1. SCHEDULE
2. POLICY STATEMENT
3. DEFINITIONS OF TERMS USED IN THIS POLICY
4. PURPOSE AND SCOPE OF THE POLICY
5. PRIVACY COMPLIANCE FRAMEWORK
6. INFORMATION GOVERNANCE
7. INFORMATION PROCESSING PRINCIPLES
8. COOKIES POLICY
9. REVIEW OF POLICY
1. SCHEDULE
1.1 The Company: Trafalgar Property Management (Pty) Ltd
1.2 Registration number: 1989/003678/07
1.3 Email address: email@example.com
2. POLICY STATEMENT
2.1. Every person has rights with regard to how their personal information is handled and protected. In order to carry out its business and provide its services, the company set out in item 1 of the Schedule (“Company”) may collect, store and process personal information about:
2.1.4. service providers / suppliers; and
2.1.5. business contacts.
2.2. The Company recognises the need to treat this information in an appropriate and lawful manner. The Company is committed to complying with its obligations in this regard in respect of all personal information it handles, in a manner which maintains the confidence of the Company’s customers, service providers / suppliers, business contacts and employees.
2.3. The Protection of Personal Information Act no. 4 of 2013 (“POPIA”) and regulations (2018) relate to identifiable, living, natural persons and identifiable, existing, juristic persons.
2.4. The types of information that the Company may be required to handle include details of current, past and prospective employees, service providers / suppliers, customers, consumers and other business contacts that the Company communicates with. The information would typically include names, addresses, email addresses, dates of birth, identity / passport numbers, phone numbers, private and confidential information and, potentially, special personal information. In addition, the Company may occasionally be required to collect and use certain additional types of personal information to comply with the requirements of the law.
2.5. The information may be stored on paper, electronically or by other media and is subject to certain legal safeguards specified in POPIA and potentially other applicable acts and regulations. The provisions of POPIA impose restrictions on how the Company may collect and process the personal information in question.
3. DEFINITIONS OF TERMS USED IN THIS POLICY
3.1. POPIA Definitions
3.1.1. “data subject” means all identifiable, living, natural persons and identifiable, existing, juristic persons about whom the Company holds personal information or special personal information;
3.1.2. “operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
3.1.3. “personal information” means information relating to an identifiable, living, natural person or an identifiable, existing, juristic person, including (i) factual information, such as identity and passport numbers, names, addresses, phone numbers, email addresses and the like, or (ii) opinions regarding a data subject, such as a performance appraisal;
3.1.4. “processing” means any operation or activity, whether or not by automatic means, concerning personal information, including the:
3.1.4.1. collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use of personal information;
3.1.4.2. dissemination of such information by means of transmission, distribution or making available in any other form; or
3.1.4.3. merging, linking, as well as restriction, degradation, erasure or destruction of information;
3.1.5. “responsible party” means a public or private body, or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information; and
3.1.6. “special personal information” means more sensitive information about an individual that pertains to racial or ethnic origin, religious or philosophical beliefs, political persuasion, health or sexual life, trade union membership, biometric information or criminal behaviour (to the extent that such criminal behaviour relates to the alleged commission by a data subject of an offence or any proceedings in respect of any offence allegedly committed by a data subject), which can only be processed under strict conditions and will usually require the express written consent of the data subject concerned.
4. PURPOSE AND SCOPE OF THE POLICY
4.1. This Policy sets out the Company’s general rules and the important legal conditions that must be satisfied in relation to the collecting, obtaining, handling, processing, storage, transportation and destruction of identifiable personal and special personal information.
4.2. This Policy also describes the privacy compliance framework and information governance of the Company in detail.
4.3. This Policy is applicable to all (i) employees, (ii) contractors, (iii) visitors, and / or (iv) other persons authorised to access and use the Company’s systems (“Users”).
5. PRIVACY COMPLIANCE FRAMEWORK
5.1.1. To ensure compliance with the requirements of relevant privacy legislation such as POPIA, the focus areas that must be addressed to be compliant are as follows:
5.1.1.1. governance;
5.1.1.2. process;
5.1.1.3. people; and
5.1.1.4. technology.
5.2. PRIVACY COMPLIANCE FRAMEWORK
5.2.1. Focus on governance
5.2.1.1. The Company undertakes to take accountability for its actions by implementing good corporate governance.
5.2.1.2. The focus on governance means that the Company will establish an Information Governance Committee (“IGC”) and other structures to ensure that data protection compliance is an ongoing process and that continued management of information processes takes place.
