POLICY STATEMENT
In terms of the Protection of Personal Information Act 4 of 2013 (“PoPI”), any responsible party that processes personal information must do so in accordance with the principles set out in the Act.
This policy forms part of SARACCA’s internal business processes and procedures and will ensure that your personal information is used appropriately and according to law.
The Association’s National Executive Committee, its employees, committee members, volunteers, training providers, and any other persons acting on behalf of SARACCA are required to familiarise themselves with the policy’s requirements and undertake to comply with the stated processes and procedures.
1. INTRODUCTION
The right to privacy is an integral human right recognised and protected in the South African Constitution and in PoPI. PoPI aims to promote the protection of privacy by providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive manner. Through the provision of its services, SARACCA is necessarily involved in the collection, use and disclosure of certain aspects of the personal information of members, employees and other stakeholders. A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions. Given the importance of privacy, SARACCA is committed to effectively managing personal information in accordance with PoPI’s provisions.
2. DEFINITIONS
2.1 Personal Information
Personal information is any information that can be used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person (such as a company), including, but not limited to information concerning:
– the Member’s business name and/or trading name,
– street and postal address,
– telephone and fax number,
– email address,
– the names of directors/partners and their identity numbers,
– BBBEE status,
– VAT number,
– annual financial turnover,
– banking details,
– membership status at certain other construction bodies,
– correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;
– the views or opinions of another individual about the person;
– the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
2.2 Data Subject
This refers to the natural or juristic person to whom personal information relates, such as an individual, Member Company, Authorised Refrigerant Gas Practitioner or a company that supplies SARACCA with products or other goods or services.
2.3 Responsible Party
The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. In this case, SARACCA is the responsible party. This information is used by SARACCA for the provision of a service to a Member Company and/or Authorised Refrigerant Gas Practitioner and to maintain a quality service.
2.4 Operator
An operator means a person who processes personal information for the responsible party in terms of a contract or mandate, without coming under the direct authority of that party. For example, a third-party service provider that has contracted with SARACCA to shred documents containing personal information.
2.5 Information Officer
The Information Officer is responsible for ensuring the organisation’s compliance with PoPI. Once appointed, the Information Officer must be registered with the South African Information Regulator established under PoPI prior to performing his or her duties. Deputy Information Officers can also be appointed to assist the Information Officer.
2.6 Processing
SARACCA collects personal information directly from a data subject when he, she or it applies for SARACCA membership, applies for Authorised Refrigerant Gas Practitioner status with SAQCC Gas, or wants to make use of other services as a member.
2.7 Record
Means any recorded information, regardless of form or medium, including:
– Writing on any material;
– Membership applications;
– Information produced, recorded or stored by means of any tape recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
– Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
– Book, map, plan, graph or drawing;
– Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.
2.8 Filing System
Means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
2.9 Unique Identifier
Means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.
2.10 De-Identify
This means to delete any information that identifies a data subject or which can be used by a reasonably foreseeable method to identify, or when linked to other information, that identifies the data subject.
2.11 Re-Identify
In relation to personal information of a data subject, means to resurrect any information that has been de-identified that identifies the data subject, or can be used or manipulated by a reasonably foreseeable method to identify the data subject.
2.12 Consent
Means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
2.13 Marketing
Means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
– Promoting or offering to supply, in the ordinary course of business, any services to the data subject; or
3. POLICY PURPOSE
This policy demonstrates SARACCA’s commitment to protecting the privacy rights of data subjects in the following manner:
– Through stating desired behaviour and directing compliance with the provisions of PoPI and best practice.
– By cultivating an organisational culture that recognises privacy as a valuable human right.
– By developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information.
– By creating business practices that will provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of the organisation and the law (e.g. Pressure Equipment Regulations).
– By raising awareness through training and providing guidance to individuals who process personal information so that they can act confidently and consistently.
4. POLICY APPLICATION
This policy and its guiding principles apply to:
– SARACCA’s National Executive Committee
– All branches of SARACCA
– All employees, committee members and volunteers
– All contractors, suppliers, training providers and other persons acting on behalf of SARACCA
The policy’s guiding principles find application in all situations and must be read in conjunction with PoPI as well as the organisation’s PAIA Policy as required by the Promotion of Access to Information Act (Act No 2 of 2000).
