PROTECTION OF PERSONAL INFORMATION POLICY
- Introduction
- Reris Insurance Brokers (“Reris”) is an authorised financial services provider.
The Protection of Personal Information Act, 4 of 2013 (“the POPI Act”), sets out eight conditions that require that the personal information (PI) of both individuals and juristic entities is sufficiently protected and is used in a manner that provides transparency around the following:
- What is done with the personal information;
- Why and how it is processed (i.e. this covers all phases of a typical information management lifecycle – from collection, to usage, sharing, disposal, archiving, etc.);
- Who the personal information is shared with (i.e. third parties, both locally and internationally, and other legal entities, sometimes within the same group or company, etc.); and
- What types of personal information are processed and for what purpose.
With the enactment of the POPI Act, RERIS is required to bring all of its policies and procedures in line with the letter, spirit and relevance of the POPI Act in order to:
- Promote the protection of personal information of our data subjects;
- Introduce certain conditions establishing minimum requirements for the processing of personal information;
- Provide for the rights of persons regarding unsolicited electronic communications and automated decision making; and
- Regulate the flow of personal information within our Group of Companies and across the borders of the Republic.
- The POPI Act requires RERIS to ensure that all personal information collected and processed is protected against unauthorised access and criminal activity such as fraud, identity theft, unauthorised advertising and unauthorised distribution.
The POPI Act applies to the processing of personal information:
- Entered in a record by or for a responsible party by making use of automated or non-automated means; and
Where RERIS is:
- Domiciled in the Republic; or
- Not domiciled in the Republic but makes use of automated or non-automated means in the Republic.
- Policy objectives
This policy aims to give effect to the eight information protection principles:
- Accountability – RERIS must ensure that the principles of the POPI Act are complied with. This includes assigning of responsibility to an individual or function to provide oversight on compliance with the principles of the policy.
- Processing Information – RERIS must process information in a fair and lawful manner, with the consent of persons or unless otherwise authorised by legislation.
- Definitions
- Data subject means a customer, employee and/or contractor whose personal information is collected and processed by RERIS.
- Operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
- Personal information means information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person (for example, a company), including, but not limited to:
- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- Information relating to the education or the medical, financial, criminal or employment history of the person;
- Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- The biometric information of the person;
- The personal opinions, views or preferences of the person;
- Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;
- The views or opinions of another individual about the person; and
- The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
- Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
- The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- Dissemination by means of transmission, distribution or making available in any other form; or
- Merging, linking, as well as restriction, degradation, erasure or destruction of information.
- Special personal information means:
- The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
The criminal behaviour of a data subject if that information relates to:
- The alleged commission by a data subject of any offence; or
- Any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
- Responsible party means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
- Exclusions
- This policy does not apply to the processing of personal information that has been de-identified to the extent that it cannot be re-identified again.
De-identified information is information that is not capable of being:
- Used or manipulated by a reasonably foreseeable method to identify the data subject; or
- Linked by a reasonably foreseeable method to other information that identifies the data subject.
- Data subjects’ rights
A data subject has the following rights:
The right to be informed that:
- Personal information is being collected; and
- Personal information has been accessed or obtained by an unauthorised person;
- The right to enquire whether RERIS holds personal information and to request access to that information as provided for in terms of paragraph 12.1 of this policy;
- The right to request the correction, destruction or deletion of personal information as provided for in terms of paragraph 12.1. of this policy;
A data subject may object at any time, to the processing of personal information:
- If the reason for such processing is in terms of paragraphs 6.2.1.4, 6.2.1.5 and 6.2.1.6 of this policy, on reasonable grounds relating to his or her particular situation, unless legislation provides for such processing; or
- For purposes of direct marketing by means of unsolicited electronic communications and related policies in subsidiaries;
- Once the data subject has objected in writing to the processing of personal information, RERIS may no longer process the personal information.
- The right not to be subject to a decision based solely on the automated processing of personal information that is intended to result in legal consequences for the data subject (for example, sending a bulk SMS requiring confirmation from our customers);
- The right to submit a complaint to the Regulator regarding the alleged interference with the protection of personal information;
- The right to institute civil proceedings regarding the alleged interference with the protection of personal information; and
- The right to withdraw consent. The data subject may withdraw his or her consent at any time, provided that the lawfulness of processing carried out before the withdrawal, or of processing that rests on another lawful ground listed in this policy, is not affected.
- Processing limitations
Conditions for lawful processing of personal information.
- RERIS may only use a data subject’s personal information for the purpose for which it was collected. Therefore, processing of personal information must only be done to the extent necessary and consented to by the data subject to achieve the purpose of the processing.
Consent, justification and objection.
