Protection of Personal Information Policy
(POPI Act No 4 of 2013)
Table of Contents
- Introduction
- Definitions
- Scope
- Policy Statement
- Processing of Personal Information
- Eight Processing Conditions
- Operational Considerations
- Operating Controls
- Destruction of Documents
PROTECTION OF PERSONAL INFORMATION POLICY
Fitness Breakthru is committed to compliance with, and adheres to, the South African Protection of Personal Information Act (POPI), and confirms that it complies with this legislation.
This policy and compliance framework establishes measures and standards for the protection and lawful processing of personal information within our organisation and provides principles regarding the right of individuals to privacy and to reasonable safeguarding of their personal information.
The Information Compliance Officer is responsible for:
- Conducting a preliminary assessment;
- The development, implementation and monitoring of this policy and compliance framework;
- Ensuring that this policy is supported by appropriate documentation;
- Ensuring that documentation is relevant and kept up to date;
- Ensuring this policy and subsequent updates are communicated to relevant managers, representatives, staff and associates, where applicable.
All employees, departments and individuals directly associated with Fitness Breakthru are responsible for adhering to this policy and for reporting any security breaches or incidents to the Information Compliance Officer.
Any service provider that provides information technology services, including data storage facilities, to the company must adhere to the requirements of the Protection of Personal Information Act No 4 of 2013 (Government Gazette No 37067) to ensure adequate protection of personal information held by them on our behalf. Written confirmation to this effect must be obtained from the relevant service providers.
2. DEFINITIONS
2.1 Personal Information
Personal Information is any information that can be used to reveal a person’s identity. Personal Information relates to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person (such as a company), and includes, but is not limited to, information concerning:
- Race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical, or mental health, disability, religion, conscience belief, culture, language and birth of a person;
- Information relating to the education or the medical, financial, criminal or employment history of the person;
- Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- The biometric information of the person, which includes facial images.
2.2 Data Subject
This refers to the natural or juristic person to whom personal information relates, such as an employee, client, customer or a company that supplies the organisation with products or other goods.
2.3 Responsible Party
The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. In this case the company is the responsible party.
2.4 Information Compliance Officer
The Information Compliance Officer is responsible for ensuring the company’s compliance with POPIA and must be registered with the South African Information Regulator established under Section 39 of the Act.
3. SCOPE OF POLICY
The Policy applies to all Employees, Directors, Sub-Contractors, Agents and appointees, and applies to both on-site and off-site processing of personal information.
4. POLICY STATEMENT
The Company collects and uses personal information of the individuals and corporate entities with whom it works in order to operate and carry out its business effectively and lawfully in compliance with POPI. The Company will ensure the lawful collection and processing of personal information in order to establish confidence between it and the above individuals and entities and to maintain good business practice.
5. PROCESSING OF PERSONAL INFORMATION
5.1 Purpose of Processing
- Administration of Agreements
- Staff Administration
- Providing goods and Services to Clients
- Detection and Prevention of Fraud
- Marketing and Sales
- Legal Proceedings
- To comply with Legal and Regulatory Requirements
- Keeping of accounts and records
5.2 Types of Data Subjects
- Natural Persons
- Customers – Juristic Persons and Entities
- Contracted Service Providers
- Employees and Directors
5.3 Recipients for processing of Personal Information
- Personal Information may be shared with any party or affiliate who may use this information to render goods and services.
- Capturing and Organising data
- Storing of data
- Sending of emails and other correspondence to customers
- Conducting Due Diligence
- Administration of Medical and pension schemes
5.4 Trans-border Flows of Personal Information
- Personal Information may be shared trans-border with authorised Customers and Suppliers.
- The Company will endeavour to ensure that these customers and suppliers will make all reasonable efforts to protect and secure this information.
5.5 Retention of Personal Information Records
These will be stored and retained in accordance with, and to the extent permitted by, the law.
5.6 Information Security Measures
The Company makes use of the following methods to ensure the confidentiality, security, integrity and availability of the Personal Information in its care:
- Virus Protection Software
- Secure set-up of hardware and software
- Locked cabinets and safes for hard copies.
6. EIGHT PROCESSING CONDITIONS
Principle 1: Accountability
- A Personal Information Compliance Officer and the company must take reasonable steps to ensure that personal information obtained from data subjects is stored safely and securely which includes data backup and saving of personal information.
- This includes CVs, resumes, references, qualifications, integrity checks and any other personal information that may be obtained for the purpose of employment.
