Protection of Personal Information (POPI) Policy
Introduction
- This policy forms part of The Frame Work (Pty) Ltd (hereinafter referred to as the company) policies and procedures.
- The right to privacy is an integral human right recognised and protected in the South African Constitution and in the Protection of Personal Information Act 4 of 2013 ("POPIA").
- "POPIA" aims to promote the protection of privacy through providing guiding principles that are intended to be applied to the processing of personal information.
- "POPIA" aims to balance the competing interests of:
- Our individual constitutional rights to privacy (which requires our personal information to be protected); and
- The needs of our society to have access to and to process (work with) our personal information for legitimate purposes, including the purpose of doing business.
- Through the provision of website compliance, marketing and development, the company is necessarily involved in the collection, use and disclosure of certain aspects of the personal information of customers, suppliers, employees, and other stakeholders.
- A person's right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions.
- Given the importance of privacy, the company is committed to effectively managing personal information in accordance with POPIA's provisions and acknowledges that it is accountable for looking after such information.
Definitions
Biometrics
Means a technique of personal identification that is based on physical, physiological, or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning, and voice recognition.
Child
Means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning them.
Competent Person
Means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
Consent
Means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
Constitution
Means the Constitution of the Republic of South Africa, 1996.
Data Subject
This refers to the natural or juristic person to whom personal information relates such as an individual client, customer or a company that supplies the company with products or other goods.
De-Identify
In relation to personal information of a data subject, this means to delete any information that:
- identifies the data subject;
- can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
- can be linked by a reasonably foreseeable method to other information that identifies the data subject, and "de-identified" has a corresponding meaning;
Direct Marketing
Means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
- Promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
- Requesting the data subject to make a donation of any kind for any reason.
Operator
Means a person who processes personal information on behalf of the responsible party.
Personal information
This means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person;
- Information relating to the education or the medical, financial, criminal or employment history of the person;
- Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
- The biometric information of the person;
- The personal opinions, views, or preferences of the person;
- Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- The views or opinions of another individual about the person; and
- The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Processing
Where reference is made to the "processing" of personal information, this will include any activity in which the information is worked with, from the time that the information is collected, up to the time that the information is destroyed, regardless of whether the information is worked with manually, or by automated systems.
Public Record
Means a record that is accessible in the public domain, and which is in the possession of or under the control of a public body, whether or not it was created by that public body.
Record
Means any recorded information, regardless of form or medium, including:
- Writing on any material;
- Information produced, recorded, or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded, or stored;
- Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
- Book, map, plan, graph, or drawing;
- Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.
Re-Identify
In relation to personal information of a data subject, this means to resurrect any information that has been de-identified, that:
- identifies the data subject;
- can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
- can be linked by a reasonably foreseeable method to other information that identifies the data subject, and "re-identified" has a corresponding meaning.
Responsible party
The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. In this case, the company is the responsible party.
The Information officer
Where no information officer is appointed, the head of the company will be responsible for performing the information officer's duties.
Once appointed, the information officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties. Deputy information officers can also be appointed to assist the information officer.
Unique Identifier
Means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.
Purpose
- The purpose of this policy is to protect the company from the compliance risks associated with the protection of personal information which includes:
- Breaches of confidentiality;
- Failing to offer choice in that all data subjects should be free to choose how and for what purpose the company uses the information; and
- Reputational damage.
- This policy demonstrates the company's commitment to protecting the privacy rights of data subjects in the following manner:
- Through stating desired behaviour and directing compliance with the provisions of POPIA and best practice;
- By cultivating a culture that recognises privacy as a valuable human right;
- By developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information;
- By creating business practices that will provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of the organisation;
- By assigning specific duties and responsibilities, including the appointment of an information officer and where necessary, deputy information officers in order to protect the interests of the organisation and data subjects; and
- By raising awareness through training.
Application
- This policy and its guiding principles apply to:
- All shareholders of the company
- All business units and divisions of the company
- All employees
- All contractors, suppliers and other persons acting on behalf of the company.
The Company’s Undertaking to Data Subjects
- The company undertakes:
- To follow POPIA at all relevant times and to process personal information lawfully and reasonably, so as not to infringe unnecessarily on the privacy of our data subjects;
- To process information only for the purpose for which it is intended, to enable the company to operate, as agreed with data subjects;
- To whenever necessary, obtain consent to process personal information;
- Where consent is not required, to follow the legal obligations placed upon the company in the processing of personal information, or to protect a legitimate interest that requires protection;
- To stop processing personal information if the required consent is withdrawn, or if a legitimate objection is raised;
- To collect personal information directly from the data subject, unless:
- the information is of public record; or
- the data subject has consented to the collection of their personal information from another source; or
- the collection of the information from another source does not prejudice the data subject; or
- the information to be collected is necessary for the maintenance of law and order or national security; or
- the information is being collected to comply with a legal obligation, including an obligation to SARS; or
- the information collected is required for the conduct of proceedings in any court or tribunal, where these proceedings have commenced or are reasonably contemplated; or
- the information is required to maintain our legitimate interests; or
- where requesting consent would prejudice the purpose of the collection of the information; or
- where requesting consent is not reasonably practical in the circumstances.
