The definitions of the Protection of Personal Information Act 4 of 2013 (“POPI Act”) and Regulations relating to the Protection of Personal Information (“Regulations”) are used in this policy. The following is an extract from the POPI Act of relevant definitions used in this policy. All the definitions used in this document will be in italics for ease of reference.
‘‘code of conduct’’ means a code of conduct issued in terms of Chapter 7;
‘‘consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
‘‘competent person’’ means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child
‘‘data subject’’ means the person to whom personal information relates;
“information officer’’ of, or in relation to, a—
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;
‘‘operator’’ means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
‘‘person’’ means a natural person or a juristic person;
‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
‘‘Regulator’’ means the Information Regulator established in terms of section 39;
‘‘responsible party’’ means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
“special personal information” means personal information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sex life, biometric information or criminal behaviour;
The Constitution of the Republic of South Africa provides that every person has a right to privacy, which includes your right to have your personal information protected. The POPI Act aims to do exactly this, to protect your personal information. This policy sets out how we will comply with the POPI Act when we collect, process, or further handle your personal information.
Our Information is as follows:
Name: South African Butler Academy
Registration Number: 2010/104113/23
Address: 34 Suikerbos Crescent, Plattekloof 3, Cape Town
Telephone: (021) 000 1477
2. Information officer
Our information officer is responsible for ensuring that we stay compliant with the POPI Act. All requests regarding your personal information in our possession can be directed at him/her.
Name: Adriaan Coetzer
Telephone: (021) 000 1477
3. The personal information record of the data subject
You are the data subject and we are the responsible party, meaning we collect and store your personal information (see definition clause above). As the data subject you have certain rights that we as the responsible party must adhere to:
- We may only collect and process your personal information if we have your consent;
- You may enquire about your personal information record;
- You may request the correction or deletion of your personal information record or part thereof;
- You may withdraw your consent;
- All above-mentioned enquiries or requests may happen at any time and must be free of charge.
However, you need to inform us as soon as possible of any changes that need to be made to your personal information record held by us. This will ensure that your personal information record stays accurate and up to date.
4. Collection of Personal information
We collect your personal information so that we can fulfil our obligations towards you, provide you with an appropriate and accurate service and/or product, to obtain a mandate from you, communicate with you, and to be informed of any changes or to inform you of any changes or results. Our employees will always inform you why your personal information is collected.
In some instances, the Financial Intelligence Centre Act 38 of 2001 places a duty upon us to establish and verify the identity of our clients. We therefore also collect and process your personal information to adhere to legislative duties placed upon us.
The collection of personal information may happen either automatically through our website or manually through other means, but we will always first obtain your consent to collect and process it. You will always be informed when your personal information is collected, and we will always honour your rights as set out in clause 3 above.
We will only collect and process the minimum personal information required to deliver to you the specific product and/or service you requested. Our employees will specifically inform you what personal information is needed and for what purpose it will be used.
5. Processing and use of personal information
When you first disclosed your personal information to us, you did so for a specific purpose, you gave us a mandate (including in terms of an agreement) to deliver a service and/or product to you. We will only process your personal information in line with that specific and legitimate purpose or mandate. When the mandate has been completed, we will either store, delete or de-identify your information (depending on the specific circumstances) as set out in clause 8 below.
If any further processing of your personal information is necessary, we may and will only do so if the further processing is in line with the initial mandate that you have given us. If further processing is not compatible with the initial mandate, then we will first acquire your consent before any further processing.
We do reserve the right to process your personal information for other legitimate purposes as set out in clause 11. However, we shall notify you if we process your personal information regardless of our justification.
6. Storage and Safeguards
Electronic records of personal information
We make use of IT-Specialists to design and implement a security framework on all our devices and servers to keep all electronic records of your personal information safe. Our IT Specialists are seen as our operator by definition of the POPI Act (see definition clause above) as they maintain and upgrade our IT systems and security. They only perform functions as mandated by us and are prohibited from processing your personal information, unless it is in line with the mandate that you in turn gave to us.
These functions are:
- Implementing necessary cyber security systems to detect, investigate and effectively respond to threats to personal information or its systems.
- Optimising cloud services (for example Office 365) and the way in which personal information is stored and processed to be in line with the POPI Act.