Personal information may only be processed if:
- The data subject consents to the processing;
- Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party;
- Processing complies with an obligation imposed by law on RERIS;
- Processing protects a legitimate interest of the data subject;
- Processing is necessary for the proper performance of a public law duty by a public body; or
- Processing is necessary for pursuing the legitimate interests of RERIS or of a third party to whom the information is supplied.
- RERIS must be able to provide proof of the data subject’s consent to the Regulator upon request. For example, a completed and signed marketing options declaration form, a recording of the data subject’s consent over the telephone or an opt-in SMS received from the data subject.
Collection directly from data subject.
Personal information must be collected directly from the data subject unless:
- The information is contained in or derived from a public record or has deliberately been made public (for example unrestricted Social Media accounts) by the data subject;
- Collection of the information from another source would not prejudice a legitimate interest of the data subject;
- Collection of the information from another source is necessary:
- To comply with an obligation imposed by law;
- For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
- In the interests of national security.
- Compliance would prejudice a lawful purpose of the collection; or
- Compliance is not reasonably practicable in the circumstances of the particular case.
- Further processing limitation
Further processing of personal information must be in accordance with, or compatible with, the purpose for which it was collected. Further processing is regarded as compatible with that purpose if:
- The data subject has consented to the further processing of the information;
- The information is available in or derived from a public record or has deliberately been made public by the data subject;
Further processing is necessary:
- To avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences;
- To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue for the benefit of SARS;
- For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
- In the interests of national security.
- The information is used for historical, statistical or research purposes and RERIS ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form.
In order to assess whether further processing is compatible with the purpose of collection, RERIS must take account of:
- The relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
- The nature of the information concerned;
- The consequences of the intended further processing for the data subject;
- The manner in which the information has been collected; and
- Any contractual rights and obligations between the parties.
- Quality of information
- RERIS must take reasonable steps to ensure that personal information is complete, accurate and that it is updated regularly.
- Purpose specific
Collection for specific purpose.
- Personal information may only be collected for a specific, detailed, defined and lawful purpose which is related to a function or activity of RERIS.
- The data subject must be made aware of the purpose of the collection of the information.
Retention and restriction of records.
Subject to paragraphs 9.2.1.2 and 9.2.3, records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:
- Retention of the record is required or authorised in terms of any law (see the retention of records policy and accompanying schedules);
- Retention of the record is required by a contract between the parties thereto; or
- The data subject has consented to the retention of the record for an extended period of time.
- RERIS must properly destroy documentation and/or delete a record of personal information or de-identify it as soon as reasonably practicable after RERIS is no longer authorised to retain the record.
RERIS must restrict processing of personal information if:
- Its accuracy is contested by the data subject, for a period enabling RERIS to verify the accuracy of the information;
- RERIS no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof, in which case, such records may not be kept for longer than 5 years unless regulated by legislation;
- The data subject opposes its destruction or deletion and requests the restriction of its use instead; or
- The data subject requests to transmit the personal data into another automated processing system (for example change from email to SMS).
- Where processing of personal information is restricted pursuant to paragraph 9.2.3, RERIS must inform the data subject before lifting the restriction on processing.
- Openness
Notification to the data subject when collecting personal information.
If personal information is collected, RERIS must take steps to ensure that the data subject is aware of:
- The information being collected and where the information is not collected directly from the data subject, the source from which the information is collected;
- The name and address of RERIS;
- The purpose for which the information is being collected;
- Whether or not the supply of the information by that data subject is voluntary or mandatory;
- The consequences of failure to provide the information;
- Any particular law authorising or requiring the collection of the information;
- The fact that, where applicable, RERIS intends to transfer the information to a third country or international organisation, and the level of protection afforded to the information by that third country or international organisation;
- The data subject’s right to lodge a complaint to the Regulator and the contact details of the Regulator.
- The steps referred to above must be taken before the information is collected if the personal information is collected directly from the data subject.
- If RERIS has previously taken the above steps, it need not repeat them in relation to a subsequent collection of the same or similar information, provided that the purpose of collection has not changed.
It is not necessary for RERIS to comply with the requirements in paragraph 10.1.1 if:
- The data subject has provided consent for the non-compliance; or
- The information will not be used in a form in which the data subject may be identified.
- Security safeguard
Security measures on integrity and confidentiality of personal information.
RERIS must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
- Loss of, damage to or unauthorised destruction of personal information; and
- Unlawful access to or processing of personal information.
In order to give effect to paragraph 11.1.1, RERIS must take reasonable measures to:
- Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
- Establish and maintain appropriate safeguards against the risks identified;
- Regularly verify that the safeguards are effectively implemented; and
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
- RERIS must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
Third party operator obligations.
