Privacy Policy
PROTECTION OF PERSONAL INFORMATION ACT NO. 4 OF 2013
PRIVACY POLICY
Organisation | SMSWEB (the Company) |
Scope of Policy | This policy applies to all paid representatives, consultants, employees, contractors, agents and/or service providers and all other parties who deal with data received from the customers/clients of the Company (hereinafter referred to as ‘company members’). This includes, but is not limited to, the appointed auditor and its employees, as well as all other professional services needed from time to time. |
Policy operational date | April 2022 |
Policy Prepared by | Rianna Willemse Solms Attorneys |
Information Officer | Andre Roux at compliance@smsweb.co.za |
Date Approved by the information officer. | April 2022 |
Next Policy Review date | May 2022 (one year later) |
Introduction |
|
Purpose of the Policy | The Purpose of this policy is to enable the Company to:
|
Personal Information | This policy applies to information relating to identifiable individuals, in terms of the Protection of Personal Information Act, 2013 (hereinafter POPI Act). |
Policy Statement | The Company will:
The Company recognizes that its first priority, under the POPI Act, is to avoid causing harm to individuals. This means:
As a second priority, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, the Company will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used. |
Key Risks | The company has identified the following potential key risks, which the policy is designed to address:
|
Information Officer Responsibilities |
|
Scope | The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 1, and chapter 5, Part B |
Information Officer responsibility | The Information Officer has the following responsibilities:
|
Appointment | The appointment of the Information Officer will be done by the Directors. The need for a Deputy Information Officer will be decided upon, if necessary. |
Processing Limitations |
|
Scope | The scope is defined by the provisions of the POPI Act, condition 2 |
Processing limitations | The Company undertakes to comply with the POPI Act, Condition 2 in terms of the processing limitations, sections 9 to 12, subject to the forms of consent. |
Forms of consent | The company undertakes to gain written consent where appropriate. |
Nature of personal information | In terms of the Act, personal information is data that can be used to identify a person. It is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” This information about a person includes, but is not limited to:
|
Processing Specifications |
|
Scope | The scope is defined by the provision of the POPI Act, condition 3. |
Purpose specifications | The Company undertakes to comply with the POPI Act, condition 2 in terms of processing limitations, sections 13 and 14, subject to the retention periods. |
Retention periods | The Company will establish retention periods for at least, but not limited to, the following company member data categories:
|
Further processing limitation |
|
The Company undertakes to comply with the POPI Act, condition 2 in terms of limitation, section 15. | |
Information Quality |
|
Scope | The scope is defined by the provisions of the POPI Act, condition 5, section 16. |
Accuracy | The Company will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
|
Updating | The Company will review all personal information on a quarterly basis. |
Archiving | Archived electronic records will be securely stored off site. Paper record archiving will be held off site. All shredded items will be signed off by 2 (two) company members. |
Openness |
|
Scope | As defined by the provisions of the POPI Act, condition 6 |
Openness | In line with Conditions 6 and 8 of the Act, the Company is committed to ensuring that individuals are aware that their data is being processed and:
|
Procedure | Ways of informing:
Whenever data is collected, the number of mandatory fields will be kept to a minimum and company members will be informed which data is mandatory and why. |
Security Safeguards |
|
Scope | This section only addresses the security issues relating to personal information. |
Specific Risks | The Company has identified the following risks:
|
Setting Security Levels | Access to information on the main computer system will be controlled by means of administrator login credentials (administrator username and password). |
Security measures | The Company will ensure that all necessary controls are in place in terms of access to personal information by keeping logs of all user/administrator logins and changes to data fields on the main database. |
Business continuity | The Company will take all adequate steps to provide business continuity in the event of an emergency. |
Data Subject Participation |
|
Scope | Defined by the provision of the POPI Act, condition 8, sections 23 to 25 |
Responsibility | Information Officer (Andre Roux) |
Procedure for making request | All requests must be in writing and passed on to the Information Officer, who will take the necessary steps as per the POPIA procedures. |
Provision for verifying identity | All identities will be verified before handing over any information. |
Charging | Fees for access will be handled in compliance with the PAIA Act |
Granting access | Granting access will be made in terms of the PAIA Act |
Processing of Personal Information of Children |
|
Scope | The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part C, sections 34 and 35. Processing of Personal Information of Children. The Company has the policy of adhering to the process of Special Personal Information of children. This applies to under-18 (eighteen) individuals, so an age check is required for all personal information records. |
Responsibility | Information Officer (Andre Roux) |
Procedure for making request | General authorization concerning personal information of children only applies where under-18s (eighteen) are involved. |
Provision for verifying identity | General authorization concerning personal information of children only applies where under-18s (eighteen) are involved. |
Charging | Fees for access will be handled in compliance with the PAIA Act |
Granting access | Granting access will be made in terms of the PAIA Act |
Processing of Special Personal Information |
|
Scope | Defined by the provisions of the POPI Act, Part B, sections 26 to 33 |
Processing of Special Personal Information | The Company and company members will at all times adhere to the POPI Act in terms of special information relating to:
|
Training & acceptance of responsibilities |
|
Scope | In support of the provisions of the POPI Act, chapter 5, Part B |
Documentation | Information for company members is contained. |
Induction | The Information Officer will ensure that company members who have access to personal information have their responsibilities outlined. |
Continuing training | Training will be ongoing and included in team meetings and supervisions, as scheduled and announced by the Information Officer. |
Procedure for staff signifying acceptance of policy | Company members will be required to accept this policy in writing (POPIA Agreement). |
Policy Review |
|
Responsibility | Information Officer (Andre Roux) |
Procedure | Relevant stakeholders will be consulted as part of the annual review. The annual review must be completed prior to the policy anniversary date. |