Privacy Policy

PROTECTION OF PERSONAL INFORMATION ACT NO. 4 OF 2013

PRIVACY POLICY

Organisation SMSWEB (the Company)
Scope of Policy This policy applies to all paid representatives, consultants, employees, contractors, agents and/or service providers and all other parties who deal with data received from the customers/clients of the Company (hereinafter referred to as ‘company members’). This includes but is not limited to the appointed auditor, and its employees, as well as all other professional services needed from time to time.
Policy operational date April 2022
Policy Prepared by Rianna Willemse Solms Attorneys
Information Officer Andre Roux at compliance@smsweb.co.za
Date Approved by the information officer. April 2022
Next Policy Review date May 2022 (one year later)

Introduction

Purpose of the Policy The Purpose of this policy is to enable the Company to:

  • Comply with the law in respect of the data it holds about individuals;
  • Follow good practice;
  • Protect the Company’s clients and customers, and other individuals
  • Protect the organization from the consequences of a breach of its responsibilities;
  • Take reasonable measures to prevent cyber crime by unauthorized access to, interception of, or interference with any data on its network and under its control.
Personal Information This policy applies to information relating to identifiable individuals, in terms of the Protection of Personal Information Act, 2013 (hereinafter POPI Act).
Policy Statement The Company will:

  • Comply with both the law and good practice
  • Respect individuals’ rights
  • Be open and honest with individuals whose data is held.
  • Provide training and support to company members who handle personal data, so that they can act confidently and consistently.

The Company recognizes that its first priority, under the POPI Act, is to avoid causing harm to individuals. This means:

  • Keeping information securely in the right hands, and;
  • Retention of good quality information.

As a second priority, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, the Company will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.

Key Risks The company has identified the following potential key risks, which the policy is designed to address:

  • Breach of confidentiality (information being given out inappropriately and/or hacking of any such information or databases)
  • Insufficient clarity about the range of uses to which data will be put – leading to individuals being insufficiently informed.
  • Breach of security by allowing unauthorized access
  • Harm to individuals if personal data is not up to date
  • Data use contracts with company members and other users

Information Officer Responsibilities

Scope The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 1, and chapter 5, Part B
Information Officer responsibility The Information Officer has the following responsibilities:

  • Developing, publishing, and maintaining a POPI Policy which addresses all relevant provisions of the POPI Act, including but not limited to the following:
  • Reviewing the POPI Act and periodic updates as published;
  • Ensuring that POPI Act induction training takes place for all company members;
  • Ensuring that periodic communication awareness on POPI Act responsibilities takes place;
  • Ensuring that Privacy Notices for internal and external purposes are developed and published;
  • Handling data access requests;
  • Approving unusual or controversial disclosures of personal data;
  • Approving contracts with Data Operators;
  • Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of personal information;
  • Ensuring that appropriate Security Safeguards, in line with the POPI Act for personal information, are in place;
  • Handling all aspects of relationship with the Regulator as foreseen in the POPI Act;
  • Provide direction to any Deputy Information Officer, if and when appropriate.
Appointment The appointment of the Information Officer will be done by the Directors. The need for a Deputy Information Officer will be decided upon, if necessary.

Processing Limitations

Scope The scope is defined by the provisions of the POPI Act, condition 2
Processing limitations The Company undertakes to comply with the POPI Act, Condition 2 in terms of the processing limitations, sections 9 to 12, subject to the forms of consent.
Forms of consent The company undertakes to gain written consent where appropriate.
Nature of personal information In terms of the Act, personal information is data that can be used to identify a person. It is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”
This information about a person includes, but is not limited to:
  

  • Race
  • Gender/Sex
  • Pregnancy
  • Marital status
  • National / ethnic / social origin
  • Sexual orientation
  • Age
  • Physical or mental health
  • Disability
  • Religion / beliefs / culture
  • Language
  • Educational / medical / financial / criminal or employment history
  • ID number
  • Email address
  • Physical address
  • Telephone number
  • Location
  • Biometric information
  • Personal opinions, views or preferences

Processing Specifications

Scope The scope is defined by the provision of the POPI Act, condition 3.
Purpose specifications The Company undertakes to comply with the POPI Act, condition 2 in terms of processing limitations, section 13 and 14, subject to the retention periods.
Retention periods The Company will establish retention periods for at least, but not limited to, the following company member data categories:

  • Directors
  • Sales Representatives (Reps)
  • Consultants
  • Employees
  • Customers
  • Contractors

Further processing limitation

The Company undertakes to comply with the POPI Act, condition 2 in terms of limitation, section 15.

