conjunction with the National Credit Act 34 of 2005, and the Consumer Protection Act 68 of 2008.
2. Background And Purpose
2.1 What Is The Purpose Of The Act (POPIA)?
2.1.1 The aim of the Act is to ensure the right of South African citizens to the privacy of personal information and to regulate all organisations that collect, store, and disseminate personal information.
2.1.2 Personal information may only be processed if the process meets the conditions of the Act.
2.1.3 There are 8 (eight) distinct conditions which organisations need to meet to be acting lawfully:
2.1.3.1 processing limitation;
2.1.3.2 purpose specification;
2.1.3.3 use limitation;
2.1.3.4 information quality;
2.1.3.5 security safeguards; and
2.1.3.6 individual/data subject participation.
2.2 What Is “Personal Information”?
2.2.1 Personal information means any information relating to an identifiable natural person (and existing juristic persons where applicable), including information relating to:
2.2.1.1 race, gender, sex, pregnancy, marital status, mental health, well-being, disability, religion, belief, culture, language, and birth;
2.2.1.2 educational, medical, financial, criminal or employment history;
2.2.1.3 identity number, electronic and physical addresses, telephone numbers and online identifiers;
2.2.1.4 biometric information;
2.2.1.5 personal opinions, views, or preferences; and,
2.2.1.6 correspondence sent by a person that is implicitly or explicitly of a personal or confidential nature.
2.2.2 An organisation may not process the personal information of a child (under 18 years) unless the processing:
2.2.2.1 is carried out with the consent of the legal guardian;
2.2.2.2 is necessary for the establishment, exercise or defence of a right or obligation in law;
2.2.2.3 is necessary for historical, statistical or research purposes; or,
2.2.2.4 concerns information that has deliberately been made public by the child with the consent of the guardian.
2.3 What Is Processing Personal Information?
2.3.1 Processing means any operation or activity, or set of activities, by automatic means or otherwise, including:
2.3.1.1 collecting, receiving, recording, collating, storing, updating, modifying, retrieving or using;
2.3.1.2 disseminating by means of transmission, distribution, or any other means; or,
2.3.1.3 merging, linking, restricting, erasing, or destroying information.
2.4 Who Must Comply?
2.4.1 All public and private bodies (natural and juristic persons) must comply.
2.5 What Does Compliance Mean?
2.5.1.1 Organisations must assign responsibility for ensuring compliance with the Act to a suitable person or persons.
2.5.1.2 Each organisation has an “information officer.” This will be the same person who has been appointed by the organisation as head in terms of the Promotion of Access to Information Act, i.e. the CEO or equivalent.
2.5.1.3 The information officer, together with an executive team/board, should decide on and record the POPI policy and procedure (this policy).
2.5.1.4 The information officer must appoint a “data controller” or a number of data controllers who decide:
2.5.1.4.1 the purpose of the data processing; and,
2.5.1.4.2 the way the personal information should be processed.
2.5.1.5 The data controllers should be Management who execute the POPI policy and procedure.
2.5.1.6 “Data processor/s” perform the processing administration/function (e.g. data capturing).
2.5.2 Processing Limitation
2.5.2.1 Personal information may only be processed if it is:
2.5.2.1.1 adequate, relevant, and necessary for the purpose for which it is processed;
2.5.2.1.2 processed with the consent of the data subject;
2.5.2.1.3 necessary for the performance of a contract to which the data subject is party;
2.5.2.1.4 necessary for the protection of a legitimate interest of the data subject;
2.5.2.1.5 required by law;
2.5.2.1.6 necessary to pursue the legitimate interest of the organisation; or,
2.5.2.1.7 collected directly from the data subject, except in certain circumstances (e.g. where the information is in the public domain or where direct collection would defeat the purpose for collecting and processing it).
2.5.2.2 “Consent” must be:
2.5.2.2.2 specific; and,
2.5.2.3 Informed consent requires that the data subject understand:
2.5.2.3.1 what information is being collected/processed;
2.5.2.3.2 why the information is being processed;
2.5.2.3.3 how the information is to be processed;
2.5.2.3.4 where the information is being processed; and,
2.5.2.3.5 to whom the information is intended to be given.
2.5.3 Purpose Specification
2.5.3.1 The data subject must be made aware of the purpose for which the information is being collected (“identified purpose”). This is necessary for giving consent (see above).
2.5.4 Use Limitation
2.5.4.1 Information and records may only be kept for as long as necessary to achieve the identified purpose. Some statutory record-keeping periods may exceed this.
2.5.4.2 After this retention period the responsible person must delete or destroy such information as soon as reasonably possible.
2.5.4.3 If the purpose changes (e.g. a new need arises for which the same information could be used), it may be necessary to inform the data subject and obtain consent again.
2.5.5 Information Quality
2.5.5.1 Information must be as accurate as possible, complete, and updated if necessary.
2.5.5.2 Information must be available to the data subject to verify or object to the accuracy thereof.
2.5.5.3 The Organisation must take reasonable practical steps to ensure that the data subject is aware of what personal information is being collected, stored, and used, whether or not it is collected directly from the data subject.