5.2.2. Focus on process
5.2.2.1. The Company undertakes to implement processes to ensure that personal information is processed in line with relevant legislation.
5.2.2.2. This will include performing a Personal Information Impact Assessment (“PIIA”), as required by regulations promulgated under POPIA, and also developing and implementing the necessary policies and procedures and other control measures to ensure compliance with the relevant privacy legislation.
5.2.3. Focus on people
5.2.3.1. Most information security breaches involve people in one way or another. The Company undertakes to ensure that Users are made aware of their responsibilities in relation to processing personal information.
5.2.3.2. Users must undergo privacy and information security training at least annually and all new employees must be appropriately trained within 3 (Three) months of commencing employment with the Company.
5.2.4. Focus on technology
5.2.4.1. The Company undertakes to implement technology with appropriate security safeguards. The reference to “technology” includes software, hardware and data-specific requirements. Appropriate technological security safeguards must be in place where personal information is processed, stored and destroyed. The Company undertakes to appoint a specialist in information technology (“IT”) to set up and manage the Company’s technology. This will be done either by in-house employees or by outsourcing this IT function to a compliant third party.
5.2.5. Review and audit
5.2.5.1. Review and continuous monitoring: The Company will ensure that the following is reviewed and monitored on an ongoing basis:
5.2.5.1.1. That the Company’s Governance Processes are functioning as intended and that an IGC has been established;
5.2.5.1.2. That the Company’s processes have been reviewed on a regular basis and that all policies and procedures have been reviewed and updated at least annually;
5.2.5.1.3. That the Company’s other control measures that have been implemented are functioning as intended and that they are adequate and effective;
5.2.5.1.4. That the Company’s management and employees have been made aware and kept aware of how to process personal information and that a privacy awareness campaign has been developed and implemented;
5.2.5.1.5. That the Company’s safety and security technology areas have undergone annual vulnerability assessments and, where applicable, that penetration testing has been done. This also includes information security management.
5.2.5.2. Identify the gaps
5.2.5.2.1. On a regular basis, gaps or weaknesses (“Gap/s”) should be identified and actions to mitigate such Gaps should be recorded in a Privacy Implementation Action Plan (“PIAP”).
5.2.5.2.2. The Gaps should be prioritised and an accountable person should be appointed to rectify the Gaps.
5.2.5.2.3. A due date should be set by when the Gaps should be rectified.
5.2.5.3. Action the gaps
5.2.5.3.1. The Gaps should be actioned in accordance with the PIAP.
5.2.5.3.2. A specific responsible person should be identified to co-ordinate or perform an action and a due date to complete the action in question should also be set.
5.2.5.3.3. Where there is a specific due date set, the progress to address the Gaps should be reported to the IGC.
5.2.5.4. Audit the implementation
5.2.5.4.1. The Company undertakes to review the efficacy of the controls implemented to address and rectify the Gaps that have been identified.
5.2.5.4.2. The Company undertakes to ensure that the abovementioned review is conducted by an independent party not involved in the initial implementation. Where it is not possible to appoint an independent party within the Company then the review may be outsourced to independent third-party auditors.
5.2.5.5. Assess the outcome
5.2.5.5.1. The Company undertakes to assess the outcome of the audit and determine what action must be taken, if any, to address the Gaps. Where the Gap has been addressed and rectified, it must be noted. Where there is additional work required to be done, it must be added to the PIAP.
5.2.5.6. Continuous reporting
5.2.5.6.1. The Company undertakes to continuously report the status of the management of personal information to the IGC and, at least on a quarterly basis, to the board of directors of the Company.
6. INFORMATION GOVERNANCE
6.1. INFORMATION OFFICER
6.1.1. The responsibilities of the Information Officer designated in terms of the POPIA include:
6.1.1.1. the encouragement of compliance, such as awareness and training, by the Company, taking into consideration all of the conditions for the lawful processing of personal information;
6.1.1.2. ensuring compliance by the Company with the provisions of POPIA;
6.1.1.3. dealing with requests made to the Company in terms of POPIA, such as requests made by data subjects to update or view their personal information;
6.1.1.4. working with the information regulator (“Regulator”) in relation to investigations; and
6.1.1.5. the designation and delegation of relevant duties to deputy Information Officers appointed by the Company.