- An operator or anyone processing personal information on behalf of RERIS, must process such information in accordance with the related contract’s management policy and the guidelines on outsourcing agreements and other related subsidiary policies.
Process of notification of security compromises.
- Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the operator must notify RERIS immediately, and in any event within 24 hours, of the suspected unauthorised access.
RERIS must notify:
- The Regulator; and
- The data subject, unless the identity of such data subject cannot be established.
The above notification must be in writing and communicated to the data subject in at least one of the following ways:
- Mailed to the data subject’s last known physical or postal address;
- Sent by e-mail to the data subject’s last known e-mail address;
- Placed in a prominent position on RERIS’s website;
- Published in the news media; or
- As may be directed by the Regulator.
The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the suspected unauthorised access, including:
- A description of the possible consequences of the security compromise;
- A description of the measures that RERIS intends to take or has taken to address the security compromise;
- A recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
- If known to RERIS, the identity of the unauthorised person who may have accessed or acquired the personal information.
- RERIS may delay notification of the data subject only if the South African Police Service (SAPS), the Regulator or another regulator determines that notification would impede a criminal investigation by that body.
- Data subject requests
Request for access to personal information.
- A data subject may request access to his/her personal information held by RERIS by completing the Access to Information Request Form available on the RERIS external website and providing adequate identification.
The data subject has the right to request RERIS:
- To confirm, free of charge, whether or not RERIS holds personal information about the data subject; and
To furnish him/her with the record or a description of the data subject’s personal information held by RERIS, including information about the identity of all third parties who have, or have had, access to the information:
- Within a reasonable time (no longer than 30 days);
- In a reasonable manner and format; and
- In a format that is understandable.
- RERIS may, or in certain cases must, refuse to disclose information requested where a legal ground for refusal applies.
- If a request for access to personal information is made to RERIS and part of that information may or must be refused in terms of paragraph 12.1.3, every other part must be disclosed.
Correction of personal information.
A data subject may request RERIS:
To correct or delete personal information about the data subject in its possession that is:
- Inaccurate,
- Irrelevant,
- Excessive,
- Out of date,
- Incomplete,
- Misleading or
- Obtained unlawfully; or
- To destroy or delete a record of personal information about the data subject that RERIS is no longer authorised to retain.
On receipt of a request, RERIS must, within 30 days:
- Correct the information;
- Destroy or delete the information;
- Provide the data subject, to his or her satisfaction, with credible evidence in support of the information; or
- Where agreement cannot be reached between RERIS and the data subject, and if the data subject so requests, take such reasonable steps as are necessary to attach a notice to the data subject’s information recording that a correction of the information has been requested but has not been made.
- If RERIS has attached a notice referred to under paragraph 12.2.2 and that notice results in a change to the information and the changed information has an impact on decisions that have been or will be taken in respect of the data subject in question, RERIS must inform each person or body to whom the personal information has been disclosed of that notice.
- RERIS must notify a data subject, who has made a request in terms of paragraph 12.2.1, of the action taken as a result of the request.
- Processing of special personal information
Prohibition on processing of special personal information.
Unless the provisions of paragraph 13.2 are complied with, RERIS may not process personal information concerning:
- The religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
The criminal behaviour of a data subject if such information relates to:
- The alleged commission by a data subject of any offence; or
- Any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
General authorisation concerning special personal information.
The prohibition on processing personal information, specified in paragraph 13.1 of this policy, does not apply if the:
- Processing is carried out with the consent of a data subject;
- Processing is necessary for the establishment, exercise or defence of a right or obligation in law;
- Information has deliberately been made public by the data subject (for example, unrestricted Social Media); or
- Provisions of paragraph 13.3 of this policy are, as the case may be, complied with.
Authorisation of data subject’s special personal information concerning:
Religious or philosophical beliefs.
- RERIS may not process this personal information as only spiritual or religious organisations to which the data subject belongs are permitted to process such personal information.
- RERIS may not supply this personal information to third parties without the consent of the data subject.
Race or ethnic origin.
Processing may only be done to:
- Identify data subjects and only when this is essential for that purpose; and
- Comply with laws and other measures designed to protect or advance persons, or categories of persons, disadvantaged by unfair discrimination (for example compliance with the Employment Equity Act).
Trade union membership.
- Processing may only be done if a data subject’s personal information relating to his or her membership or affiliation with a trade union or the trade union federation to which that trade union belongs is necessary to achieve the aims of the trade union or trade union federation.
- In the cases referred to under 13.3.3.1, no personal information may be supplied to third parties without the consent of the data subject.
Political persuasion.