- To retain records of the personal information collected for the minimum period as required by law unless the data subject has furnished their consent or instructed the company to retain the records for a longer period;
- To advise data subjects of the purpose of the collection of the personal information;
- To destroy or delete records of the personal information (so as to de-identify the data subject) as soon as reasonably possible after the time period for which we were entitled to hold the records has expired;
- To restrict the processing of personal information:
- where the accuracy of the information is contested, for a period sufficient to enable the company to verify the accuracy of the information;
- where the purpose for which the personal information was collected has been achieved and where the personal information is being retained only for the purposes of proof;
- where the data subject requests that the personal information is not destroyed or deleted, but rather retained; or
- where the data subject requests that the personal information be transmitted to another automated data processing system.
- The further processing of personal information shall only be undertaken:
- where the further processing is compatible with the original purpose;
- where the further processing is necessary because of a threat to public health or public safety or to the life or health of the data subject;
- where the information is used for historical, statistical or research purposes and the identity of the data subject will not be disclosed; or
- where this is required by the Information Regulator appointed in terms of POPIA.
- To ensure that the personal information which the company collects and processes is complete, accurate, not misleading and up to date;
- To retain the physical file and the electronic data related to the processing of the personal information;
- To take special care with data subjects' bank account details; the company is not entitled to obtain or disclose such banking details unless the data subject's specific consent has been obtained.
Data Subjects' Rights
- Where appropriate the company will ensure that its clients, customers, suppliers, and employees are made aware of the rights conferred upon them as data subjects.
- The company will ensure it gives effect to the following rights:
- The right to access personal information.
- to establish what personal information the company holds about them and why;
- to access their personal information; and
- to establish how to keep their personal information up to date.
- The right to have personal information corrected or deleted.
- The right to object to the processing of personal information
- The right to object to direct marketing
- The right to complain to the information officer.
- The right to be informed.
- The right to withdraw consent.
The company recognises that a data subject has the following rights:
On production of proof of identity, any person is entitled to request that the company confirms, free of charge, whether the company holds any personal information about themselves.
Access to information requests can be made by an email addressed to the information officer. The information officer will provide the data subject with a “Personal Information Request Form”. Once the completed form is received the information officer will, on verification of identity, hand over the information. The information officer shall do this within a reasonable period of time, in a reasonable manner and in an understandable form.
In certain circumstances the company will be obliged to refuse to disclose the record containing the personal information to the data subject. In other circumstances the company will have discretion as to whether or not to do so. In all cases where the disclosure of a record will entail the disclosure of information that is additional to the personal information of the person requesting the record, the written consent of the information officer (or the deputy) will be required, and that person shall make their decision having regard to the provisions of Chapter 4 part 3 of the Promotion of Access to Information Act.
If a request for personal information is made and part of the requested information may, or must be refused, every other part will still be disclosed.
A data subject is entitled to require the company to correct or delete personal information that the company has, which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or which has been obtained unlawfully.
A data subject is also entitled to require the company to destroy or delete records of personal information about the data subject that the company is no longer authorised to retain. Any such request must be made on the "Request for correction or deletion of Personal Information Form".
Upon receipt of such a lawful request, the company will comply as soon as reasonably practicable. In the event that a dispute arises regarding the data subject’s rights to have information corrected, and in the event that the data subject so requires, the company will attach to the information, in a way that it will always be read with the information, an indication that the correction of the information has been requested but has not been made.
The company will notify the data subject who has made a request for their personal information to be corrected or deleted what action has been taken as a result of such a request.
The data subject has the right, on reasonable grounds, to object to the processing of their personal information.
In such circumstances, the company will give due consideration to the request and the requirements of POPIA. The company may cease to use or disclose the data subject's personal information and may, subject to any statutory and contractual record-keeping requirements, also approve the destruction of the personal information.
The data subject has the right to object to the processing of their personal information for purposes of direct marketing by means of unsolicited electronic communications.
The data subject has the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of their personal information. (Complaint Form)
The data subject has the right to be notified that their personal information is being collected by the company.
The data subject also has the right to be notified in any situation where the company has reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person.