6.1.2. The responsibilities of the Information Officer have been expanded upon in the regulations promulgated under POPIA on 14 December 2018. In this regard, the Information Officer must ensure that:
6.1.2.1. a compliance framework is developed, implemented, monitored and maintained;
6.1.2.2. a PIIA is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
6.1.2.3. a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act 2 of 2000;
6.1.2.4. internal measures are developed, together with adequate systems, to process requests for information or access thereto; and
6.1.2.5. internal awareness sessions are conducted regarding (i) the provisions of POPIA, (ii) regulations promulgated in terms of POPIA, (iii) relevant industry codes of conduct, or (iv) information obtained from the Regulator.
6.2. INFORMATION GOVERNANCE COMMITTEE RESPONSIBILITIES
6.2.1. Strategic: The oversight of the full information lifecycle for both structured and unstructured information, including:
6.2.1.1. endorsement of information policies, principles and procedures in relation to information management;
6.2.1.2. assisting with ensuring compliance with the provisions of POPIA, where applicable, which include the following:
6.2.1.2.1. The security and integrity of data/information held by, or on behalf of, the Company;
6.2.1.2.2. The dissemination of the Company’s data/information to third parties;
6.2.1.2.3. Information and data confidentiality and availability;
6.2.1.2.4. Information and data quality, including completeness, accuracy and ensuring that information is up to date;
6.2.1.2.5. Information sharing arrangements with other parties;
6.2.1.2.6. Retention and destruction of information practices;
6.2.1.2.7. Document management, including the digitisation of documents; and
6.2.1.2.8. Discussing and identifying the areas where consent will be needed for the processing of personal information.
6.2.1.3. assisting with the integration of people, technologies, information and processes across the Company;
6.2.1.4. identifying and assessing the information risks and providing input to the Company’s enterprise-wide risk management process;
6.2.1.5. ensuring that there is proactive monitoring of data/information breach incidents and reviewing the response to these incidents;
6.2.1.6. reviewing and providing oversight to ensure that the information architecture supports confidentiality, integrity and availability of information;
6.2.1.7. endorsing information-related strategies and roadmaps;
6.2.1.8. prioritising information-related initiatives;
6.2.1.9. establishing information-related metrics and oversight of results;
6.2.1.10. directing efforts to resolve issues in relation to information management;
6.2.1.11. assisting with advice on leveraging information to sustain and enhance the Company’s intellectual capital; and
6.2.1.12. reviewing and assessing the actions taken to monitor the effectiveness of information management and how the outcomes were addressed.
6.2.2. Operational: The IGC will:
6.2.2.1. establish structures needed to support information governance in the Company;
6.2.2.2. delegate authorities for the implementation of decisions;
6.2.2.3. co-ordinate information management responsibilities across the Company to ensure complete coverage of the information lifecycle;
6.2.2.4. make the Users aware of the IGC and its roles and responsibilities;
6.2.2.5. promote good information management practices and publish the names of the Information Asset Owners (“IAOs”) for easy reference so they can be notified of particular issues relating to their domain; and
6.2.2.6. train and mentor IAOs to enable them to fulfil their roles.
7. INFORMATION PROCESSING PRINCIPLES
7.1. POPIA: The Company fully supports and complies with the 8 (Eight) protection principles of POPIA which are summarised below:
7.1.1. Accountability: a responsible party must ensure that the information processing principles are complied with;
7.1.2. Processing limitation: personal information must be processed lawfully and in a reasonable manner;
7.1.3. Purpose specification: personal information must be obtained/processed for specific lawful purposes;
7.1.4. Further processing limitation: further processing of personal information must be in accordance or compatible with the purpose/s for which it was originally collected;
7.1.5. Information quality: personal information must be complete, accurate, not misleading and kept up to date;
7.1.6. Openness: personal information may only be processed by a responsible party who has taken reasonable steps to notify the data subject;
7.1.7. Security safeguards: personal information must be kept secure, and its confidentiality and integrity must be maintained; and
7.1.8. Data subject participation: a data subject has the right to request the responsible party to confirm, free of charge, whether or not the responsible party holds personal information, together with a description of the personal information held by such responsible party.
7.2. ACCOUNTABILITY
7.2.1. The provisions of POPIA are intended not to prevent the processing of personal information, but to make sure that a responsible party ensures that the information processing principles as set out in POPIA, and all the measures that give effect to the principles, are complied with.
7.2.2. The data subject must be told the identity of the responsible party (in this case, the Company) and the purpose for which personal information is to be processed by the Company.
7.2.3. This Policy, developed by the Company to protect privacy, is available at the Company premises and is also accessible online at the Company’s website. This Policy outlines the Company’s commitment to privacy.
