
Protection Of Personal Information Policy

Introduction

MarkIT Solutions (hereinafter referred to as “the Company”) is obliged to comply with the Protection of Personal Information Act (No. 4 of 2013) (“POPI”) as well as the Promotion of Access to Information Act (No. 2 of 2000) (“PAIA”), given that it processes the personal information of its employees, suppliers, clients and other data subjects from time to time, and that there may be requesters of information relating to the Company and its operations.

The Company is committed to protecting the privacy of data subjects and to ensuring that their personal information is used appropriately, transparently, securely and in accordance with applicable laws. This is in line with the right to privacy in the Constitution.

POPI requires the Company to inform its data subjects of how their personal information is collected, processed, secured, disclosed and destroyed. This Policy sets out the manner in which the Company deals with such personal information and stipulates the general purposes for which such information is used. It also addresses the standards of conduct expected of employees of the Company in this regard.

The Information Officer shall ensure that the PAIA Guide (as provided by the Information Regulator) is posted on the website in all official languages and that the Guide is available at each of the Company’s offices for public inspection. A list of records that are voluntarily disclosable and/or available without a requester having to request access to them shall be kept and updated monthly and whenever the contents change. That list shall be posted on the website, registered with the Information Regulator and kept in hard copy at the offices of the Company. A requester who requests access to a record under PAIA shall complete the prescribed form and follow the required protocols.

Relevant stakeholders must be made aware of the contents of this Policy when their consent is requested for the processing of their personal information or when the Company otherwise interacts with data subjects.

The provisions of this Policy must be read together with the practices and procedures that are used to give effect to its purpose.

Collection of personal information

The Company collects, stores and processes personal information pertaining to data subjects, including its employees, suppliers, clients and other stakeholders. The type of information collected and processed depends on the purpose for which it is collected, and it will be processed for that purpose only. Where appropriate, the Company will inform the data subject of the information required, the purpose for which it is required, the data subject’s rights of participation and the other relevant provisions of the law.

The Company must indicate to the data subject the consequences of failing to provide such personal information. For example, the Company may not be able to employ an individual without certain personal information relating to that individual, or may not be in a position to render services to a client in the absence of certain required information.

The personal information the Company collects includes, but is not limited to, the following information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person:

  1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  2. information relating to the education or the medical, financial, criminal or employment history of the person;
  3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  4. the biometric information of the person;
  5. the personal opinions, views or preferences of the person;
  6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  7. the views or opinions of another individual about the person; and
  8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Collection of employee information

For the purposes of this Policy, “employees” includes prospective, past and existing employees of the Company.

When appointing new employees, the Company will require information from the prospective employee, including but not limited to that listed above, in order to process the employee’s information on the Company’s systems. Such information is reasonably necessary for the Company’s record-keeping purposes and to ascertain whether the prospective employee meets the requirements for, and is suitable for appointment to, the position concerned.

The Company will use and process such employee information, as set out below, for purposes including, but not limited to, maintaining its employment records and making lawful decisions in respect of that employee and its business.

Use of Employee Information

Employees’ personal information will only be used for the purpose for which it was collected and intended. This includes, but is not limited to:

  1. submissions to the Department of Employment and Labour;
  2. submissions to the South African Revenue Service;
  3. audit and record-keeping purposes;
  4. legal proceedings;
  5. compliance with legal and regulatory requirements;
  6. the administrative functions of the Company;
  7. disciplinary action or any other action to address the employee’s conduct or capacity;
  8. the administration of any employment benefits to which the employee is entitled;
  9. pre- and post-employment checks and screening;
  10. any other relevant purpose of which the employee has been notified; and
  11. any other compliance requirement at law.

Should employee information be processed for any other purpose that is not in the legitimate interests of the employee, the Company will inform the employee accordingly.

The Company acknowledges that employee personal information may only be processed if at least one of the following conditions is met, depending on the merits:

  1. the employee consents to the processing;
  2. the processing is necessary to give effect to justifiable rights and obligations, for example the performance of a contract;
  3. the processing complies with an obligation imposed by law on the Company;
  4. the processing protects a legitimate interest of the employee; or
  5. the processing is necessary for pursuing the legitimate interests of the Company or of a third party to whom the information is supplied.

Collection of client and/or supplier information

For the purposes of this Policy, “clients” includes prospective, past and existing clients.

The Company collects and processes its clients’ personal information, such as that listed below. The type of information depends on the need for which it is collected, and it will be processed for that purpose only. Personal information collected from clients includes, but is not limited to:

  1. the client’s identity number, name, surname, address and postal code;
  2. the client’s residential and postal address;
  3. contact information;
  4. banking details;
  5. company registration number;
  6. full name of the legal entity;
  7. tax and/or VAT number; and
  8. details of the person responsible for the client’s account.

