POPI COMPLIANCE DOCUMENT
i) This document describes processes, procedures and guidelines applied by the Company during the collection, retention, use, disclosure and other processing of personal information, including special personal information, in terms of the Protection of Personal Information Act 4 of 2013 (POPI).
i) Section 14 of the Constitution of the Republic of South Africa provides that everyone has the right to privacy, and this right includes a right to protection against the unlawful collection, retention, dissemination and use of personal information. POPI seeks to give effect to this right.
ii) The objective of this document is to govern the procedures relating to the collection, retention, use, disclosure and processing of personal information within the Company.
iii) This document seeks to follow the principles and guidelines set out in POPI. It is not, however, a comprehensive statement of all the provisions of POPI and should not be taken as such. All provisions of POPI must be complied with by the Company regardless of whether or not they are addressed in this document. In this regard, all Data Handlers are to familiarise themselves with the provisions of POPI.
iv) In terms of POPI, all personal information held by the Company must be collected, retained, used, disclosed and otherwise processed properly, lawfully and transparently. The Company is responsible for protecting any personal information it holds.
v) This document applies to:
a) All employees of the Company;
b) The Company’s service providers; and
vi) This document is a high-level statement of intent. The Information Officer referred to in clause 9 (v), acting jointly with the Board of Directors, may from time to time produce more detailed procedures or documents as required to facilitate the implementation of POPI and this document. All Data Handlers are to familiarise themselves with any documents so produced.
vii) This document may be changed, amended or withdrawn from time to time at the sole discretion of the Company.
i) POPI was passed by Parliament in November 2013 and certain sections of POPI were brought into effect by way of a notice dated 11 April 2014.
ii) In December 2018, the Information Regulator published regulations under POPI; however, the commencement date of those Regulations has not yet been announced, and once announced they may require further revision, change or amendment to this document.
iii) As of 1 July 2020, the remaining sections of POPI came into effect. From this date, South African businesses have 12 months to comply with POPI.
| Category | Reference |
|---|---|
| Legislation | Protection of Personal Information Act 4 of 2013 (POPI); Constitution of the Republic of South Africa; Labour Relations Act 66 of 1995 (LRA) |
| Forms | ITD-FO-XXX Consent to Collection and Processing of Personal Information |
| Term | Definition |
|---|---|
| Company | Bophelong Construction (Pty) Ltd T/A BopCons |
| Data Handlers | Any person handling personal information which is either managed by the Company or by a third party on behalf of the Company pursuant to a written agreement |
| Data Subject | A person, natural or juristic, to whom personal information relates; in relation to the Company this refers predominantly to employees, management, suppliers and clients, but may also refer to Data Handlers or other persons |
| Information Officer | The Information Steering Committee, currently comprising the Chief Financial Officer (CFO), Commercial Director, Safety, Health and Environment (SHE) Director, Human Resources (HR) Executive, and Legal and Compliance Officer |
| Personal Information | Any information capable of identifying a Data Subject, including but not limited to: name and surname; identity number; marital status, race, gender and age; address, contact details and bank details; medical records; financial records; copies of any private or confidential correspondence between the Data Subject and the Company, its administrators or any service provider. Includes personal information and special personal information as those terms are defined in section 1 of POPI |
| POPI | Protection of Personal Information Act 4 of 2013 |
| Processing | Any operation concerning personal information including, but not limited to, the collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, degradation, erasure or destruction of information |
| Regulator | The regulator established in terms of Part A of Chapter 5 of POPI |
| Special Personal Information | Personal information as defined in section 1 read with section 26 of POPI |
| Role | Responsibilities |
|---|---|
| Data Handlers | Ensure that all personal and special personal information of Data Subjects is processed lawfully and in accordance with this document. Report any breaches in data security and ensure that any risks of breaches are identified and reported. |
| Data Subject | Comply with the provisions of this Code of Conduct. |
| Information Officer | Ensure the implementation of this document and any procedures produced under this document. Ensure compliance by the Company and Data Handlers with the provisions of POPI. |
| Information Steering Committee | Refer to the responsibilities of the Information Officer. |
i) The rights of Data Subjects are contained in Annexure A. The Company must respect and facilitate the exercise of these rights in all interactions with Data Subjects.