7.3. PROCESSING LIMITATION
7.3.1. For personal information to be processed lawfully, certain conditions have to be met. These may include, amongst other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the responsible party or the party to whom the personal information is disclosed. When special personal information is being processed, in most cases the data subject’s explicit consent to the processing of such special personal information will be required.
7.3.2. A responsible party must collect personal information directly from the data subject unless (i) the information is contained in a public record, (ii) the data subject has consented to collection from another source, (iii) collection from another source would not prejudice a legitimate interest of the data subject, or (iv) collection from another source is necessary to comply with an obligation imposed by law or to avoid prejudice to the maintenance of the law; to enforce legislation concerning the collection of revenue; for the conduct of proceedings in a court; or in the interests of national security.
7.4. PURPOSE SPECIFICATION
7.4.1. Personal information may only be processed for a specific and lawful purpose, or for any other purpose specifically permitted by POPIA, and steps must be taken to ensure that the data subject is aware of the purpose of the collection of the personal information. The Company undertakes not to (i) collect personal information for one purpose and then use the personal information for another purpose, or (ii) retain personal information for any longer than is necessary for achieving the purpose for which the information was collected.
7.4.2. Personal information should only be collected to the extent that it is required for the specific purpose communicated to the data subject. Any personal information which is not necessary for that purpose should and will not be collected by the Company.
7.4.3. If it becomes necessary to change the purpose for which the personal information is processed, the data subject will be informed of the new purpose before any processing occurs. Any employee personal information collected by the Company will be used for ordinary human resources purposes. Where there is a need to collect employee personal information for any other purpose, the Company will notify the employee in question of this and, where it is appropriate and practicable, the Company will get the employee’s consent prior to such processing.
7.4.4. Where the Company collects personal information directly from a data subject, the personal information collected and processed by the Company, such as identity number, proof of address and the like, will only be used for the required purpose.
7.5. FURTHER PROCESSING LIMITATION
7.5.1. Personal information should not be kept longer than is necessary for the purpose for which it was collected. For guidance in relation to a particular personal information retention period, a User should contact the Company. The Company has various legal obligations to keep certain personal information of Users for a specified period of time. In addition, the Company may need to retain personal information for a period of time to protect its legitimate commercial and other interests.
7.5.2. The Company will not use any personal information for any purpose other than that for which it received the information in the first place, unless any further processing of such information is compatible with the original purposes for which the information was collected.
7.6. INFORMATION QUALITY
7.6.1. Personal information must be complete, accurate, and kept up to date. Personal information which is incorrect or misleading is not accurate and steps will be taken to check the accuracy of any personal information at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date personal information will be destroyed. Employees should ensure that they notify their manager / human resources of any relevant changes to their personal information so that it can be updated and maintained accurately.
7.6.2. All personal information which is in paper form should be destroyed only by shredding. If the personal information is held electronically, the Company must ensure that a reputable service provider destroys the personal information so that there is no future record of the information and the Company must obtain an undertaking from the applicable service provider in this regard.
7.7. OPENNESS
7.7.1. Personal information may only be processed by the Company if the Company has notified the data subject that the Company has obtained the information from legitimate sources.
7.7.2. In cases where the Company works directly with a data subject, the Company will take reasonable, practicable steps to ensure that the data subject is aware of the following:
7.7.2.1. What information is being collected and, where it is not collected from the data subject, the source of the information;
7.7.2.2. The full name and address of the Company;
7.7.2.3. The purpose for which the information is being collected;
7.7.2.4. Whether supplying the personal information to the Company is voluntary or mandatory;
7.7.2.5. The consequences of failure to provide the information;
7.7.2.6. The applicable law authorising or requiring the collection of the information;
7.7.2.7. The right to lodge a complaint against the Company with the Regulator; and
7.7.2.8. Any further relevant information, such as the recipient or category of recipients of the information, the nature of the information, and the existence of the right of access to, and the right to rectify, the information collected.
7.8. SECURITY SAFEGUARDS
7.8.1. The Company and its employees must ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal information, and against the accidental loss of, or damage to, personal information.
7.8.2. The Company will put in place procedures and technologies to maintain the security of all personal information. Personal Information may only be transferred to an operator if the operator has agreed to comply with those procedures and policies or has adequate security measures in place.
7.8.3. Users may refer to the Company’s information security and related policies for further information concerning the Company’s security safeguards.