The Company also collects and processes clients’ personal information for marketing purposes, in order to ensure that its products and services remain relevant to its clients and prospective clients.

Use of client and supplier information:

A client’s personal information will only be used for the purpose for which it was collected and, where an agreement is required at law, as agreed. This may include, but is not limited to:

  1. providing products and/or services to clients;
  2. sending accounts and communications in respect of services rendered;
  3. referral to other service providers;
  4. confirming, verifying and updating client details;
  5. conducting market or customer satisfaction research;
  6. audit and record-keeping purposes;
  7. legal proceedings; and
  8. compliance with legal and regulatory requirements, or where otherwise allowed by law.

The Company acknowledges that client and supplier personal information may only be processed if at least one of the following conditions is met:

  1. the client consents to the processing;
  2. the processing is necessary to give effect to justifiable rights and obligations, including the performance of a contract;
  3. the processing complies with an obligation imposed by law on the Company;
  4. the processing protects a legitimate interest of the data subject; or
  5. the processing is necessary for pursuing the legitimate interests of the Company or of a third party to whom the information is supplied.

Disclosure of personal information

Subject to any legislative provision to the contrary, the Company may share a data subject’s personal information with third parties, and obtain information from such third parties, for the purposes set out above.

The Company may also disclose a data subject’s information where there is a duty or a right to disclose it in terms of applicable legislation, a contractual obligation or the law, or where disclosure is necessary to protect the Company’s rights.

Safeguarding personal information and consent

POPI requires the Company to adequately protect the personal information it holds and to prevent unauthorised access to, and use of, that personal information.

The Company shall review its technical and organisational security controls and processes on a regular basis to ensure that personal information remains secure.

The Company shall appoint an Information Officer who is responsible for encouraging compliance with the conditions for the lawful processing of personal information and the other provisions of POPI and PAIA.

Each new employee will be required to sign an employment contract containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of POPI.

Every employee currently employed within the Company will be required to sign an addendum to their employment contract containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of POPI.

Suppliers of the Company who fall within the POPI definition of “operators” will be required to enter into a written agreement recording their commitment to the protection of personal information.

Consent to process client information is obtained from the data subject (or from a person authorised by the client to provide the client’s personal information) during the introductory, appointment and needs-analysis stage of the relationship.

Security breaches

Should the Company detect a security breach on any of its systems that contain personal information, the Company shall take the required steps to assess the nature and extent of the breach in order to ascertain whether any personal information has been compromised.

Where the Company has reason to believe that personal information has been compromised, it shall activate its Incident Response Plan, which includes notifying the affected data subjects and the Information Regulator. Notification of data subjects is made where the Company can identify the data subjects to whom the information relates. Where that is not possible, publication on the website and whatever else the Information Regulator prescribes may be necessary.

Notification will be provided in writing by one or more of the following means:

  • e-mail
  • registered mail
  • a notice on the Company’s website.

The notification shall, where possible, provide the following information:

  1. a description of the possible consequences of the breach;
  2. the measures taken or proposed to address the breach;
  3. recommended steps the data subject can take to mitigate the possible adverse effects of the breach; and
  4. the identity of the person responsible for the breach, if known to the Company.

In addition to the above, the Company shall notify the Information Regulator of any breach and/or compromise of personal information in its possession, work closely with the Regulator and comply with any recommendations the Regulator issues.

The following provisions apply in this regard:

  1. the Information Officer is responsible for overseeing the investigation;
  2. the Information Officer is responsible for reporting to the Information Regulator within 2 working days of a breach or compromise of personal information;
  3. the Information Officer is responsible for reporting to the affected data subject(s) within 2 working days of a breach or compromise of personal information; and
  4. the timeframes above are internal guidelines: POPI requires notification as soon as reasonably possible after discovery of the compromise, and the merits of a particular situation may require earlier or later reporting.

Access and correction of personal information

Data subjects have the right to request access to any personal information that the Company holds about them.

Data subjects have the right to request, on reasonable grounds, that the Company update, correct or delete their personal information. Such requests must be made to the Company’s Information Officer, to the Company’s head office, or via the “Information Officer Portal” on the website.

Where an employee or client objects, on reasonable grounds, to the processing of their personal information, the Company may no longer process that personal information. The consequences of withholding consent to the processing must be explained to the employee or client before he or she confirms the objection.

The data subject must provide reasons for the objection to the processing of his or her personal information.

