TABLE OF CONTENTS

  1. INTRODUCTION
  2. DEFINITIONS
  3. POLICY PURPOSE
  4. SCOPE
  5. RIGHTS OF DATA SUBJECTS
  6. GENERAL GUIDING PRINCIPLES
  7. INFORMATION OFFICERS
  8. SPECIFIC DUTIES AND RESPONSIBILITIES
  9. REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE
  10. POPIA COMPLAINTS PROCEDURE
  11. DISCIPLINARY ACTION
  12. DATA BREACH

1. INTRODUCTION

This policy outlines our commitment to protecting personal information in accordance with the Protection of Personal Information Act (POPIA) of 2013. This policy applies to all employees, contractors, and agents who collect, use, or store personal information on behalf of The Bonus Group.

2. DEFINITIONS

  • This policy uses the following terms with the meanings given to them in the Protection of Personal Information Act (POPIA).
  • Personal information is information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person (such as a company).
  • The data subject is the person to whom the personal information relates.
  • The responsible party is the organisation (or other person) that, alone or together with others, determines the purpose of and means for processing personal information.
  • An operator is a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
  • The information officer is the person responsible for ensuring that the organisation complies with POPIA.
  • Processing is any operation or activity, or set of operations, concerning personal information, whether or not by automatic means, including its collection, recording, storage, updating, retrieval, use, dissemination, linking, erasure or destruction.
  • A record is any recorded information, regardless of form or medium, in the possession or under the control of a responsible party.
  • A filing system is any structured set of personal information that is accessible according to specific criteria.
  • A unique identifier is an identifier assigned to a data subject and used by a responsible party to identify that data subject in relation to the responsible party.
  • De-identifying information means deleting any information that identifies the data subject, or that could be used, or linked to other information, by a reasonably foreseeable method to identify the data subject.
  • Re-identifying information means restoring identifying information that has been de-identified.
  • Consent is any voluntary, specific and informed expression of will by which a data subject agrees to the processing of their personal information.
  • Direct marketing is approaching a data subject, in person or by mail or electronic communication, to promote or offer goods or services or to request a donation.
  • Biometrics is a technique of personal identification based on physical, physiological or behavioural characteristics, such as fingerprinting, DNA analysis, retinal scanning and voice recognition.

3. POLICY PURPOSE

The purpose of this policy is to establish our commitment to the protection of personal information in accordance with the requirements of the Protection of Personal Information Act (POPIA) and to ensure that we comply with all applicable laws and regulations relating to the protection of personal information. The policy protects the organisation from the compliance risks associated with the protection of personal information, which include:

  • breaches of confidentiality;
  • failing to offer data subjects a choice about how their personal information is used;
  • reputational damage.

The policy manages these risks by:

  • stating desired behaviour and directing compliance with the provisions of POPIA and best practice;
  • cultivating an organisational culture that recognises privacy as a valuable human right;
  • developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information;
  • creating business practices that provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of the organisation;
  • assigning specific duties and responsibilities to control owners, including the appointment of an Information Officer, where necessary to protect the interests of the organisation and of data subjects;
  • raising awareness through training and providing guidance to individuals who process personal information so that they can act confidently and consistently.

4. SCOPE

This policy applies to all personal information that is collected, used, or stored by our business, including information about employees, customers, suppliers, and other individuals. The policy’s guiding principles find application in all situations and must be read in conjunction with POPIA as well as the organisation’s PAIA Policy as required by the Promotion of Access to Information Act (Act No 2 of 2000).

The legal duty to comply with POPIA’s provisions is activated in any situation where personal information is processed and entered into a record by or for a responsible party domiciled in South Africa, or by a responsible party not domiciled in South Africa that uses automated or non-automated means in South Africa (unless those means are used only to forward personal information through South Africa). POPIA does not apply where the processing of personal information takes place in the course of purely personal or household activities, or where the personal information has been de-identified to the extent that it cannot be re-identified.

5. RIGHTS OF DATA SUBJECTS

Where appropriate, the organisation will ensure that its clients and customers are made aware of the rights conferred upon them as data subjects. The organisation will ensure that it gives effect to the following rights.

