POPI POLICY

Jul 8, 2021

Policy Statement

To ensure the protection of the personal information of employees and clients according to the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) (“POPIA”), as adopted by the Republic of South Africa on 26 November 2013.

Purpose

The purpose of this policy is to enable Automotive Training Academy to:

  • Comply with the law regarding the personal data that it holds about individuals.
  • Follow good practice regarding the use and collection of personal data.
  • Protect its employees, staff, and other individuals such as visitors.
  • Protect the organisation from the consequences if a data breach does take place.

Scope

The Policy applies to all employees, learners, managers, and visitors of and to the organisation. The Protection of Personal Information (POPI) Act is enforced to protect people from harm by protecting their personal information: to stop their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right. The categories of personal information are:

  1. Names
  2. Identifying numbers/symbols
  3. Online identifiers
  4. Contact details
  5. Demographics
  6. Gender and sexuality
  7. Health
  8. Biometrics
  9. History
  10. Beliefs and opinion
  11. Correspondence

Furthermore, we also have to consider “special personal information”, which comprises:

  1. Information regarding the alleged commission of any criminal offence
  2. Race/ethnic origin
  3. Trade union
  4. Religion
  5. Political persuasion
  6. Health/sex life
  7. Biometrics

Responsibilities

The responsible party is the entity that needs the personal information for a specific reason and that determines the purpose of and means for processing it. In this case, the organisation and its employees are the responsible parties, with final responsibility lying with the information officer.

Scope and Definitions Pertaining to This Policy

1. Confidential Information

Means all material, non-public, business-related information, written or oral, that is disclosed or made available to the receiving party, directly or indirectly, through any means of communication or observation. This includes:

  • Sensitive information regarding clients.
  • The financial structure and any other financial operations of the client or the organisation.
  • Any arrangements between the client and the company and others with whom they have business arrangements of whatsoever nature, all of which the client and the company regard as secret and confidential.

2. Personal Information

Means personal information as defined in the Protection of Personal Information Act adopted by the Republic of South Africa on 26 November 2013 and includes but is not limited to:

  1. Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
  2. Information relating to the education or the medical, financial, criminal or employment history of the person.
  3. Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person.
  4. The biometric information of the person.
  5. The personal opinions, views, or preferences of the person.
  6. Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence.
  7. The views or opinions of another individual about the person; and
  8. The name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.

3. Processing

Means any operation or activity, or any set of operations, whether or not by automatic means, concerning personal information, including but not limited to:

  1. The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use.
  2. Dissemination by means of transmission, distribution or making available in any other form; or
  3. Merging, linking, as well as restriction, degradation, erasure, or destruction of information.

4. Record

Means any recorded information:

  • Regardless of form or medium.
  • A label describing something.
  • A book, map, plan, graph or drawing.
  • A photograph, film, negative, tape or other device containing visual images.
  • In the possession of or under the control of a Responsible Party.
  • Whether or not created by a Responsible Party; and
  • Regardless of when it came into existence.

5. Data Subject (consumer)

Means the person to whom Personal Information relates.

6. Consent

Means any voluntary, specific, and informed expression of will in terms of which a Data Subject agrees to the processing of Personal Information relating to him or her.

Exclusions from the POPI Act

  1. When the purpose of the information is purely for personal or household use.
  2. When processing de-identified personal information.
  3. Processing by public bodies involved in national security.
  4. Processing by public bodies involved in law enforcement.
  5. Processing by cabinet or its committees.
  6. Processing relating to the judicial functions of a court.
  7. Processing solely for the purpose of journalistic, library or artistic expression.

Policy Application

  1. This policy and its guiding principles apply to:
    1. The company’s governing body.
    2. All branches, business units and divisions of the company.
    3. All employees and volunteers; and
    4. All contractors, suppliers and other persons acting on behalf of the company.
  2. The policy process takes place in the following manner:
    1. Collection
    2. Organisation
    3. Use
    4. Dissemination (information transported)
    5. Storage (back-up on server / files on PC)
    6. Retrieval
    7. Modification (when additional information is discovered)
    8. Degradation (degradation in data quality over time)
    9. Restriction (withholding from circulation)
    10. Destruction (physically and electronically)
  3. Processing must take place according to these conditions:
    1. Accountability (for the responsible party – ATA)
    2. Processing limitation
      • Lawfulness (lawful processing)
      • Minimality (must be relevant and not excessive)
      • Consent, justification, and objection (specific consent requirements)
      • Collection directly from the data subject (no secondary data)
    3. Purpose specification
      • Collection for a specific purpose (inform the data subject of the purpose of collection)
      • Restriction (withhold from circulation, but do NOT destroy)
      • Storage limitation (retention time limits tied to the purpose)
      • Destruction (destroy, delete, or de-identify information)
    4. Further processing limitations
    5. Information quality – information needs to be:
      • Complete
      • Accurate
      • Not misleading
      • Updated where necessary
    6. Openness
      • Documentation
      • Notification (notify the data subject when collecting personal information)
    7. Security safeguards
      • Secure personal information by doing the following:
        • Identify all reasonable and foreseeable risks.
        • Establish and maintain appropriate safeguards.
        • Regularly verify effective implementation of safeguards.
        • Continually update the safeguards in response to new risks and deficiencies in previous safeguards.
      • Notification of security breaches – content of the notification:
        • Sufficient information
        • Description of possible consequences
        • Description of measures taken
        • Recommendation regarding measures to be taken by the data subject
        • The identity of the unauthorised person (if known)
    8. Data subject participation
      • The right of access – the data subject may request:
        • Confirmation
          • What information we hold
          • Free of charge
        • Copies or a description
          • Of the information we hold
          • Can charge a fee by means of a quotation
        • Third-party confirmation
          • Identify any third party with access to the personal information
          • Can charge a fee by means of a quotation
        • Conditions:
          • Must provide adequate proof of identity
          • Must pay any prescribed fee
      • The right to rectification
        • The data subject can challenge the accuracy and completeness of personal information.
        • The data subject can request the correction or deletion of personal information which is:
          • Inaccurate
          • Irrelevant
          • Excessive
          • Out of date
          • Incomplete
          • Misleading
          • Obtained unlawfully
        • A request for rectification should:
          • Be in writing
          • Provide reasons for the correction
          • Be in accordance with the required form
      • The right to deletion
        • The data subject may request destruction of personal information.

Key Management Areas to Ensure POPI Compliance

  1. Get consent and ensure that consent is recorded.
  2. Data subject access management
  3. Retention management
  4. Security management
  5. Security breach management – the following steps should be taken:
    • Containment
      • Prevent additional breaches and inform data subjects.
    • Assessment
      • Assess the breach.
    • Notification
      • Notify data subjects, the public, and the Information Regulator.
    • Review
      • Investigate the breach point and strengthen security.

Tools

  1. Protection of personal information agreement and consent declaration
  2. The flow chart of POPI application