The legal duty to comply with PoPI’s provisions is activated in any situation where there is:
– A processing of personal information entered into a record by or for a responsible person who is domiciled in South Africa.
PoPI does not apply in situations where the processing of personal information:
– is concluded in the course of purely personal or household activities, or
– where the personal information has been de-identified.
5. RIGHTS OF DATA SUBJECTS
Where appropriate, SARACCA will ensure that its members are made aware of the rights conferred upon them as data subjects. SARACCA will ensure that it gives effect to the following seven rights.
5.1 The Right to Access Personal Information
SARACCA recognises that a data subject has the right to establish whether SARACCA holds personal information related to him, her or it including the right to request access to that personal information. An example of a “Personal Information Request Form” can be found under Annexure A.
5.2 The Right to have Personal Information Corrected or Deleted
The data subject has the right to request, where necessary, that his, her or its personal information must be corrected or deleted where SARACCA is no longer authorised to retain the personal information.
5.3 The Right to Object to the Processing of Personal Information
The data subject has the right, on reasonable grounds, to object to the processing of his, her or its personal information. In such circumstances, SARACCA will give due consideration to the request and the requirements of PoPI. SARACCA may cease to use or disclose the data subject’s personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of the personal information.
5.4 The Right to Object to Direct Marketing
The data subject has the right to object to the processing of his, her or its personal information for purposes of direct marketing by means of unsolicited electronic communications.
5.5 The Right to Complain to the Information Regulator
The data subject has the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under PoPI and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its personal information.
An example of a “PoPI Complaint Form” can be found under Annexure B.
5.6 The Right to be Informed
The data subject has the right to be notified that his, her or its personal information is being collected by the organisation. The data subject also has the right to be notified in any situation where SARACCA has reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person.
6. GENERAL GUIDING PRINCIPLES
All employees and persons acting on behalf of SARACCA will at all times be subject to, and act in accordance with, the following guiding principles:
6.1 Accountability
Failing to comply with PoPI could potentially damage SARACCA’s reputation or expose SARACCA to a civil claim for damages. The protection of personal information is therefore everybody’s responsibility. SARACCA will ensure that the provisions of PoPI and the guiding principles outlined in this policy are complied with. However, SARACCA will take appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.
6.2 Processing Limitation
SARACCA will ensure that personal information under its control is processed:
– in a fair, lawful and non-excessive manner, and
– only with the informed consent of the data subject and
– only for a specifically defined purpose.
SARACCA will inform the data subject of the reasons for collecting his, her or its personal information and obtain written consent prior to processing personal information.
SARACCA will under no circumstances distribute or share personal information between separate legal entities or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected.
Where applicable, the data subject must be informed of the possibility that their personal information will be shared with other aspects of SARACCA’s business and be provided with the reasons for doing so.
6.3 Purpose Specification
SARACCA will process personal information only for specific, explicitly defined and legitimate reasons.
SARACCA will inform data subjects of these reasons prior to collecting or recording the data subject’s personal information.
6.4 Further Processing Limitation
Personal information will not be processed for a secondary purpose unless that processing is compatible with the original purpose. Therefore, where SARACCA seeks to process personal information it holds for a purpose other than the one for which it was originally collected, and where this secondary purpose is not compatible with the original purpose, SARACCA will first obtain additional consent from the data subject to further process the personal information.
6.5 Information Quality
SARACCA will take reasonable steps to ensure that all personal information collected is complete, accurate and not misleading. Where personal information is collected or received from third parties, SARACCA will take reasonable steps to confirm that the information is correct by verifying the accuracy of the information directly with the data subject or by way of independent sources.
6.6 Open Communication
SARACCA will take reasonable steps to ensure that data subjects are notified that their personal information is being collected including the purpose for which it is being collected and processed.
SARACCA will ensure that it establishes and maintains a “contact us” facility for data subjects who want to:
– Enquire whether SARACCA holds related personal information, or
– Request access to related personal information, or
– Request SARACCA to update or correct related personal information, or
– Make a complaint concerning the processing of personal information.