  • The Right to Access Personal Information: Data subjects have the right to know if the organisation possesses personal information about them and may request access to it.
  • The Right to have Personal Information Corrected or Deleted: Data subjects have the right to request that the organisation correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, and to request the destruction or deletion of a record of personal information that the organisation is no longer authorised to retain.
  • The Right to Object to the Processing of Personal Information: Data subjects can object to the processing of their personal information for reasonable grounds, and the organisation will consider their request and the requirements of POPIA. The organisation may cease to use or disclose the data subject’s personal information and may also approve the destruction of the personal information, subject to any statutory and contractual record keeping requirements.
  • The Right to Object to Direct Marketing: Data subjects have the right to object to the use of their personal information for direct marketing purposes by means of unsolicited electronic communications.
  • The Right to Complain to the Information Regulator: Data subjects have the right to lodge a complaint with the Information Regulator regarding any infringement of their rights under POPIA and to take legal action in the event of non-compliance with the protection of their personal information.
  • The Right to be Informed: Data subjects have the right to be informed by the organisation when their personal information is being collected. They also have the right to be notified if the organisation suspects that their personal information has been accessed or acquired by an unauthorized person.

6. GENERAL GUIDING PRINCIPLES

All employees and persons acting on behalf of the organisation will at all times be subject to, and act in accordance with, the following guiding principles:

  • Accountability

Non-compliance with POPIA can have serious consequences for the organisation, such as reputational damage or civil claims for damages. Therefore, protecting personal information is the responsibility of everyone in the organisation. The organisation will promote compliance with POPIA and the principles outlined in this policy, but it will also take appropriate measures, including disciplinary action, against individuals who intentionally or negligently fail to comply with the principles and responsibilities set out in this policy.

  • Processing Limitation

The organisation must handle personal information fairly, lawfully, and in a non-excessive manner, and only with the informed consent of the data subject, and only for a specifically defined purpose. Prior to processing personal information, the organisation will inform the data subject of the reasons for collecting their personal information and obtain their written consent. If services or transactions are conducted over the phone or electronically, the organisation will keep a voice recording of the stated purpose for collecting the personal information and the data subject’s subsequent consent. The organisation will never distribute or share personal information with anyone who is not directly involved in facilitating the original purpose for which the information was collected, including separate legal entities, associated organisations, or individuals. If applicable, the data subject must be informed of the possibility that their personal information will be shared with other parts of the organisation’s business and provided with the reasons for doing so. We will only disclose personal information when it is necessary for these purposes and will ensure that appropriate measures are in place to protect the personal information.

  • Purpose Specification

The principle of transparency should be applied across all the organisation’s business units and operations. The organisation will only process personal information for legitimate, specific, and clearly defined purposes, and will inform data subjects of these purposes before collecting or recording their personal information.

  • Further Processing Limitation

The organisation won’t use personal information for any other purpose than the one it was collected for, unless it’s compatible with the original purpose. If the organisation wants to use the personal information for a different purpose, and it’s not compatible with the original purpose, the organisation will obtain additional consent from the data subject before processing the information for the secondary purpose.

  • Open Communication

The organisation is responsible for informing data subjects that their personal information is being collected and for what purpose. Contact can be made with the organisation via email addresses such as XXX@The Bonus Group.co.za to inquire about whether personal information is being held, request access to personal information, request updates or corrections to personal information, or make a complaint about the processing of personal information.

  • Security Safeguards

The organisation will ensure that the filing system’s security is managed effectively to protect personal information from loss, unauthorised access, disclosure, interference, modification, or destruction. Security measures will be context-specific, and the organisation will continuously review its security controls and conduct regular testing to combat cyber-attacks.

The organisation will store all paper and electronic records containing personal information securely and limit access to authorised individuals only. New employees will sign employment contracts containing terms for using and storing employee information, including confidentiality clauses to reduce the risk of unauthorised disclosures.

Existing employees will sign an addendum to their employment agreement containing the relevant consent and confidentiality clauses after the required consultation process. Operators and third-party service providers will be required to enter into service level agreements with the organisation, pledging mutual commitment to POPIA and the lawful processing of any personal information under the agreement.

Personal information will be protected by means of physical measures, including but not limited to locked filing cabinets, restricted access to offices and premises, and an alarm system with an active response team; technological measures, including up-to-date tools such as password protection, file encryption and current firewalls; and organisational controls, including background checks on all employees through the MIE system, limiting access to personal information to those who need it, staff training and non-disclosure agreements.

7. INFORMATION OFFICERS

The organisation will appoint an Information Officer, who is responsible for ensuring that the organisation complies with POPIA. In terms of section 55(2) of POPIA, the Information Officer takes up these duties only after the organisation has registered them with the Information Regulator.