In cases where the data subject’s consent is required to process their personal information, this consent may be withdrawn.
Guiding Principles
The company will ensure that the principles/conditions for lawful processing of personal information set out in POPIA, listed below, are complied with:
- Condition 1 - Accountability: The company must be accountable for the personal information it processes or holds in its possession.
- Condition 2 - Processing Limitation: Personal information must be processed in a lawful and reasonable manner. The purpose for processing the information must be lawful, adequate, relevant, and not excessive.
- Condition 3 - Purpose Specification: The purpose for processing personal information must be specific, explicitly defined, and lawful.
- Condition 4 - Further Processing Limitation: The reason for processing personal information further must be compatible with the original purpose of collection.
- Condition 5 - Quality of Information: The company is required to take practicable steps to ensure that the personal information processed is complete, accurate, not misleading and updated.
- Condition 6 - Openness: Personal information must be processed in a way that allows the data subject to know what is happening to their personal information.
- Condition 7 - Security Safeguards: The company must ensure that there are sufficient security safeguards in place to secure the integrity and confidentiality of the personal information in our possession.
- Condition 8 - Data Subject Participation: Data subjects have a right to access their personal information and to correct and update their personal information.
Security Safeguards
- POPIA demands that companies take reasonable measures to protect personal information and to protect it at each step. In order to secure the integrity and confidentiality of the personal information in the company's possession and to protect it against loss or damage or unauthorised access, the company has implemented the following security safeguards:
- The processing of special personal information will be prohibited;
- All personal data in company processes has been identified;
- The company does not generate paper records; all electronic records are stored on OneDrive;
- All devices within the company are protected by passwords;
- Personal information is made accessible only to authorised individuals;
- All new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosure of personal information for which the company is responsible;
- Employees will be trained to carry out their duties in compliance with POPIA, and this training will be ongoing;
- The digital work profiles and privileges of employees who have left the employ of the company will be terminated;
- Employment contracts for employees whose duty it is to process a data subject’s personal information, will include an obligation on the employee to maintain the company’s security measures, and to notify their superior immediately if there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person;
- The company’s operators and third-party service providers will be required to enter into service level agreements with the company where both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.
- The contractual obligations of third parties will be reviewed regularly; and
- The requirements of the Information Officer and/or the Information Regulator will be complied with.
Security Breaches
- Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the company will report this to the Information Regulator and advise the relevant data subject/s, unless the company is no longer able to identify the data subject/s. This notification will take place as soon as reasonably possible.
- Such notification will be given to the Information Regulator first as it is possible that they or another public body might require the notification to the data subject/s be delayed.
- The notification to the data subject will be communicated in writing in one of the following ways, with a view to ensuring that the notification reaches the data subject:
- by mail to the data subject’s last known physical or postal address;
- by email to the data subject's last known email address;
- by publication on the company’s website or in the news media; or
- as directed by the Information Regulator.
- The notification to the data subject will give sufficient information to enable the data subject to protect themselves against the potential consequences of the security breach and must include:
- a description of the possible consequences of the breach;
- details of the measures that the company intends to take or has taken to address the breach;
- the recommendation of what the data subject could do to mitigate the adverse effects of the breach; and
- if known, the identity of the person who may have accessed, or acquired the personal information.
Special Personal Information
- Special rules apply to the collection and use of information relating to a person’s religious or philosophical beliefs, their race or ethnic origin, their trade union membership, their political persuasion, their health or sex life, their biometric information, or their criminal behaviour.
- The company shall not process any of this special personal information without the data subject’s consent or where this is necessary for the establishment, exercise, or defence of a right or an obligation in law or the authorisation of the Regulator has been obtained.
- In the normal course of business, it is unlikely that there will be a need to process special information, but should it be necessary the guidance of the information officer will be sought.
The Processing Of Personal Information Of Children
- The company will only process the personal information of a child if:
- The prior consent of a competent person is obtained;
- The information has been deliberately made public by the child with the consent of a competent person;
- The processing is necessary:
- for the establishment, exercise, or defence of a right or obligation in law;
- to comply with an obligation of international public law; or
- for historical, statistical or research purposes; or
- Application is made to the Regulator in the case of public interest.
Duties And Responsibilities
Circumstances Requiring Prior Authorisation
- The company will only process the personal information of a child with the consent of the child’s parent or legal guardian.
- Furthermore, in the following circumstances the company will require prior authorisation from the Information Regulator before processing any personal information:
- in the event that the company intends to utilise any unique identifiers of data subjects (account numbers, file numbers or other numbers or codes allocated to data subjects for the purposes of identifying them) for any purpose other than the original intention, or to link the information with information held by others;
- if the company is processing information on criminal behaviour, unlawful or objectionable conduct or for the purposes of credit;
- if the company is transferring special personal information or the personal information of children to a third party in a foreign country, that does not provide adequate protection of that personal information.