6.7 Security Safeguards
SARACCA will manage the security of its filing system to ensure that personal information is adequately protected. To this end, security controls will be implemented in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction.
SARACCA will continuously review its security controls, which will include regular testing of the protocols and measures put in place to combat cyber-attacks on the organisation’s IT network. SARACCA will ensure that all paper and electronic records comprising personal information are securely stored and made accessible only to authorised individuals. All new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of personal information for which SARACCA is responsible. SARACCA’s operators and third-party service providers will be required to enter into data privacy agreements with SARACCA in which the third party agrees to its commitments under PoPI and to the lawful processing of any personal information pursuant to the agreement.
6.8 Data Subject Participation
A data subject may request the correction or deletion of his, her or its personal information held by the organisation. SARACCA will ensure that it provides a facility for data subjects who want to request the correction or deletion of their personal information. Where applicable, SARACCA will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.
7. INFORMATION OFFICERS
SARACCA will appoint an Information Officer and, where necessary, a Deputy Information Officer to assist the Information Officer. Consideration will be given on an annual basis to the re-appointment or replacement of the Information Officer and the re-appointment or replacement of any Deputy Information Officers.
Once the Information Officer has been appointed, SARACCA will register him or her with the South African Information Regulator established under PoPI before he or she performs those duties.
8. SPECIFIC DUTIES AND RESPONSIBILITIES
8.1 National Executive Committee
SARACCA’s NEC cannot delegate its accountability and is ultimately answerable for ensuring that SARACCA meets its legal obligations in terms of PoPI. The board may however delegate some of its responsibilities in terms of PoPI to management or other capable individuals.
The National Executive Committee is responsible for ensuring that:
– All persons responsible for the processing of personal information on behalf of the organisation:
  – are appropriately trained and supervised to do so,
  – understand that they are contractually obligated to protect the personal information they come into contact with, and
  – are aware that a wilful or negligent breach of this policy’s processes and procedures may lead to disciplinary action being taken against them.
– Data subjects who want to make enquiries about their personal information are made aware of the procedure that needs to be followed should they wish to do so.
– The scheduling of a periodic PoPI audit in order to accurately assess and review the ways in which SARACCA collects, holds, uses, shares, discloses, destroys and processes personal information.
8.2 Information Officer
SARACCA’s Information Officer is responsible for:
– Taking steps to ensure the organisation’s reasonable compliance with the provisions of PoPI
– Keeping the board updated about the organisation’s information protection responsibilities under PoPI.
– Continually analysing privacy regulations and aligning them with SARACCA’s personal information processing procedures. This will include reviewing the organisation’s information protection procedures and related policies.
– Ensuring that PoPI Audits are scheduled and conducted on a regular basis.
– Ensuring that SARACCA makes it convenient for data subjects who want to update their personal information or submit PoPI related complaints to SARACCA.
– Approving any contracts entered into with operators, employees and other third parties which may have an impact on the personal information held by SARACCA.
– Encouraging compliance with the conditions required for the lawful processing of personal information.
– Ensuring that employees and other persons acting on behalf of SARACCA are fully aware of the risks associated with the processing of personal information and that they remain informed about SARACCA’s security controls.
– Organising and overseeing the awareness training of employees and other individuals involved in the processing of personal information on behalf of SARACCA.
– Addressing employees’ PoPI related questions.
– Addressing all PoPI related requests and complaints made by SARACCA’s data subjects.
– Working with the Information Regulator in relation to any ongoing investigations. The Information Officers will therefore act as the contact point for the Information Regulator authority on issues relating to the processing of personal information and will consult with the Information Regulator where appropriate, with regard to any other matter.
The Deputy Information Officer will assist the Information Officer in performing his or her duties.
8.3 IT Manager
SARACCA’s IT Manager/Service Provider is responsible for:
– Ensuring that SARACCA’s IT infrastructure, filing systems and any other devices used for processing personal information meet acceptable security standards.
– Ensuring that all electronically held personal information is kept only on designated drives and servers and uploaded only to approved cloud computing services.
– Ensuring that servers containing personal information are sited in a secure location, away from the general office space.
– Ensuring that all electronically stored personal information is backed up and that the backups are tested on a regular basis.