7.8.4. The following principles must be maintained by the Company:
7.8.4.1. Confidentiality: that only people who are authorised to use the personal information in question can access it. The Company will ensure that only authorised persons have access to an employee’s personnel file and any other personal or special personal information held by the Company. Employees are required to maintain the confidentiality of any personal information and / or special personal information that they have access to.
7.8.4.2. Integrity: that proper security safeguards are in place to ensure the maintenance and assurance of the accuracy and consistency of information / data over its entire life cycle.
7.8.4.3. Availability: that authorised users should be able to access the personal information if they need it for an authorised purpose.
7.8.5. Examples of security procedures at the Company include:
7.8.5.1. Secure lockable desks and cupboards – desks and cupboards must be kept locked if they hold confidential personally identifiable information of any kind;
7.8.5.2. Methods of disposal – paper documents must be shredded. CD-ROMs and USB keys must be physically destroyed when they are no longer required;
7.8.5.3. Equipment – data users must ensure that individual computer monitors do not show confidential information to passers-by and that they log off from their computer when it is left unattended; and
7.8.5.4. User management – any access to the Company database is logged by the Company through a username and password system. Any changes / updates / uploads to the system are constantly tracked.
7.8.6. Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the Company or any third-party processing personal information under the authority of the Company, must notify the Regulator and the data subject as soon as is reasonably possible, taking into consideration the time that is taken by the Company to determine the scope of the breach and to restore the integrity of its information systems.
7.8.7. Any notification to a data subject must be in writing and communicated to the data subject in at least one of the following ways:
7.8.7.1. Mailed to the data subject’s last known physical or postal address;
7.8.7.2. Sent by email to the data subject’s last known email address;
7.8.7.3. Placed in a prominent position on the website of the Company;
7.8.7.4. Published in the news media; or
7.8.7.5. As directed by the Regulator.
7.8.8. The notification referred to above must provide sufficient information to all the affected data subjects to take protective measures against the potential consequences of the security compromise including:
7.8.8.1. a description of the possible consequences of the security compromise;
7.8.8.2. a description of the measures that the Company intends to take or has taken to address the security compromise;
7.8.8.3. a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
7.8.8.4. if known to the Company, the identity of the unauthorised person who may have accessed or acquired the personal information in question.
7.9. DATA SUBJECT PARTICIPATION
7.9.1. A formal request from a data subject for information that the Company holds about them must be made in writing, accompanied with adequate proof of identification (in most instances, a certified copy of the individual’s identity document or passport and proof of residence will be sufficient).
7.9.2. Any employees who receive a written request in respect of data held by the Company must forward it to the Information Officer immediately. This should be emailed to firstname.lastname@example.org.
7.9.3. Any individual requesting personal information that may be held by the Company will be referred by the relevant employee to whom the request was made to the Information Officer, who will process the request. The Information Officer will either process the request directly, or will direct such employee to request a certified copy of the individual’s identity document or passport as well as proof of address. Once this is received, the employee will then be authorised to release the personal information to the individual. The employee must:
7.9.3.1. record the request in the request register / system; and
7.9.3.2. safely store the certified copy of the identity document or passport either in a file in a locked cupboard (if in paper format) or online in an encrypted folder which cannot be accessed by unauthorised personnel. These documents must be kept for 1 (one) year, after which they must be properly destroyed.
7.9.4. Any employee dealing with telephonic enquiries from data subjects should guard against disclosing any personal information held by the Company over the phone. In particular, the employee must:
7.9.4.1. check the identity of the caller to ensure that information will only be given to a person who is entitled to that information – this can be accomplished by confirming identity number, date of birth, address, cell phone number and the like;
7.9.4.2. request that the caller put their request in writing if the employee is not completely sure about the identity of the caller and in circumstances where the identity of the caller cannot be verified. In these circumstances, the employee should also request that a certified copy of the identity document / passport of the individual is provided before information is released;
7.9.4.3. refer the request to their manager for assistance in difficult situations. No employee should feel forced to disclose personal information; and
7.9.4.4. where a request has been made in terms of this section, and personal information is communicated to the data subject, the data subject must be advised of their right to request the correction of the information.
7.9.5. The data subject may request that the Company correct or delete personal information which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or to destroy such record of personal information. If such a request is made, the Company must send this request to the appropriate party within the Company who should then correct the information, destroy or delete it, and provide the data subject with credible evidence that this has been done.
8. COOKIES POLICY
9. REVIEW OF POLICY
The Company will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives on at least an annual basis and more frequently if required, taking into account changes in the law and organisational or security changes.