- Regular wiping of ‘free space’ on storage devices to make sure deleted personal information is irrecoverable.
- Implementing access control methods and mechanisms to ensure that only authorised users have access to your personal information.
- Upgrade our system and devices regularly.
We further maintain, update and implement a strict password policy on all our devices and train our employees accordingly.
Physical records of personal information
All active physical copies of personal information records are kept behind locked doors and secured by an alarm system installed in the building. All archived physical copies of personal information records are kept behind locked doors in a secure facility that can only be accessed by authorized employees in line with the mandate that you have given us.
7. Security Breaches
If there are reasonable grounds to believe that your personal information has been accessed by an unauthorised person or entity, then we will notify you and the Information Regulator as soon as reasonably possible. The notice will be sufficiently detailed in order for you to take all the necessary protective measures.
8. Retaining and Deletion of Personal information
We only keep your personal information records for as long as it is needed to fulfil the initial or a further mandate that you have given us. Therefore, if you do not give us a new mandate to use your existing personal information record, we will delete your personal information record.
We will delete your personal information record 30 days after we completed the mandate given by you, unless we have an agreement with you to the contrary. We implement regular “wipes” of our storage devices after which any deleted personal information record will be completely irrecoverable. During this 30 day period you may elect to not have your personal information record deleted in order to make future business transactions easier or for any other legitimate purpose.
Where it is required by law or a Regulatory body that we must retain your personal information record for a specific period we will not delete it after the completed mandate as described above, but only after the period that the law or Regulatory body prescribes has lapsed. We will inform you of the relevant legislation and/or rules of the Regulatory body and the prescribed time period. During this period, we may archive your personal information with the necessary safeguards as stated in clause 6 above.
Where your personal information is of value for historical, statistical or research purposes, then we may permanently de-identify your personal information in order to use the remaining data for the above-mentioned purposes.
9. Child and Special personal information
Special personal information
The POPl Act prohibits the processing of your special personal information (see definition clause above), subject to the following exceptions:
- the processing is carried out with the consent of the data subject;
- the processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- the processing is necessary to comply with an obligation of international public law;
- the processing is for historical, statistical or research purposes subject to certain requirements being met;
- the information has deliberately been made public by the data subject; or
- the provisions of sections 28 to 33 of the POPI Act (as may be applicable) are complied with (these provisions state how authorisation to process specific special personal information may be obtained).
Please note that we generally do not collect your special personal information, because it is not needed. If there are exceptional circumstances that require us to process your special personal information we will only do so according to the law.
Personal information of a child
The POPI Act prohibits the processing of the personal information of a child, subject to the following exceptions:
- prior consent of a competent person is obtained;
- processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- personal information is being used for historical, statistical or research purposes if it serves a public interest and it appears impossible or would involve a disproportionate effort to ask for consent.
- If the child has deliberately made the personal information public with the consent of a competent person.
Please note that we generally do not process personal information of children, but in the exceptional circumstance that it is required we will do so according to the law.
10. Marketing of our products and/or services
We may occasionally send you marketing information regarding our products and/or services that might be useful for you. There will always be an option for you to opt-out from receiving marketing information in the future.
Please further note that we will never send you marketing information without your consent if we do not have an existing relationship with you.
Please note the following exceptions where we do not need your express consent to process your personal information:
- For the conclusion or performance of a contract to which you are a party;
- Where it is required by law;
- Where it protects a legitimate interest of yourself;
- Where it is needed to protect our legitimate interests or that of an authorized third-party.
- Where the personal information is already public knowledge.
Please also consult our PAIA Manual for requests to information records in terms of The Promotion of Access to Information Act 2 of 2000.
12. Revision of POPI Policy
We will annually review and update our POPI Policy to ensure that it stays relevant and matures as the need for the protection of personal information increases. We will continuously attempt to identify new risks to the security, integrity and confidentiality of the personal information held by us and update our POPI Policy accordingly.
The Information Regulator has not yet released a code of conduct with industry-specific standards for the processing of personal information. We will review and update our POPI policy as and when such industry specific code of conduct or similar document is released.
13. Concerns or objections
Please address all requests, concerns and/or objections with regard to the processing of your personal information to our Information officer (see clause 2). You may also lodge a complaint with the Information Regulator, whose contact details can be found on their website at https://www.justice.gov.za/inforeg/contact.html.