Policy: Protection of Personal Information

Name of policy: FRTC Policy on Protection of Personal Information

Reference number: FRTC/POPI/COMPLIANCE

Custodian: Information Officer

POLICY STATEMENT

  1. Background
    1. Felix Risk Training Consultants CC is a private higher education institution in terms of the Higher Education Act No. 101 of 1997 and the Companies Act. As such, it is committed to complying with all laws of South Africa, in particular the Companies Act, the Promotion of Access to Information Act, and the Protection of Personal Information Act (hereinafter referred to as the POPI Act), which gives effect to the right to privacy explicitly entrenched in section 14 of the Constitution of the Republic of South Africa.
    2. This policy specifically deals with Felix Risk Training Consultants CC's compliance with the Protection of Personal Information Act No. 4 of 2013, but also incorporates the requirements imposed by the Promotion of Access to Information Act No. 2 of 2000 (“PAIA”) and section 26 of the Companies Act.
    3. By nature of being an educational business, Felix Risk Training Consultants CC processes personal information of its employees, members, clients, agents, representatives, students and other data subjects from time to time. The purpose of this policy, therefore, is to incorporate the requirements imposed by the Promotion of Access to Information Act No. 2 of 2000 (“PAIA”) into everyday business without conflicting with the Protection of Personal Information Act No. 4 of 2013 (“POPI Act”) or the Companies Act of 2008.
    4. This Policy outlines the manner in which Felix Risk Training Consultants CC will deal with personal information provided by any data subject for the purposes of business, and similarly provides clarification on the general purposes for which the information is used, as well as how data subjects can participate in this process in relation to their personal information.
    5. Furthermore, Felix Risk Training Consultants CC has developed a manual and made it available as prescribed by PAIA, in terms of which parties / requesters can submit requests for the disclosure of information. Internal measures, together with adequate systems, have also been developed to process requests for information or access thereto.
  2. Objectives
      1. To ensure that Felix Risk Training Consultants CC complies with all applicable legislation (such as the POPI Act and PAIA) in respect of all personal information that it collects and processes for the purposes of business.
      2. To inform employees, students, facilitators, and clients as to how their personal information is used, disclosed and destroyed.
      3. To ensure that personal information is only used for the purposes for which it was collected.
      4. To prevent unauthorised access and use of personal information.
  3. Definition of terms (extracted from the POPI Act, No. 4 of 2013)
    1. Biometrics:
      means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.
    2. Child:
      means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.
    3. Competent person:
      means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
    4. Consent:
      means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.
    5. Data subject:
      means the person to whom personal information relates.
    6. De-identify:
      in relation to personal information of a data subject, means to delete any information that—
      1. identifies the data subject;
      2. can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
      3. can be linked by a reasonably foreseeable method to other information that identifies the data subject, and “de-identified” has a corresponding meaning.
    7. Direct marketing:
      means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of—
        1. promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
        2. requesting the data subject to make a donation of any kind for any reason.
    8. Information officer:
      in relation to a private body: the head of a private body as contemplated in Section 1 of PAIA.
    9. Operator:
      means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
    10. Person:
      means a natural person or a juristic person.
    11. Personal information:
      means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
      1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
      2. information relating to the education or the medical, financial, criminal or employment history of the person;
      3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
      4. the biometric information of the person;
      5. the personal opinions, views or preferences of the person;
      6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
      7. the views or opinions of another individual about the person; and
      8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
    12. Processing:
      means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
        1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
        2. dissemination by means of transmission, distribution or making available in any other form; or
        3. merging, linking, as well as restriction, degradation, erasure or destruction of information.
    13. PAIA:
      refers to the Promotion of Access to Information Act 2 of 2000.
    14. Record:
      means any recorded information—
      1. regardless of form or medium, including any of the following—
        1. Writing on any material;
        2. information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
        3. label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
        4. book, map, plan, graph or drawing;
        5. photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
      2. in the possession or under the control of a responsible party;
      3. whether or not it was created by a responsible party; and
      4. regardless of when it came into existence.
    15. Re-identify:
      in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that—
        1. identifies the data subject;
        2. can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
        3. can be linked by a reasonably foreseeable method to other information that identifies the data subject, and “re-identified” has a corresponding meaning.
    16. Responsible party:
      means the Information Officer.