- The Information Regulator will be notified of the company’s intention to process any personal information as set out above prior to any processing taking place and the company will not commence with such processing until the Information Regulator has decided in the company’s favour. The Information Regulator has four (4) weeks to decide but may decide that a more detailed investigation is required. In this event the decision will be made in a period as indicated by the Information Regulator, which must not exceed thirteen (13) weeks. If the Information Regulator does not decide within the stipulated time periods, the company will assume that the decision is in the company’s favour and commence processing the information.
Transborder Information Flows
- The company will not transfer a data subject’s personal information to a third party in a foreign country, unless:
- the data subject consents to this, or requests it; or
- such third party is subject to a law, binding corporate rules or a binding agreement which protects the personal information in a manner similar to POPIA, and such third party is governed by similar rules which prohibit the onward transfer of the personal information to a third party in another country; or
- the transfer of the personal information is required for the performance of the contract between the company and the data subject; or
- the transfer is necessary for the conclusion or performance of a contract for the benefit of the data subject entered into between the company and the third party; or
- the transfer of personal information is for the benefit of the data subject, and it is not reasonably possible to obtain their consent and if it were possible the data subject would be likely to give such consent.
POPIA Audit
- The company's information officer will schedule periodic POPIA Audits. The purpose of a POPIA audit is to:
- Identify the processes used to collect, record, store, disseminate and destroy personal information;
- Determine the flow of personal information throughout the company;
- Redefine the purpose for gathering and processing personal information;
- Ensure that the processing parameters are still adequately limited;
- Ensure that new data subjects are made aware of the processing of their personal information;
- Re-establish the rationale for any further processing where information is received via a third party;
- Verify the quality and security of personal information;
- Monitor the extent of compliance with POPIA and this policy; and
- Monitor the effectiveness of internal controls established to manage the company's POPIA related compliance risk.
- In performing the POPIA audits, the information officer will liaise with management in order to identify areas within the company that are most vulnerable or susceptible to the unlawful processing of personal information.
POPIA Complaints Procedure
- Data subjects have the right to complain in instances where any of their rights under POPIA have been infringed upon. The company will take all complaints very seriously and will address all POPIA related complaints in accordance with the following procedure:
- POPIA complaints must be submitted to the company in writing. Where required, the information officer will provide the data subject with a "Complaint Form".
- Where the complaint has been received by any person other than the information officer, that person will ensure that the full details of the complaint reach the information officer within two (2) working days.
- The information officer will provide the complainant with a written acknowledgement of receipt of the complaint within two (2) working days.
- The information officer will carefully consider the complaint and address the complainant's concerns in an amicable manner. In considering the complaint, the information officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA.
- The information officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on the company's data subjects.
- Where the information officer has reason to believe that the personal information of data subjects has been accessed or acquired by an unauthorised person, the information officer will consult with the CEO/managing director whereafter the affected data subjects, and the Information Regulator will be informed of this breach.
- The information officer will revert to the complainant with a proposed solution with the option of escalating the complaint to the company's board within seven (7) working days of receipt of the complaint. In all instances, the company will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines.
- The information officer's response to the data subject must comprise any of the following:
- A suggested remedy for the complaint,
- A dismissal of the complaint and the reasons as to why it was dismissed, or
- An apology (if applicable) and any disciplinary action that has been taken against any employees involved.
- Where the data subject is not satisfied with the information officer's suggested remedies, the data subject has the right to complain to the Information Regulator.
- The information officer will review the complaints process to assess the effectiveness of the procedure on a periodic basis and to improve the procedure. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to POPIA related complaints.
- Where a POPIA complaint or a POPIA infringement investigation has been finalised, the company may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy.
Offences And Penalties
- POPIA provides for serious penalties for the contravention of its terms. Breaches of this compliance manual/policy will also be viewed as a serious disciplinary offence. It is therefore imperative that all employees comply strictly with the terms of this compliance manual/policy.
Schedule Of Annexures And Forms
- Annexure A - Objection to the Processing of Personal Information Form
- Annexure B - Request for the Correction or Deletion of Personal Information Form
- Annexure C - Personal Information Request Form
- Annexure D - Complaint Form
- Annexure E - Application for Consent to Direct Marketing
- Annexure F - Notice and Request for Correction or Deletion of Personal Information
Policy Adoption
- Director: Zane Harpur (Position: Director), Date: 18 August 2023
- Information Officer: Zane Harpur (Position: Information Officer), Date: 18 August 2023