– Ensuring that all back-ups containing personal information are protected from unauthorised access, accidental deletion and malicious hacking attempts.
– Ensuring that personal information being transferred electronically is encrypted.
– Ensuring that all servers and computers containing personal information are protected by a firewall and the latest security software.
– Performing regular IT audits to ensure that the security controls on SARACCA’s hardware and software systems are functioning properly.
– Performing regular IT audits to verify whether electronically stored personal information has been accessed or acquired by any unauthorised persons.
– Performing a proper due diligence review prior to contracting with operators or any other third party service providers to process personal information on SARACCA’s behalf. For instance, cloud computing services.
8.4 Employees and other Persons acting on behalf of SARACCA
Employees and other persons acting on behalf of SARACCA will, during the course of the performance of their services, gain access to and become acquainted with the personal information of certain customers, suppliers and other employees. Employees and other persons acting on behalf of SARACCA are required to treat personal information as a confidential business asset and to respect the privacy of data subjects.
Employees and other persons acting on behalf of SARACCA may not directly or indirectly utilise, disclose or make public in any manner to any person or third party, either within SARACCA or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties.
Employees and other persons acting on behalf of SARACCA must request assistance from the Information Officer if they are unsure about any aspect related to the protection of a data subject’s personal information. Employees and other persons acting on behalf of SARACCA will only process personal information where:
– The data subject, or a competent person where the data subject is a child, consents to the processing; or
– The processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party; or
– The processing complies with an obligation imposed by law on the responsible party; or
– The processing protects a legitimate interest of the data subject; or
– The processing is necessary for pursuing the legitimate interests of SARACCA or of a third party to whom the information is supplied.
Furthermore, personal information will only be processed where the data subject:
– Clearly understands why and for what purpose his, her or its personal information is being collected; and
– Has granted SARACCA explicit written or verbally recorded consent to process his, her or its personal information.
Employees and other persons acting on behalf of SARACCA will consequently, prior to processing any personal information, obtain a specific and informed expression of will from the data subject, in terms of which permission is given for the processing of personal information.
Informed consent is therefore when the data subject clearly understands for what purpose his, her or its personal information is needed and who it will be shared with.
Consent can be obtained in written form which includes any appropriate electronic medium that is accurately and readily reducible to printed form.
Consent to process a data subject’s personal information will be obtained directly from the data subject, except where:
– the personal information has been made public, or
– where valid consent has been given to a third party, or
– the information is necessary for effective law enforcement.
Employees and other persons acting on behalf of SARACCA will under no circumstances:
– Process or have access to personal information where such processing or access is not a requirement to perform their respective work-related tasks or duties.
– Save copies of personal information directly to their own private computers, laptops or other mobile devices like tablets or smart phones.
– Share personal information informally. Where access to personal information is required, this may be requested from the Information Officer.
– Transfer personal information outside of South Africa without the express permission from the Information Officer.
Employees and other persons acting on behalf of SARACCA are responsible for:
– Keeping all personal information that they come into contact with secure, by taking sensible precautions and following the guidelines outlined within this policy.
– Ensuring that personal information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created.
– Ensuring that personal information is encrypted prior to sending or sharing the information electronically. The IT Manager/Service Provider will assist employees and, where required, other persons acting on behalf of SARACCA with the sending or sharing of personal information to or with authorised external persons.
– Ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store personal information are password protected. Passwords must be changed regularly and may not be shared with unauthorised persons.
– Ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks.
– Ensuring that where personal information is stored on removable storage media such as external drives, CDs or DVDs, these are kept locked away securely when not being used.
– Ensuring that where personal information is stored on paper, that such hard copy records are kept in a secure place where unauthorised people cannot access it. For instance, in a locked drawer of a filing cabinet.
– Ensuring that where personal information has been printed out, that the paper printouts are not left unattended where unauthorised individuals could see or copy them. For instance, close to the printer.
– Taking reasonable steps to ensure that personal information is kept accurate and up to date. For instance, confirming a data subject’s contact details when the member phones or communicates via email.
– Where a data subject’s information is found to be out of date, authorisation must first be obtained from the Information Officer to update the information accordingly.
