Policy on The Protection of Personal Information Act
No. 4 of 2013 - (“POPIA”/“POPI”)
This policy applies to the employer and its employees wherever its operations are conducted.
This policy applies to information relating to identifiable individuals, in terms of the Protection of Personal Information Act, 2013 (POPI Act).
The purpose of this policy is to enable the following:
a) comply with the POPI Act in respect of the specific information that it holds;
b) protect the employer’s staff and other individuals within the workplace;
c) protect the employer from the consequences of a breach of its responsibilities.
The policy states that:
a) The employer and its employees will adhere to legislation as per the POPI Act;
b) The employer and its employees will protect and respect personal information of employees, service providers and clients;
c) The employer will conduct training where applicable in terms of the POPI Act;
d) The employer will secure all information as protected under the POPI Act;
Identification of risks:
a) Breach of confidentiality within the workplace regarding any personal information to a third party;
b) Not consulting with employees, clients or service providers regarding consent to safeguard and/or use personal information;
c) Not ensuring that all safeguards and/or programs in electronic systems are up to date and valid;
d) Not ensuring the safeguarding of physical documents that include personal information;
e) Not appointing an information officer or a deputy information officer (when applicable);
f) Poor access control to areas where personal information is stored;
Appointment of the information officer:
a) An information officer will formally be appointed and will receive a full duty list as part of the appointment;
b) The information officer will only report to senior management, regarding the POPI Act.
c) Only the information officer will handle requests regarding the disclosure of personal information, with the proper consent.
Obtainment of consent where applicable in terms of the POPI Act:
a) The employer will obtain written consent from employees where applicable regarding the handling of personal information in terms of the POPI Act;
b) Written consent will be obtained from clients and/or service providers where applicable or via a recording or other electronic or computerised system;
Processing and/or archiving of all data regarding personal information:
a) All personal information will be handled confidentially when processed;
b) All information will be securely filed in a lockable area;
c) All computerised systems or cell phones that are used in the processing of data will be equipped with a valid antivirus program that will be fully licensed and updated on a daily basis;
d) Documentation that includes personal information will be disposed of, when no longer applicable, in a secure manner to ensure that personal information is not distributed to any third party;
e) Neither the employer nor any employee may disclose any personal information of any employee, client or service provider to any third party without written consent.
Review of processes, procedures, etc.:
a) The employer will regularly review its procedures, systems, etc. to ensure that all records are correct and correctly used;
b) Additional training will be given to all employees when applicable;
c) Electronic programs or systems will be updated to ensure relevancy and that they function correctly.
Security Systems
a) The employer will ensure that access control is implemented to all areas where personal information is stored;
b) The employer will ensure that all electronic systems and/or computers are equipped with valid and updated antivirus programs;
c) The employer will ensure that all official cell phones that are used to process personal information are equipped with a valid and updated antivirus program;
d) Only authorised employees may be involved in the evaluation and implementation of security systems to ensure that all systems are running properly.
The employer has the right to request the following personal information to conduct operations, with the proper consent:
a) Copy of an ID document
b) Home address or proof thereof
c) Contact details
d) Details of relatives
e) Details of spouse, children or other dependants
f) Any other personal information relevant to the workplace
General training to employees regarding the POPI Act
a) The employer will ensure that all employees are trained to understand the reason for the POPI Act;
b) The employer will ensure that all employees fully understand the risks when an employee discloses personal information without the relevant consent;
c) Updated training will be given to employees when relevant.
d) The information officer will take responsibility for more detailed training of employees who have direct access to personal information of employees, clients or service providers, so that they fully understand the parameters of the POPI Act.
Breach in the securing of data
a) The employer will inform all relevant parties if there is a breach in the securing of personal data of any employee;
b) The employer will inform all relevant parties if there is a breach in the securing of personal data of any client or service provider;
c) The employer will inform the Information Regulator, where applicable, if there is a breach in the securing of any personal data.
23 June 2021