Information Quality

Scope The scope is defined by the provisions of the POPI Act, condition 5, section 16.
Accuracy The Company will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:

  • IT systems will be designed where possible, to encourage accurate data;
  • Data on individuals will be kept in as few places as necessary, and all company members will be discouraged from establishing unnecessary additional sets;
  • Effective procedures will be in place so that all relevant systems are updated when information about any individual changes;
  • Company members who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
Updating The Company will review all personal information on a quarterly basis.
Archiving Archived electronic records will be held securely off site. Paper record archiving will be held off site. All shredded items will be signed off by 2 (two) company members.

Openness

Scope As defined by the provisions of the POPI Act, condition 6
Openness In line with Conditions 6 and 8 of the Act the Company is committed to ensure that individuals are aware that their data is being processed and:

  • For what purpose it is being processed;
  • What types of disclosure are likely; and
  • How to exercise their rights in relation to the data.
Procedure Ways of informing:

  • Company members: through this policy
  • Individuals: through the privacy notice

Whenever data is collected, the number of mandatory fields will be kept to a minimum and company members will be informed as to which data is mandatory and why.

Security Safeguards

Scope This section only addresses the security issues relating to personal information.
Specific Risks The Company has identified the following risks:

  • Company members with access could misuse it;
  • Company members may be tricked into giving out information
  • The Company may be hacked by a third party or outside source (e.g., cybercrime through unauthorized access to, interception of, or interference with any data on its network and under its control).
Setting Security Levels Access to information on the main computer system will be controlled by means of administrator login credentials (administrator username and password)
Security measures The Company will ensure that all necessary controls are in place in terms of access to personal information by keeping logs of all user/administrator logins and changes to data fields on the main database.
Business continuity The Company will take all adequate steps to provide business continuity in an event of an emergency.

Data Subject Participation

Scope Defined by the provision of the POPI Act, condition 8, sections 23 to 25
Responsibility Information Officer (Andre Roux)
Procedure for making request All requests must be in writing and passed on to the Information Officer, who will take the necessary steps as per the POPIA procedures.
Provision for verifying identity All identities will be verified before handing over any information
Charging Fees for access will be handled in compliance with the PAIA Act
Granting access Granting access will be made in terms of the PAIA Act

Processing of Personal Information of Children

Scope The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part C, sections 34 and 35. Processing of Personal Information of Children. The Company has the policy of adhering to the process of Special Personal Information of children. This applies to under-18 (eighteen) individuals, so an age check is required for all personal information records.
Responsibility Information Officer (Andre Roux)
Procedure for making request General authorization concerning personal information of children only applies where under-18’s (eighteens) are involved.
Provision for verifying identity General authorization concerning personal information of children only applies where under-18’s (eighteens) are involved.
Charging Fees for access will be handled in compliance with the PAIA Act
Granting access Granting access will be made in terms of the PAIA Act

Processing of Special Personal Information

Scope Defined by the provisions of the POPI Act, Part B, sections 26 to 33
Processing of Special Personal Information The Company and company members will at all times adhere to the POPI Act in terms of special Information relating to:

  • Religious or Philosophical beliefs
  • Ethnic origin
  • Political persuasion
  • Health
  • Sexual orientation
  • Criminal behaviour

Training & acceptance of responsibilities

Scope In support of the provisions of the POPI Act, chapter 5, Part B
Documentation Information for company members is contained.
Induction The Information Officer will ensure that company members who have access to personal information will have their responsibilities outlined.
Continuing training Training will be on-going, and included in team meetings and supervisions, as scheduled and announced by the Information Officer.
Procedure for staff signifying acceptance of policy Company members will be required to accept this policy in writing (POPIA Agreement).

Policy Review

Responsibility Information Officer (Andre Roux)
Procedure Relevant Stakeholders will be consulted as part of the annual review.  The annual review must be completed prior to the policy anniversary date.