– Taking reasonable steps to ensure that personal information is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected. Where personal information is no longer required, authorisation must first be obtained from the Information Officer to delete or dispose of the personal information in the appropriate manner.
– Undergoing PoPI awareness training from time to time.
Where an employee, or a person acting on behalf of SARACCA, becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction or the unsanctioned disclosure of personal information, he or she must immediately report this event or suspicion to the Information Officer or the Deputy Information Officer.
9. POPI AUDIT
SARACCA’s Information Officer will schedule periodic PoPI audits.
The purpose of a PoPI audit is to:
– Identify the processes used to collect, record, store, disseminate and destroy personal information.
– Determine the flow of personal information throughout SARACCA. For instance, SARACCA’s various divisions, business units and branches.
– Redefine the purpose for gathering and processing personal information.
– Ensure that the processing parameters are still adequately limited.
– Ensure that new data subjects are made aware of the processing of their personal information.
– Re-establish the rationale for any further processing where information is received via a third party.
– Verify the quality and security of personal information.
– Monitor the extent of compliance with PoPI and this policy.
– Monitor the effectiveness of internal controls established to manage SARACCA’s PoPI related compliance risk.
In performing the PoPI audit, Information Officers will liaise with managers in order to identify areas within SARACCA’s operation that are most vulnerable or susceptible to the unlawful processing of personal information.
10. REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE
Data subjects have the right to:
– Request what personal information SARACCA holds about them and why.
– Request access to their personal information.
– Be informed how to keep their personal information up to date.
Access to information requests can be made by email, addressed to the Information Officer. The Information Officer will provide the data subject with a “Personal Information Request Form”.
Once the completed form has been received, the Information Officer will verify the identity of the data subject prior to handing over any personal information. All requests will be processed and considered against the organisation’s PAIA Policy.
The appropriate request form is available from the SARACCA Information Officer.
The Information Officer will process all requests within a reasonable time.
11. POPI COMPLAINTS PROCEDURE
Data subjects have the right to complain in instances where any of their rights under PoPI have been infringed upon. SARACCA takes all complaints very seriously and will address all PoPI related complaints in accordance with the following procedure:
– PoPI complaints must be submitted to SARACCA in writing. Where so required, the Information Officer will provide the data subject with a “PoPI Complaint Form”.
– Where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within 1 working day.
– The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within 2 working days.
– The Information Officer will carefully consider the complaint and address the complainant’s concerns in an amicable manner. In considering the complaint, the Information Officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in PoPI.
– The Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on SARACCA’s data subjects.
– Where the Information Officer has reason to believe that the personal information of data subjects has been accessed or acquired by an unauthorised person, the Information Officer will consult with SARACCA’s board, after which the affected data subjects and the Information Regulator will be informed of the breach.
– The Information Officer will revert to the complainant with a proposed solution with the option of escalating the complaint to SARACCA’s board within 7 working days of receipt of the complaint.
In all instances, SARACCA will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines.
The Information Officer’s response to the data subject may comprise any of the following:
1. A suggested remedy for the complaint,
2. A dismissal of the complaint and the reasons as to why it was dismissed,
3. An apology (if applicable) and any disciplinary action that has been taken against any employees involved.
– Where the data subject is not satisfied with the Information Officer’s suggested remedies, the data subject has the right to complain to the Information Regulator.
– The Information Officer will review the complaints process on a periodic basis to assess the effectiveness of the procedure and to improve the procedure where it is found wanting. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to PoPI related complaints.
The appropriate complaint form is available from the SARACCA Information Officer.
12. DISCIPLINARY ACTION
Where a PoPI complaint or a PoPI infringement investigation has been finalised, SARACCA may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy.
In the case of ignorance or minor negligence, SARACCA will undertake to provide further awareness training to the employee. Any gross negligence or the wilful mismanagement of personal information will be considered a serious form of misconduct for which SARACCA may summarily dismiss the employee.
Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence.
Examples of immediate actions that may be taken subsequent to an investigation include:
– A recommendation to commence with disciplinary action.
– A referral to appropriate law enforcement agencies for criminal investigation.
– Recovery of funds and assets in order to limit any prejudice or damages caused.