2.5.7 Security Safeguards
2.5.7.1 The organisation must secure the integrity and confidentiality of personal information and must take appropriate technical and organisational measures to prevent:
2.5.7.1.1 the loss of or damage to personal information; or,
2.5.7.1.2 the unlawful access to or processing of personal information.
2.5.7.2 To do this, the organisation must:
2.5.7.2.1 identify all reasonable, foreseeable, internal, and external risks to personal information held;
2.5.7.2.2 establish and maintain appropriate reasonable safeguards against the risks;
2.5.7.2.3 monitor the safeguards and regularly verify that the safeguards are effective; and,
2.5.7.2.4 ensure safeguards are updated to respond to new risks or deficiencies in previous safeguards.
2.5.7.3 The data controllers and data processors must operate under the authority of the information officer and treat all personal information as confidential.
2.5.7.4 Where there are reasonable grounds for suspecting a breach of data security, the responsible person must notify the Regulator and the data subject.
2.5.8 Data Subject Participation
2.5.8.1 Any person who can positively identify themselves is entitled to access their own personal information.
2.5.8.2 A data subject has the right to correct or amend any of their personal information that may be inaccurate, misleading, or out of date.
2.6 What Steps Should Be Taken To Comply?
2.6.1 An audit should be conducted of the following:
2.6.1.1 what personal information is held?
2.6.1.2 where is the personal information being held?
2.6.1.3 by whom is the personal information being held?
2.6.2 Establish what personal information is being collected in one place and being transferred to another.
2.6.3 Review privacy statements, email indemnity, supplier or other standard terms and conditions, engagement letters, employee letters of appointment and third-party agreements that will process personal information of your clients or customers.
2.6.4 Develop organisation-wide standard data protection policies and protocols and, if these are already in place, review them.
2.6.5 Review IT outsourcing contracts and arrangements.
2.6.6 Review data collecting activities (e.g. completion of forms).
2.6.7 Appoint an information officer for POPI and PAIA purposes.
2.6.8 Provide training to staff.
2.7 Details of Information Officer and Deputy Information Officer
2.7.1 The details of the Organisation’s Information Officer and Deputy Information Officer are as follows:
Information Officer: Craig Falconer
Address: 1st Floor, The Bridle, Hunts End Office Park, 38 Wierda Road West, Sandton, 2196
Telephone Number: +27 11 038 3700
Deputy Information Officer: Etienne Louw
Address: 1st Floor, The Bridle, Hunts End Office Park, 38 Wierda Road West, Sandton, 2196
Telephone Number: +27 11 038 3700
To view the full Protection of Personal Information, Information Security and Records Management Policy please follow the link below:
This e-mail disclaimer shall at all times take precedence over any other e-mail disclaimer(s).
The information contained in this e-mail communication, attachments and all subsequent e-mail communications and attachments, collectively referred to as an electronic message, is confidential and may be legally privileged.
It is intended solely for the use of the receiver (individual or entity) to whom we have addressed the electronic message and others authorised by us to receive it. If you are not the intended receiver you are hereby notified that any disclosure, copying, distribution or taking action in reliance on the contents of this information is strictly prohibited and may be unlawful.
If you are not the intended receiver of this electronic message (or such person’s authorised representative), then please notify the sender of this electronic message immediately by return e-mail and delete this electronic message from your system. You may not print, store, forward or copy this electronic message or any part thereof or disclose or cause information in this electronic message to be disclosed to any other person. We are not liable for the improper or incomplete transmission of the information contained in this electronic message, or for any delay in its receipt.
We are not liable for any harm or loss resulting from malicious software code or viruses in this electronic message, including data corruption resulting therefrom. Any advice or information contained in this electronic message is subject also to any governing agreement between us.
Only an individual expressly authorised in writing by us is able to bind us contractually. Unless expressly indicated as such, nothing in this electronic message constitutes an offer, warranty or representation from us. By sending us this electronic message, you expressly give us consent to collect and process the personal information contained herein which will be done in accordance with the Protection of Personal Information Act (4 of 2013) (POPI) and our PAIA and POPI Manual.
We respect your privacy and acknowledge that this electronic message will contain personal details, which may belong to you, others and/or to your company (personal information). No electronic communication, including any data message such as an e-mail or SMS sent or received, will give rise to a binding legal transaction. We will not be liable if any variation is effected by any document or correspondence emailed unless that variation has been approved in writing and signed by an authorised representative.
An electronic message is only deemed to be received by us once we acknowledge receipt thereof. It will be deemed that we have sent an electronic message once reflected as sent on our e-mail server. An auto-reply shall not constitute a response for the purposes hereof.
If this electronic message contains offensive, derogatory or defamatory statements or materials, it means the message has been sent outside the sender’s scope of employment with us and only the sender can be held liable in his/her personal capacity.