Introduction
You may be aware that South Africa has introduced a new law called the Protection of Personal Information Act, or POPIA. This law has introduced many requirements for organisations to act responsibly when using individuals’ personal information. POPIA calls these individuals data subjects. Failure to comply with POPIA could severely damage our organisation’s reputation and could lead to litigation with serious financial consequences. This document outlines our organisation’s intent with regard to the implementation and maintenance of our ongoing Personal Information Protection Program.
As an employee, you are a data subject, and we use your personal information such as your name, identification, address and banking details, and perhaps sensitive data (which POPIA calls special personal information) such as your health status or trade union membership. Our clients and customers are also data subjects. POPIA requires that this personal information be protected, that it be kept accurate and up to date, and that data subjects be able to access their personal information.
Requirements
We expect our leadership to:
Understand the requirements of POPIA, especially for areas under their influence and especially where they have responsibilities as information owners
Drive the adoption of the appropriate behaviours throughout our organisation
Understand and regularly assess and respond to any privacy risk to their areas of operation
Policy Statement
This Policy defines the responsibilities and expected behaviours of all our employees, contractors and relevant organisation partners which will uphold a data subject’s right to have his or her personal information processed in accordance with the requirements of the Protection of Personal Information Act.
Scope
This Policy applies to:
the personal information of all data subjects with whom we interact
all types of and uses for personal information within our organisation
all our employees and organisation partners, especially those who deal directly with personal information
all our organisation’s processes and all systems (both manual and digital, internal and external) that process personal information
all our data processing locations, whether in, or out of country
Data Protection Rules
We shall:
Only process personal information which is relevant to our organisational needs
Together with our data subjects, keep their personal information up to date
Not keep personal information in the hope that it may become useful later on
Only grant access to the data to people who need to use it for their jobs
Protect the data from accidental loss or theft
Where required, always seek the data subject’s consent
Where required, always seek the consent of a competent person in respect of a child
Only process sensitive personal information where we are legally able or required to do so
When communicating with our data subjects, always be open and transparent, using language that is easily understandable
Be aware of possible requests from data subjects to access and manage their personal information and how to respond to such requests
Be aware of possible compromises in the security of personal information and how to respond to such security compromises
Be aware of and respond timeously to any training and awareness programs and communications within our organisation