    17. Special personal information:
      1. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
      2. the criminal behaviour of a data subject to the extent that such information relates to—
        1. the alleged commission by a data subject of any offence; or
        2. any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
  4. Scope
    1. This document applies to all personal information, whether belonging to a natural or juristic person that may be collected, requested, retained and subsequently destroyed, pertaining to the various stakeholders of Felix Risk Training Consultants CC.
  5. The Policy
    1. Lawfulness of Processing, Minimality and Collection for a Specified Purpose
      1. When processing personal information, Felix Risk Training Consultants CC must ensure that such processing takes place for a specified purpose (which relates to the activities of the Felix Risk Training Consultants CC), lawfully and in a reasonable manner whilst not infringing on the rights of the data subject.
      2. Any personal information that is obtained and retained by the Felix Risk Training Consultants CC must be used only for the purposes as notified to the data subject.
      3. The data subject must also be provided with the relevant and mandatory notification as required for by the POPI Act Regulations and Guidelines.
    2. Consent, Collection of Personal Information and Notification to the Data Subject
      1. Personal information may only be processed by Felix Risk Training Consultants CC where the data subject (or in the case where the data subject is a child, from a competent person) has consented to such processing and such information must be collected directly from the data subject (or the competent person, as the case may be).
      2. The data subject must be made aware of the reasons for the necessity to provide the requested personal information and the consequences of not consenting and/or objecting to the processing of the relevant personal information e.g., not being able to proceed with an application for admission or employment.
      3. Felix Risk Training Consultants CC may only require personal information that is necessary for, and directly related to, the particular purpose for which it is needed.
    3. Retention; Restriction of Records; Security of information
      1. Felix Risk Training Consultants CC may retain personal information:
        1. for as long as the lawful purpose for which it requires the personal information remains; and/or
        2. as a practice of good governance; and/or
        3. as proof that the objective for which the personal information was obtained and subsequently processed has been achieved; and/or
        4. for historical, statistical and/or research purposes of Felix Risk Training Consultants CC.
      2. Felix Risk Training Consultants CC may retain the personal information in the above circumstances for periods in excess of those required by legislation, so long as appropriate security measures are in place and/or implemented, for both electronic and paper-based formats that may be utilised for processing personal information, to avoid any and all instances of security breaches.
      3. Personal information may only ever be processed by person(s) authorised to do so by Felix Risk Training Consultants CC and must always be kept in a confidential, safe and secure manner so as to avoid exposure to unauthorised persons.
      4. It is therefore recommended that, where relevant, staff sign non-disclosure agreements to ensure the confidentiality of information.
      5. All personal information processed by the Felix Risk Training Consultants CC, and which remains in active use by the Felix Risk Training Consultants CC must be maintained in an archival facility within the division that is utilising the information.
      6. The personal information must be properly categorised and stored for ease of reference and retrieval. Where practicable, the use of hardcopy formats of information should be limited, to streamline the process of maintaining the confidentiality and integrity of the information.
      7. Such archival points must be maintained in such a manner to ensure that the personal information is kept in a confidential, safe and secure manner so as to avoid exposure to unauthorised persons.
      8. When the personal information is no longer in active use, and Felix Risk Training Consultants CC is still required to retain same (by applicable legislation or as a good governance practice), such information must be sent to a centralised archival point where same must be properly categorised and stored for ease of reference and retrieval.
      9. Such centralised archival point must be maintained in such a manner so as to ensure that the personal information is kept in a confidential, safe and secure manner so as to avoid exposure to unauthorised persons.
      10. Once the personal information may no longer be retained for the reasons mentioned above, same must be destroyed/de-identified (the process must still facilitate and maintain the confidentiality of the information), by persons authorised to do so by the Felix Risk Training Consultants CC in a manner that ensures that the personal information cannot be reconstructed or re-identified.
      11. Felix Risk Training Consultants CC will follow any guidelines and/or directions issued by the Information Regulator and/or the KwaZulu-Natal Provincial Archivist’s Office that pertain to retention and/or destruction practices. Therefore, Felix Risk Training Consultants CC must ensure that the proof and/or record of destruction of the personal information.
  6. Rights of the Data Subject
    1. The data subject, or the competent person where the data subject is a child, may withdraw his/her or its consent to the procurement and processing of his/her or its personal information at any time, provided that the lawfulness of the processing of personal information before such withdrawal is not affected.