7 Lawful Processing of Information
i) POPI sets out 8 Conditions for the lawful processing of Personal and Special Personal information, namely:
a) accountability, addressed at clause 8;
b) processing limitation, addressed at clause 9;
c) purpose specification, addressed at clause 10;
d) further processing limitation, addressed at clause 11;
e) information quality, addressed at clause 12;
f) openness, addressed at clause 13;
g) security safeguards, addressed at clause 14; and
h) Data Subject participation, addressed at clause 15.
ii) The Company and all Data Handlers must ensure that all personal and special personal information of Data Subjects is processed in accordance with the Conditions.
iii) Failure by a Data Handler to adhere to the provisions of this document may result in disciplinary or other action being taken.
8 Accountability
i) The Company holds ultimate responsibility to ensure that the provisions of POPI are complied with for the processing of personal and special personal information.
ii) In particular, the Company is responsible for ensuring that the Conditions and all measures that give effect to the Conditions are complied with.
iii) This places substantial and ultimate accountability on the Company and its Data Handlers to ensure that personal and special personal information is processed in a lawful manner.
iv) The Company remains responsible for the processing of information regardless of whether or not the information is passed on to a third party.
v) In order to ensure that the provisions of POPI are adhered to by Data Handlers and that there is compliance with POPI, the Company must appoint an Information Officer/s.
vi) The Information Officer/s must conduct a personal information impact assessment to ensure that the Company has adequate measures and protocols in place to comply with the conditions of lawful processing of personal information.
vii) The Information Officer/s is/are responsible for ensuring the implementation of this document and any procedures produced under this document, as well as for ensuring compliance by the Company and Data Handlers with the provisions of POPI.
viii) A substantial amount of personal information is stored in electronic form. The Company is responsible for providing the tools to manage and safeguard information stored in electronic form.
ix) Data Handlers are accountable to the Company to report any breaches in data security and to ensure that any risks of breaches are identified and reported.
9 Processing Limitation
i) Personal information must be processed lawfully and in a manner which is reasonable and does not infringe the privacy of the Data Subject.
ii) The notion of reasonableness incorporates the requirements of balance and proportionality. Data Handlers must take into account the interests and reasonable expectations of Data Subjects as well as all of the provisions of this document when assessing the reasonableness of the processing of personal information.
iii) The processing of personal information must be adequate, relevant and not excessive, having regard to the purpose for which it is processed and the consent given by the Data Subject.
iv) Personal information may only be processed if:
a) the Data Subject consents to the processing of personal information. The consent must be voluntary and clear and should be in writing. Data Handlers must ensure that the Data Subject has provided his, her or its consent when they request personal information. The Data Subject may at any time withdraw consent, on reasonable grounds, to the processing of its personal information. If a Data Subject withdraws consent, the personal information must be deleted or de-identified so that it will no longer be associated with that Data Subject;
b) the processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party;
c) the processing complies with an obligation imposed by law on the Company;
d) the processing protects a legitimate interest of the Data Subject;
e) the processing is necessary for pursuing the legitimate interest of the Company or of a third party to whom the information is supplied.
v) Data Handlers must, where possible, ensure that the Data Subject signs a consent form (COR-FO-003 Consent to Collection and Processing of Personal Information) prior to the processing of any personal information of the Data Subject.
vi) Where it is not possible to have the Data Subject sign the consent document prior to the processing of personal information, the Data Subject’s email consent to the processing must be obtained prior to the processing and email receipt confirmed by the Data Handler. The consent document must be signed at the earliest possible opportunity thereafter.
vii) The Information Officer must ensure that a Register is maintained by the Company listing all signed consent documents (COR-FO-004 Data Collection and Processing Consent Register).
viii) The processing of personal information in terms of clause 10 (iv) (c) or 10 (iv) (d) must be specially authorised by the Information Steering Committee or generally authorised in terms of clause 2 (vi).
ix) Personal information must be collected directly from the Data Subject, except if:
a) the information is a matter of public record;
b) the Data Subject has consented to the collection of the information from another source;
c) the collection of the information from another source would not prejudice a legitimate interest of the Data Subject;
d) the collection of the information from another source is necessary to comply with an obligation imposed by law or for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
e) the collection of the information from another source is necessary to maintain the legitimate interests of the responsible party or a third party to whom the information is supplied;
f) compliance would prejudice a lawful purpose of the collection; or
g) compliance is not reasonably practicable in the circumstances.
x) The collection of personal information in terms of clauses 8 (ix) (c), 8 (ix) (d), 8 (ix) (e), 8 (ix) (f) or 8 (ix) (g) must be specially authorised by the Information Steering Committee or generally authorised in terms of a document published under clause 2 (vi).