8. SPECIFIC DUTIES AND RESPONSIBILITIES

  • Governing Body

The governing body of the organisation is ultimately responsible for ensuring that the organisation complies with the legal requirements of POPIA. This accountability cannot be delegated, but the governing body can assign some responsibilities to capable individuals or management. The governing body’s responsibilities include appointing an Information Officer, ensuring that all individuals who handle personal information are properly trained and aware of their contractual obligation to protect personal information. They are also responsible for informing data subjects of the procedure to follow to make inquiries about their personal information and scheduling periodic POPI audits to assess the organisation’s processes related to personal information, including collection, use, sharing, disclosure, destruction, and processing.

  • Information Officer

The Information Officer of the organisation has several responsibilities related to ensuring compliance with POPIA. This includes keeping the governing body informed about the organisation’s information protection responsibilities and notifying them in the case of a security breach. The Information Officer must continually analyse privacy regulations and align them with the organisation’s personal information processing procedures. The Information Officer will review and update this policy on an annual basis to ensure ongoing compliance with POPIA and other relevant laws and regulations. Changes to this policy will be communicated to employees, contractors, and agents in a timely manner. They are also responsible for scheduling and conducting regular POPI audits, making it convenient for data subjects to update their personal information or submit POPI-related complaints, and approving contracts with operators, employees, and third parties that may impact the personal information held by the organisation. The Information Officer must encourage compliance with the conditions required for the lawful processing of personal information and ensure that employees are fully aware of the associated risks and security controls. They must also oversee awareness training and address any POPIA-related questions, requests, or complaints from employees and data subjects. Finally, the Information Officer works with the Information Regulator on ongoing investigations and serves as the organisation’s contact point for issues related to the processing of personal information.

  • IT Manager

The IT Manager of the organisation has various responsibilities related to ensuring the security of personal information. This includes ensuring that the IT infrastructure, filing systems, and other devices used for processing personal information meet acceptable security standards. They must ensure that electronically held personal information is kept only on designated drives and servers and uploaded only to approved cloud computing services. Additionally, they must ensure that servers containing personal information are located in a secure location away from general office space, and that all electronically stored personal information is regularly backed up and protected from unauthorized access, accidental deletion, and malicious hacking attempts. The IT Manager is responsible for ensuring that personal information being transferred electronically is encrypted and that all servers and computers containing personal information are protected by a firewall and the latest security software. Regular IT audits must be performed to ensure the proper functioning of the organisation’s hardware and software systems, and to verify whether any unauthorized persons have accessed or acquired electronically stored personal information. The IT Manager must also conduct a proper due diligence review prior to contracting with operators or any other third-party service providers to process personal information on behalf of the organisation, such as cloud computing services.

9. REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE (Data subject rights)

Individuals whose personal information is held by the organisation have certain rights, including the right to request what personal information the organisation holds about them and the reason for its collection. They also have the right to request access to their personal information and to be informed about how to keep their personal information up to date.

To make an access to information request, data subjects can send an email to the Information Officer. The Information Officer will provide a “Personal Information Request Form” to the data subject, which must be completed and submitted. Before handing over any personal information, the Information Officer will verify the identity of the data subject, so that personal information is not disclosed to a person impersonating the data subject. All requests will be processed as soon as reasonably possible and, in any event, within the 30-day period prescribed by PAIA.

10. POPIA COMPLAINTS PROCEDURE

Complaints may be filed via email to [email protected]

11. DISCIPLINARY ACTION

After a POPI complaint or infringement investigation has concluded, the organisation may take appropriate administrative, legal, and/or disciplinary action against any employee who is reasonably suspected of engaging in the non-compliant activities described in this policy. If an employee is found to have acted in ignorance or with minor negligence, the organisation will provide additional awareness training. If there is sufficient evidence that an employee engaged in gross negligence or wilful mismanagement of personal information, this will be treated as serious misconduct, disciplinary procedures will begin, and the organisation may dismiss the employee summarily. Following an investigation, the organisation may also take immediate steps such as referring the matter to law enforcement agencies for criminal investigation, or recovering funds and assets to limit any harm or damage caused.

12. DATA BREACH

In the event of a data breach, we will investigate and identify the cause of the breach, notify affected data subjects, and implement measures to prevent a recurrence. As required by section 22 of POPIA, where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, we will notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise; notification of data subjects may be delayed only where the Regulator or a public body responsible for the investigation of offences determines that it would impede a criminal investigation. Notification to data subjects will be in writing and will describe the possible consequences of the breach, the measures the organisation has taken or intends to take to address it, the steps data subjects can take to mitigate its possible adverse effects, and, if known, the identity of the unauthorised person. All breach handling will follow POPIA to ensure full compliance.