Retention of records

The Company shall ensure the safeguarding and protection of all personal information and data it retains. The Company is obliged to retain certain information for periods prescribed by law, including but not limited to the following:

In terms of the Companies Act, No. 71 of 2008, as amended by the Companies Amendment Act, No. 3 of 2011, the documents listed below must be retained for 7 years:

  • any documents, accounts, books, writing, records or other information that a company is required to keep in terms of the Act;
  • notices and minutes of all shareholders’ meetings, including resolutions adopted and documents made available to holders of securities;
  • copies of reports presented at the annual general meeting of the company; and
  • copies of the annual financial statements and accounting records required by the Act.

The Basic Conditions of Employment Act, No. 75 of 1997, as amended, requires the Company to retain records relating to its employees for a period of not less than 3 years.

Amendments to this policy

This Policy may be amended from time to time at the discretion of the Company and in response to changes in the law. Such changes will be brought to the attention of employees and clients where the changes affect them.

Standards of conduct required of employees

In addition to the provisions of this POPI Policy, the employment contract, the disciplinary code, the electronic communications and social media policy and any other document applicable to employees, the following standards of conduct and practice, and the principles underlying them, must be complied with at all times. A breach may result in serious disciplinary action, including dismissal for a first offence.

Physical Records and Assets

All physical records containing personal information (PI), as well as any hardware, devices or similar equipment, must at all times be protected from unauthorised access, damage, loss or other prejudice.

Systems and Platforms

Compliance with the Company’s security requirements is essential, including in the following areas:

  1. the changing, storage and sharing of usernames and passwords;
  2. data back-ups and protection; and
  3. limitations on the use of personal devices such as external hard drives and similar storage media, mobile phones and the like.

Internal and External Posting of Personal Information of Company Data Subjects

Personal information may not be shared or posted on any platform other than those approved by the Company, and then only under the conditions specified for that platform. Posting or transmitting personal information outside the Company on social media or any similar platform is prohibited altogether.

Conditions to be observed when collecting or processing Personal Information

The following principles must be complied with when dealing with personal information. If there is any doubt, the employee must obtain the written authority of the Information Officer before processing the information.

Accountability

The employee must ensure that the conditions for lawful processing, and all the measures that give effect to those conditions, are complied with both when the purpose and means of the processing are determined and during the processing itself.

Processing limitation

Personal information must be processed:

  1. lawfully; and
  2. in a reasonable manner that does not infringe the privacy of the data subject.

This includes considerations of minimality and adequacy given the purpose for which the information is intended. In addition, personal information may only be processed if at least one of the following applies:

  1. the data subject, or a competent person where the data subject is a child, consents to the processing;
  2. the processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
  3. the processing complies with an obligation imposed by law on the responsible party;
  4. the processing protects a legitimate interest of the data subject;
  5. the processing is necessary for the proper performance of a public law duty by a public body; or
  6. the processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

Personal information must be collected directly from the data subject, except where the information is contained in or derived from a public record or has deliberately been made public by the data subject, or where another exception provided for in POPI applies.

Purpose specification

Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

Further processing limitation

Further processing of personal information must be compatible with the purpose for which it was collected, taking into account:

  1. the consequences of the intended further processing for the data subject;
  2. the manner in which the information was collected; and
  3. any contractual rights and obligations between the parties.

Security Safeguards

Employees must secure the integrity and confidentiality of personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures to prevent:

  1. loss of, damage to or unauthorised destruction of personal information; and
  2. unlawful access to or processing of personal information.

Employees must take reasonable measures to:

  1. identify all reasonably foreseeable internal and external risks to personal information in their possession or under their control;
  2. establish and maintain appropriate safeguards against the risks identified;
  3. regularly verify that the safeguards are effectively implemented; and
  4. ensure that the safeguards are continually updated in response to new risks or to deficiencies in previously implemented safeguards.

Employees must have due regard to generally accepted information security practices and procedures, whether those that apply generally or those required by specific industry or professional rules and regulations.

The following additional security safeguards must be observed:

  • share personal information only on a need-to-know basis;
  • run anti-virus and malware detection software, and install its updates immediately;
  • secure and back up files;
  • use encryption;
  • protect passwords and follow the Company’s authentication requirements;
  • use multi-factor authentication;
  • agree BYOD (bring your own device) protocols before a personal device is used for Company work;
  • keep mobile devices physically secure;
  • do not open suspect links, pop-ups or e-mails from unknown senders;
  • use only secure Wi-Fi networks;
  • use firewall protection at work and at home;
  • report any security concerns and warnings;
  • limit employee and user access to the minimum required;
  • monitor third parties;
  • provide security education and training;
  • be cautious with unvetted USB devices;
  • install security software updates; and
  • be alert to social engineering.