- RERIS may not process a data subject’s personal information relating to his, her or its political persuasion.
Health or sex life.
RERIS may not process a data subject’s personal information relating to his or her health or sex life unless processing is done by:
- Insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for: assessing the risk to be insured by the insurance company or covered by the medical scheme, provided the data subject has not objected to the processing; the performance of an insurance or medical scheme agreement; or the enforcement of any contractual rights and obligations; or
- Administrative bodies, pension and provident funds, employers or institutions working for them, if such processing is necessary for the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject; or the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity.
- In the cases referred to under paragraph 13.3.5.2, the information may only be processed by RERIS and other responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between RERIS and the data subject.
- In processing personal information relating to the health or sex life of a data subject, RERIS must at all times treat such personal information with confidentiality, unless RERIS is required by law or in connection with its duties to communicate the information to other parties who are authorised to process such information.
Criminal behaviour or biometric information.
- The processing must be carried out by the SAPS, prosecutors and courts of law or by responsible parties who have obtained that information in accordance with the law (for example, attorneys).
- The processing of information concerning personnel in the service of RERIS must take place in accordance with the rules established in compliance with labour legislation.
- Processing of personal information of children
A child is a person who is under the age of eighteen (18) years.
- RERIS may not process personal information concerning a child without the prior consent of the child’s parent or legal guardian.
- RERIS may not, under any circumstances, collect or process personal information concerning a child for direct marketing purposes.
- Rights of data subjects regarding direct marketing
Direct marketing by means of unsolicited electronic communications.
RERIS may not process personal information of a data subject (customer/lead) for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail, unless the following conditions are met:
In the case of a customer:
- The customer has given his or her explicit consent to receive direct marketing and the customer’s consent is obtained when the personal information is collected during the conclusion of the sale;
- The customer’s consent must be requested in the prescribed manner and form;
- The content of the direct marketing is limited to similar goods/services sold by RERIS; and
- The customer must be given a reasonable opportunity to object to receipt of direct marketing both when the data was first collected (during the sale) and on each occasion when direct marketing is made to the customer.
In the case of a lead/prospective customer:
- RERIS must first get the lead’s contact details to approach the lead for consent. Unless these contact details were in the public domain, such as a telephone directory, merely obtaining the contact details (for example through a company that sells data lists) could be an infringement of the POPI Act.
- A lead who has not withheld consent may be approached only once in order to request the consent of that lead/prospective customer.
- The lead must be given a reasonable opportunity to object to receipt of direct marketing.
- In the event that the lead gives his/her consent to receive direct marketing, then the lead must be given a reasonable opportunity to object to receipt of direct marketing on each occasion when direct marketing is made to the lead.
Any communication for the purpose of direct marketing must contain:
- Details of the identity of the sender or the person on whose behalf the communication has been sent; and
- An address or other contact details to which the customer may send a request to stop receiving such communication.
- Transborder information flows
Transfers of personal information outside the Republic of South Africa.
RERIS may not transfer personal information about a data subject to a third party who is in a foreign country unless:
- That third party is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection;
- The data subject consents to the transfer;
- The transfer is necessary for the performance of a contract between the data subject and RERIS; or
The transfer is for the benefit of the data subject, and
- It is not practical to obtain the consent of the data subject to that transfer; and
- If it were reasonably practical to obtain such consent, the data subject would be likely to give it.
- Administrative fines
Administrative fines.
- If RERIS is alleged to have committed an offence in terms of the POPI Act, the Regulator may deliver, by hand, to RERIS an infringement notice. This notice must immediately be forwarded to the Information Protection Officer.
- The Information Protection Officer must, within 30 days of receipt of the infringement notice by RERIS, respond to the Regulator as required in terms of the infringement notice.
- Offences and penalties
RERIS shall be guilty of an offence if:
- It fails to comply with an enforcement notice;
In purported compliance with an information notice served by the Regulator, it:
- Makes a statement knowing it to be false; or
- Recklessly makes a statement which is false, in a material respect.
Any person (employee) is guilty of an offence if:
- He/she knowingly or recklessly, without the consent of RERIS, obtains or discloses or offers to sell personal information of a data subject such as account number, ID, bank statements and address details.
-
RERIS shall be guilty of an offence if:
-
-
Penalties.
- The maximum penalty for a person (including RERIS) who is found guilty of an offence in terms of the POPI Act is a fine of up to R10 million or imprisonment for a period of up to 10 years, or both.
-
Penalties.
- Authority and mandate
- The Protection of Personal Information Policy is approved by way of a resolution of RERIS’ directors. Management is responsible for adherence to and implementation of this Protection of Personal Information Policy.