    2. A data subject may object, at any time, to the processing of personal information—
      1. in writing, on reasonable grounds relating to his/her or its situation, unless legislation provides for such processing; or
      2. for purposes of direct marketing other than direct marketing by means of unsolicited electronic communications.
    3. A data subject, having provided adequate proof of identity, has the right to—
      1. request Felix Risk Training Consultants CC to confirm, free of charge, whether or not Felix Risk Training Consultants CC holds personal information about the data subject; and
      2. request from Felix Risk Training Consultants CC a record or a description of the personal information about the data subject held by Felix Risk Training Consultants CC, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information—
        1. within a reasonable time;
        2. at a prescribed fee as determined by the Information Officer;
        3. in a reasonable manner and format; and
        4. in a form that is generally understandable.
  7. A data subject may, in the prescribed manner, request Felix Risk Training Consultants CC to—
    1. Correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete or misleading or obtained unlawfully; or
    2. Destroy or delete a record of personal information about the data subject that Felix Risk Training Consultants CC is no longer authorised to retain.
  8. Upon receipt of a request referred to in clause 7, Felix Risk Training Consultants CC will, as soon as reasonably practicable—
    1. correct the information;
    2. destroy or delete the information, or provide the data subject, to his/her or its satisfaction, with credible evidence in support of the information; or
    3. where an agreement cannot be reached between Felix Risk Training Consultants CC and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances to attach to the information, in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
    4. Felix Risk Training Consultants CC will inform the data subject who made a request as set out in clause 7 of the action taken as a result of the request.
  9. Information processing by Operators (including the Transfer of Personal Information outside the Republic)
    1. Should Felix Risk Training Consultants CC engage the services of an operator in relation to the processing and/or destruction of personal information, the Felix Risk Training Consultants CC must ensure that the operator is contractually obligated to comply with the requirements of POPI Act and process and/or destroy the personal information as stipulated by the Act (this application also extends to the instances of further processing as well).
  10. Information processing by Third Parties (including the Transfer of Personal Information outside the Republic)
    1. Personal information that is not de-identified and anonymised may only be provided, on request, to a third party if provision of such information is permitted in terms of POPI Act or any other legislation; is a reporting requirement; and/or the sharing of the information forms part of the scope of the implicit operations of Felix Risk Training Consultants CC.
    2. Without limiting the generality of the foregoing, personal information may be shared with bodies tasked with, inter alia, the:
      1. funding students;
      2. programme and/or qualification approval;
      3. the regulation of professions for accreditation;
      4. registration of professionals;
      5. verifying qualifications; and
      6. verifying employment status.
    3. The sharing of students’ personal information with third parties who may be canvassing the student body for candidates for specified bursaries and/or employment may only take place with the explicit consent of the relevant students.
    4. Should a third party wish to obtain student information for the purpose of fundraising that may have an effect on the general student population, only de-identified and fully anonymised information is to be provided.
    5. In the above instances the third parties are to be contractually bound to comply with the requirements of POPI Act (this applies in instances of further processing as well).
  11. Security Breaches
    1. The operator and/or third party must be contractually obligated to immediately inform Felix Risk Training Consultants CC of any and/or all threatened and/or actual security breaches which may/will affect any and all personal information that Felix Risk Training Consultants CC processes itself or via contractual agreement with an operator and/or third party.
    2. Such threatened and/or actual security breaches, whether within the Felix Risk Training Consultants CC environment and/or that of the operator and/or third party, must be reported to the Information Officer, acting in the capacity of Deputy Information Officer, so that the measures in terms of the POPI Act may be instituted.
  12. Quality of Information
    1. The Felix Risk Training Consultants CC is at all times to ensure that the personal information obtained and retained from the data subject is complete, accurate, not misleading and up to date.
    2. In ensuring that the above is facilitated effectively:
      1. Communications to all Felix Risk Training Consultants CC stakeholders may take place to ensure that same are aware of their obligation to ensure that the training school has their correct personal information at all times;
      2. Such stakeholders must be able to access their personal information to verify the authenticity of same; and
      3. Should such stakeholders wish to correct their information, Felix Risk Training Consultants CC must provide the platform to enable the correction with the consent of the stakeholder.
      4. All requests for updating personal information must be sent to the Information Officer, Bernadette Felix ([email protected]), to enable an objective assessment of such requests to take place.
