+27 (0) 43 726 0308 enquiries@profilepersonnel.co.za

Profile Personnel Privacy Policy in terms of the Protection of Personal Information Act, No. 4 of 2013 (South Africa)

Organization: Profile Personnel

Scope of Policy: This policy applies to the business of Profile Personnel wherever it is conducted, but based at the registered office. It applies to paid staff.

 

  1. Introduction
    • Purpose of policy. The purpose of this policy is to enable Profile Personnel to:
      • Comply with the law in respect of the data it holds about individuals;
      • Follow good practice;
      • Protect the Profile Personnel staff and other individuals;
      • Protect the organisation from the consequences of a breach of its responsibilities.
    • Personal Information. This policy applies to information relating to identifiable individuals, in terms of the Protection of Personal Information Act, 2013 (hereinafter POPI Act).
    • Policy statement. Profile Personnel will:
      • Comply with both the law and good practice
      • Respect individuals’ rights
      • Be open and honest with individuals whose data is held
      • Provide training and support for staff who handle personal data, so that they can act confidently and consistently.

Profile Personnel recognizes that its first priority under the POPI Act is to avoid causing harm to individuals. This means:

  • Keeping information securely in the right hands, and
  • Retaining good quality information.

Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, Profile Personnel will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.

    • Key Risks. Profile Personnel has identified the following potential key risks, which this policy is designed to address:
      • Breach of confidentiality (information being given out inappropriately).
      • Insufficient clarity about the range of uses to which data will be put, leading to Data Subjects being insufficiently informed.
      • Failure to offer choice about data use when appropriate.
      • Breach of security by unauthorised access.
      • Harm to individuals if personal data is not up to date.
    This list is not exhaustive; more risks may arise in future and will be added to the list.

 

 

  2. Information Officer Responsibilities
    • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 1, and Chapter 5, Part B.
    • Information Officer Responsibilities. The Information Officer has the following responsibilities: Developing, publishing and maintaining a POPI Policy which addresses all relevant provisions of the POPI Act, including but not limited to the following:
      • Reviewing the POPI Act and periodic updates as published
      • Ensuring that POPI Act induction training takes place for all staff
      • Ensuring that periodic communication awareness on POPI Act responsibilities takes place
      • Ensuring that Privacy Notices for internal and external purposes are developed and published
      • Handling data subject access requests
      • Approving unusual or controversial disclosures of personal data
      • Approving contracts with Data Operators
      • Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of personal information
      • Ensuring that appropriate Security Safeguards in line with the POPI Act for personal information are in place
      • Handling all aspects of the relationship with the Regulator as foreseen in the POPI Act
      • Providing direction to any Deputy Information Officer if and when appointed
    • Appointment. Consideration will be given on an annual basis to the re-appointment or replacement of the Information Officer, or to the need for any Deputy to assist the Information Officer.

 

  3. Processing Limitation
    • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 2.
    • Processing Limitation. Profile Personnel undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, sections 9 to 12, subject to the following stipulation (Forms of Consent).
    • Forms of Consent. Profile Personnel undertakes to gain written consent where appropriate; alternatively, a recording must be kept of verbal consent.
    • Nature of Personal Information. Profile Personnel has identified all instances of personal information in the organisation. Each department head will be responsible for the enforcement of the Protection of Personal Information Act.

 

  4. Purpose Specification
    • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 3.
    • Purpose Specification. Profile Personnel undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, sections 13 and 14, subject to the following stipulation (Retention periods).
    • Retention Periods. Retention periods for the following categories of data will be 60 months:
      • Directors
      • Staff
      • Customers
      • Suppliers

 

  5. Further Processing Limitation
    • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 4.
    • Further Processing Limitation. Profile Personnel undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, section 15.

 

  6. Information Quality
    • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 5. Profile Personnel will comply with all of the aspects of Condition 5, section 16.
    • Accuracy. Profile Personnel will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
      • Data on any individual will be held in as few places as necessary, and all staff will be discouraged from establishing unnecessary additional data sets.
      • A quarterly paper audit will be conducted and any unnecessary documents will be destroyed using a shredder. Further to this, a shredding register will be implemented for all documents shredded.
      • Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
      • Staff who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
    • Updating. Profile Personnel will review all personal information on an annual basis in March of each year.
    • Archiving. Archived electronic records of Profile Personnel are stored securely off site.