- All persons, whether employees, volunteers, or board or committee members who collect, process, or use personal information shall be accountable for such information to the Information Compliance Officer. They must be advised thereof in writing by the Information Compliance Officer together with a copy of this policy.
- Any personal information transferred to a third party for processing is subject to this Policy. The Information Compliance Officer shall use the contractual or other appropriate means to protect personal information at a level comparable to this Policy while a third party is processing this information.
- Any person who believes the company uses personal information collected, retained, or used for purposes other than those that the person explicitly approved may contact the Information Compliance Officer to register a complaint or to manage any related inquiry.
- Upon receiving a complaint from any person regarding the collection, retention, or use of personal information, the Information Compliance Officer shall promptly investigate the complaint and notify the person who complained about his/her findings and the corrective action taken, if any.
- Upon receiving the response from the Information Compliance Officer, the person who filed the complaint may, if he/she is not satisfied, appeal to the company Review Committee to review and determine the disposition of the complaint at issue.
- The determination of the Review Committee shall be final, and the Information Compliance Officer shall abide by and implement any of its recommendations.
- The Information Compliance Officer shall communicate and explain this policy and give training regarding it to all employees and volunteers who might be in a position to collect, retain, or make use of personal information.
- The Information Compliance Officer shall prepare and disseminate information to the public which explains the company’s protection of personal information policies and procedures.
Principle 2: Processing Limitation
2.1 Processing of Personal Information is only lawful if one of the following exists:
- Data subject consents to processing
- Conclusion or performance of a contract with the data subject
- Processing complies with Legal responsibility
- Processing protects a legitimate interest of the Data Subject, the Company or a third party to whom the information is supplied.
All data subjects have the right to refuse or withdraw their consent to the processing of their Personal Information.
Your Personal Information is defined by the Protection of Personal Information Act (the Act) as:
“means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to— (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person”.
Principle 3: Limitation on further processing
3.1 Personal information may not be processed further in a way that is incompatible with the purpose for which the information was collected initially. The Personal Information Compliance Officer will monitor the collection of personal information for employment and it will only be used for that purpose.
Principle 4: Purpose Specific
The Company will only process Personal Information for the specific purposes laid out in section 5.1.
Principle 5: Information quality
5.1 The Personal Information Compliance Officer is responsible for ensuring that Personal information is complete, up to date and accurate before we use it. This means that it may be necessary to request employees, Customers and Suppliers from time to time, to update their information and confirm that it is still relevant. If we are unable to reach a data subject for this purpose their information will be deleted from our records.
Principle 6: Transparency/openness
6.1 Where personal information is collected from a source other than directly from an employee (e.g. social media, portals), we are responsible for ensuring that the employee is aware:
- That their information is being collected;
- Who is collecting their information, by giving them our details;
- Of the specific reason that we are collecting their information.
Principle 7: Security safeguards
7.1 The Personal Information Compliance Officer will ensure that technical and organisational measures are in place to secure the integrity of personal information and to guard against the risk of loss, damage or destruction thereof. Personal information must also be protected against any unauthorised or unlawful access or processing. We are committed to ensuring that information is only used for legitimate purposes with the data subject’s consent and only by authorised employees of Fitness Breakthru.
I.T. / Server requirements
Principle 8: Participation of individuals
8.1 Data Subjects are entitled to know the particulars of their personal information held by us, as well as the identity of any authorised employees of Fitness Breakthru who had access thereto. They are also entitled to correct any information held by us.
7. OPERATIONAL CONSIDERATIONS
Management and the Information Compliance Officer are responsible for administering and overseeing the implementation of this policy and, as applicable, supporting guidelines, standard operating procedures, notices, consents and appropriate related documents and processes. All employees, subsidiaries, departments and individuals directly associated with us are to be trained, according to their functions, in the regulatory requirements, policies and guidelines that govern the protection of personal information. We will conduct periodic reviews and audits, where appropriate, to ensure compliance with this policy and guidelines.
8. OPERATING CONTROLS
We shall establish appropriate standard operating procedures that are consistent with this policy and regulatory requirements. These will include:
- Allocation of information security responsibilities;
- Incident reporting and management;
- User ID addition or removal;
- Information security training and education;
- Data backup.
9. DESTRUCTION OF DOCUMENTS
- Documents may be destroyed after the termination of the retention period specified by law.
- Documents may be destroyed by a previously approved document disposal company.
- Deletion of Electronic records must be done in consultation with the IT department or IT Company to ensure that deleted information cannot be reconstructed or recovered.