10 Purpose Specification
i) The collection of the personal information must be for a specific, explicitly defined and lawful purpose related to a function or activity of the Company.
ii) The purpose of the collection and processing of personal information influences every aspect of the processing of the information, including the manner of its collection, periods of retention, further processing and disclosure to third parties.
iii) The Data Subject must be made aware of and have explained to him, her or it the purpose of the collection of the personal information. This enables the Data Subject to make an informed decision as to whether the personal information should be made available to the Company.
iv) Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or processed. The Company will determine, with regard to the circumstances surrounding the collection of the personal information, the length of time personal records are to be kept for and implement procedures in order to ensure that records are destroyed or de-identified as soon as reasonably practicable when no longer required.
v) The Information Officer shall, within a reasonable period of the adoption of this document, produce a document governing the retention and de-identification of personal information.
vi) In the event that the personal information is retained for a period which is longer than necessary for achieving the purpose for which the information was collected, the Data Subject must consent to the retention.
vii) Where the Company has used a record of personal information to make a decision about a Data Subject, the record must be retained for any periods prescribed by law or a code of conduct or, if there is no such prescription, for a period which will afford the Data Subject a reasonable opportunity to request access to the record.
viii) Where the Company collects information relating to a Data Subject’s health as part of any incapacity enquiry as set out in any incapacity policy or as envisaged in Schedule 8 of the Labour Relations Act 66 of 1995 (LRA), the Company may not use this information for any purpose other than the purpose for which it was collected.
11 Further Processing Limitation
i) Any further processing of the personal information must be compatible with the purpose for which the personal information was initially collected.
ii) If the Company wishes to process personal information for a purpose not compatible with the purpose for which it was initially collected, the consent of the Data Subject must be obtained.
iii) To assist in determining whether further processing is compatible with the initial purpose of collection, the Data Handler must take account of:
a) the relationship between the purpose for which the information was originally collected and the intended purpose of any further processing;
b) the nature of the information concerned;
c) the consequences of further processing;
d) the manner in which the information was collected; and
e) contractual rights and obligations between the parties.
12 Information Quality
i) The Data Handler responsible for the processing of personal information must take reasonably practicable steps to ensure that the information is complete, accurate, not misleading and updated where necessary.
ii) Appropriate information security measures safeguarding the integrity of the personal information are to be used.
13 Openness
i) Personal information must be processed in a transparent and fair manner.
ii) A list of the information set out in section 18(1) of POPI, of which a Data Subject must be made aware when personal information is collected, is contained in Annexure B. Data Handlers must ensure that Data Subjects are made aware of this information before their personal information is collected, unless the Data Subject has consented to not receiving the information or one of the other conditions set out in section 18(4) of POPI is met.
iii) The Data Handler responsible for the processing of personal information must maintain all documentation regarding the processing operations.
14 Security Safeguards
i) The Company must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent its loss, damage, unauthorised destruction or unlawful access or processing.
ii) Reasonable measures to protect personal information include identifying possible security risks, establishing and maintaining safeguards against those risks, verifying the safeguards from time to time and updating those measures. These may include, but are not limited to, anti-virus software, computer backups and off-site storage.
iii) Anyone processing personal information on behalf of the Company must do so only with the knowledge and express authorisation of the Company and must treat the personal information as confidential.
iv) Where a third party processes information for the Company, a written contract must be concluded between the Company and the third party which ensures that the third party establishes and maintains the security measures required by section 19 of POPI.
v) Data Handlers have a duty to ensure that personal information is not mislaid or inadvertently disclosed by, for example, leaving it displayed on a computer screen or leaving printouts at the printer.
vi) Any personal information which is processed or accessed outside the office premises of the Company must be encrypted to protect against theft.
vii) All hard copies of documents must be shredded once the documents are no longer required.
viii) Once personal information is no longer required or processing of personal information is no longer authorized, the records related to that personal information must be destroyed, deleted or de-identified.
ix) Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the Company must, as soon as reasonably possible, notify the Regulator and the Data Subject.