 

  7. Openness
    • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 6.
    • Openness. In line with Conditions 6 and 8 of the Act, Profile Personnel is committed to ensuring that in principle Data Subjects are aware that their data is being processed and:
      • for what purpose it is being processed;
      • what types of disclosure are likely; and
      • how to exercise their rights in relation to the data.
    • Procedure. Data Subjects will generally be informed in the following ways:
      • Staff: through this policy.
      • Customers and other interested parties: through the Profile Personnel Privacy Notice.
      • Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

 

  8. Security Safeguards
    • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 7, sections 19 to 22. This section of the policy only addresses security issues relating to personal information. It does not cover security of the building, business continuity or any other aspect of security.
    • Specific Risks. Profile Personnel has identified the following risks:
      • Staff with access to personal information could misuse it.
      • Staff may be tricked into giving away information, either about customers / members or colleagues, especially over the phone.
    • Setting Security Levels. Access to information on the main Profile Personnel computer system will be controlled by function. Profile Personnel has used the POPI-Personal Information Diagnostic tool to identify security levels required for each record held which contains Personal Information.
    • Security Measures. Profile Personnel will ensure that all necessary controls are in place in terms of access to personal information.
    • Business Continuity. Profile Personnel will ensure that adequate steps are taken to provide business continuity in the event of an emergency.

     

    9. Data Subject Participation
      • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 8, sections 23 to 25.
      • Responsibility. Any subject access requests will be handled by the POPI Act Information Officer in terms of Condition 8.
      • Procedure for making request. Subject access requests must be in writing. All staff are required to pass on anything which might be a subject access request to the POPI Act Information Officer without delay. Requests for access to personal information will be handled in compliance with the POPI Act.
      • Provision for verifying identity. Where the individual making a subject access request is not personally known to the POPI Act Information Officer, their identity will be verified before handing over any information.

     

     10. Processing of Special Personal Information

    • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part B, sections 26 to 33.
    • Processing of Special Personal Information. Profile Personnel has the policy of adhering to the process of Special Personal Information which relates to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject. Special personal information includes criminal behaviour relating to alleged offences or proceedings dealing with alleged offences. Unless a general authorisation, alternatively a specific authorisation relating to the different types of special personal information applies, a responsible party is prohibited from processing special personal information.

     

    11. Processing of Special Personal Information
    • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 8.
    • Processing of Special Personal Information. Profile Personnel undertakes to comply with the POPI Act Chapter 8, sections 69 to 71.
    • Opting in. Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opportunity to opt in.
    • Electronic contact. Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.

     

    12. Direct Marketing, Directories and Automated Decision Making
      • Scope. The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 8.
      • Direct Marketing, Directories and Automated Decision Making. Profile Personnel undertakes to comply with the POPI Act Chapter 8, sections 69 to 71.
      • Opting in. Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opportunity to opt in.
      • Sharing lists. Profile Personnel has the policy of sharing lists (or carrying out joint or reciprocal mailings) only on an occasional and tightly-controlled basis. Details will only be used for any of these purposes where the Data Subject has been informed of this possibility, along with an option to opt out, and has not exercised this option. Profile Personnel undertakes to obtain external lists only where it can be guaranteed that the list is up to date and those on the list have been given an opportunity to opt out.
      • Electronic contact. Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.

    13. Staff Training & Acceptance of Responsibilities
      • Scope. The scope of this aspect of the policy is written in support of the provisions of the POPI Act, Chapter 5, Part B.
      • Documentation. Information for staff is contained in this policy document and other materials made available by the Information Officer.
      • Induction. The Profile Personnel Information Officer will ensure that all staff who have access to any kind of personal information will have their responsibilities outlined during their induction procedures.
      • Continuing Training. Profile Personnel will provide opportunities for staff to explore POPI Act issues through training, team meetings, and supervisions.
      • Procedure for staff signifying acceptance of policy. Profile Personnel will ensure that all staff sign acceptance of this policy once they have had a chance to understand the policy and their responsibilities in terms of the policy and the POPI Act.