      5. Regarding any supporting documentation that may be required for the updating of personal information, the Felix Risk Training Consultants CC will follow any applicable guidelines that may be issued by the Office of the Information Regulator as and when same are published.
    3. Where relevant, requests for access to personal information and the correction thereof, must be facilitated via the PAIA process.
  13. Further Processing
    1. Further processing of personal information may only take place if the reason for the further processing is compatible with the reason for which the personal information was originally processed.
    2. For example, in a case where a student has graduated from Felix Risk Training Consultants CC and returns to pursue another course, the personal information processed in the first instance may be used for the subsequent registration.
  14. Special Personal Information
    1. The processing of special personal information may only take place in the following instances:
      1. Processing is carried out with the data subject’s consent (or the competent person, as the case may be);
      2. Processing takes place under the auspices of relevant South African and/or international public law;
      3. Processing takes place for historical, statistical or research purposes, within the Felix Risk Training Consultants CC context, to the extent that—
        1. the processing is necessary for the relevant purpose; or
        2. it appears to be impossible, or would involve a disproportionate effort, to ask for consent and Felix Risk Training Consultants CC ensures that the processing does not affect the individual privacy of the data subject to a disproportionate extent; or
        3. the personal information has been made public by the data subject.
  15. Direct Marketing
    1. Felix Risk Training Consultants CC may only make contact with data subjects for the purposes of direct marketing:
      1. With the consent of the data subject prior to the commencement of direct marketing initiatives and such consent may only be requested once. The prescribed forms must be used to request consent; or
      2. If Felix Risk Training Consultants CC obtained the contact details of the data subject in the context of the sale of a product or service to the data subject (e.g., in the case where the data subject paid for and attended a course offered by Felix Risk Training Consultants CC, which may be construed as the sale of a product by Felix Risk Training Consultants CC to the data subject);
      3. The purpose of the direct marketing is to offer the data subject similar products that Felix Risk Training Consultants CC has on offer.
    2. The data subject must, at the time that the personal information is collected and on each subsequent occasion when the data subject is contacted for direct marketing purposes, be offered a reasonable opportunity to object, free of charge, in a convenient and easily accessible manner, to the direct marketing (e.g., an opt-out option via e-mail).
    3. Every marketing communication must clearly identify the Felix Risk Training Consultants CC and stipulate the details for opting out.
  16. Contractual Agreements, Other Documents and Processes
      1. All contractual agreements, documents and/or processes to which Felix Risk Training Consultants CC is a party, and/or which it may utilise to conduct its business, must be inspected by its lawyers to ensure that they fully comply with the requirements of the POPI Act.
  17. Requests for Access to, Processing and/or Destruction of Personal Information
    1. All requests to access / process / destroy personal information must be directed to the Information Officer for consideration via the email address: [email protected]
    2. Felix Risk Training Consultants CC must treat all personal information confidentially; such information may only be processed with the consent of the data subject and/or per the direction of the Information Officer.
  18. Amendment of Personal Information Held by Felix Risk Training Consultants CC
    1. All requests for the amendment, correction and/or deletion of personal information must be directed to the Information Officer, for an objective assessment to take place.
    2. However, where the request for amendment, correction and/or deletion is declined a note to such effect will be entered into the relevant Felix Risk Training Consultants CC record.
  19. Non-Compliance
    1. Failure to comply with this policy may result in disciplinary action.
  20. Review
    1. Felix Risk Training Consultants CC may review this policy document every 5 years from the date of approval, in order to align it with any changes to the POPI Act.
  21. Information Officer
    Name: Bernadette Felix
    Email Address: [email protected]
    Position: Director
    1. In terms of PAIA, an information officer of a responsible party is in essence tasked with:
      1. encouraging and ensuring compliance with PAIA;
      2. developing, updating and monitoring a PAIA manual for the body (that is, if the organisation is required to have such a manual and does not fall under the current exemptions);
      3. assessing and providing outcomes, within the applicable time periods, to application requests which are received by the organisation, on the grounds of PAIA, to be given access to information held by the organisation.
    2. On the other hand, in terms of Section 55 of POPI Act, an information officer has the duty and responsibility to:
      1. encourage compliance by the body with the conditions for the lawful processing of personal information in terms of POPI Act;
      2. deal with requests made to the body in terms of POPI Act;
      3. work with the Information Regulator in relation to investigations conducted in relation to the body; and
      4. otherwise ensure compliance by the body with the provisions of POPI Act.