15 Data Subject Participation
i) A Data Subject has the right to request the Company to confirm, free of charge, whether the Company holds personal information about the Data Subject.
ii) The Data Subject may request the Company to provide it with a description of the personal information held by it or by a third party within a reasonable time. Any fees charged for providing the Data Subject with the information required shall not be excessive and shall be disclosed in a written estimate prior to the provision of the information.
iii) If the Company provides information pursuant to a request, it must advise the Data Subject that the personal information may be corrected upon request.
iv) A Data Subject has the right to request a correction or deletion of personal information. The Company and its Data Handlers each have a duty to investigate the request and to respond thereto.
v) Where the Company believes that the information is accurate and no agreement can be reached with the Data Subject to amend it, the Company is obliged to attach to the personal information in dispute, in such a manner that it will always be read with the information, an indication that the Data Subject has requested a correction of the personal information which has not been made.
vi) In instances where changes have been made which may impact on decisions taken using personal information, POPI imposes a duty on the Company to advise, if reasonably practical, any third parties to whom the information may have been disclosed.
i) The following is a non-exhaustive list of personal information which the Company as an employer is likely to process:
a) Personal information of potential job applicants/candidates including but not limited to Curriculum Vitae, identity documents, educational qualifications and academic transcripts, interview forms, psychometric test results, contact information, criminal or background checks.
b) Employment contracts / letters of appointment, residential address, next of kin contact details, medical aid details, biometrics, banking account details, pay slips and tax records.
c) COVID-19 screening records, employee personnel file, disciplinary records, leave forms, medical certificates/medical notes, drug and alcohol test results, performance reviews and the processing of information related to Trade Union membership.
i) The Information Officer shall review this document at least every three years, or more frequently as needed, to respond to changes in the regulatory and legislative environment, as well as technological advancement in privacy protection. The document may be amended from time to time without prior notification.
COR-FO-003 Consent to Collection and Processing of Personal Information
COR-FO-004 Data Collection and Processing Consent Register
Written contract between the Company and any third party which processes information for the Company
Annexure A: Rights of Data Subjects
Section 5 of the Protection of Personal Information Act 4 of 2013 (POPI) states that a Data Subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information, including the right:
ii) to be notified that:
a) personal information about them is being collected as provided for in terms of section 18, or
b) their personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
iii) to establish whether a responsible party holds personal information of that Data Subject and to request access to their personal information as provided for in terms of section 23;
iv) to request, where necessary, the correction, destruction or deletion of their personal information as provided for in terms of section 24;
v) to object, on reasonable grounds relating to their particular situation, to the processing of their personal information as provided for in terms of section 11(3)(a);
vi) to object to the processing of their personal information:
a) at any time for purposes of direct marketing in terms of section 11(3)(b); or
b) in terms of section 69(3)(c);
vii) not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
viii) not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of their personal information intended to provide a profile of such person as provided for in terms of section 71;
ix) to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any Data Subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
x) to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.
Annexure B: Information which must be provided to Data Subjects when Collecting Personal Information
Section 18(1) of the Protection of Personal Information Act 4 of 2013 (POPI) states that if personal information is collected, the responsible party must take reasonably practicable steps to ensure that the Data Subject is aware of:
i) the information being collected and where the information is not collected from the Data Subject, the source from which it is collected;
ii) the name and address of the responsible party;
iii) the purpose for which the information is being collected;
iv) whether or not the supply of the information by that Data Subject is voluntary or mandatory;
v) the consequences of failure to provide the information;
vi) any particular law authorising or requiring the collection of the information;
vii) the fact that, where applicable, the responsible party intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation; and
viii) any further information such as the:
a) recipient or category of recipients of the information;
b) nature or category of the information;
c) existence of the right of access to and the right to rectify the information collected;
d) existence of the right to object to the processing of personal information as referred to in section 11 (3); and
e) right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator,
which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the Data Subject to be reasonable.