POPI Act Company Policy for: Organisation Development International (Pty) Ltd
Protection of Personal Information Privacy Policy
BACKGROUND
The right to privacy is an integral human right recognised and protected in the South African Constitution and in the Protection of Personal Information Act 4 of 2013 (“POPIA”). POPIA aims to promote the protection of privacy through providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive manner. Through the provision of quality goods and services, the organisation is necessarily involved in the collection, use and disclosure of certain aspects of the personal information of learners, clients, customers, employees and other stakeholders. A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions. Given the importance of privacy, the organisation is committed to effectively managing personal information in accordance with POPIA’s provisions.
INTRODUCTION
Personal information is any information that can be used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person (such as a company), including, but not limited to, information concerning:
- Race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;
- Information relating to the education or the medical, financial, criminal or employment history of the person;
- Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- The biometric information of the person;
- The personal opinions, views or preferences of the person;
- Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- The views or opinions of another individual about the person, and
- The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
PURPOSE
The purpose of this policy is to protect ODI from the compliance risks associated with the protection of personal information, which include:
- Breaches of confidentiality. For instance, ODI could suffer a loss in revenue where it is found that the personal information of learners has been shared or disclosed inappropriately.
- Reputational damage. For instance, ODI could suffer a decline in shareholder value following an adverse event such as the inappropriate sharing or disclosure of learners’ personal information.
This policy demonstrates ODI’s commitment to protecting the privacy rights of learners in the following manner:
- Through stating desired behaviour and directing compliance with the provisions of POPIA and best practice.
- By cultivating an organisational culture that recognises privacy as a valuable human right.
- By developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information.
- By creating business practices that will provide reasonable assurance that the rights of learners are protected and balanced with the legitimate business needs of ODI.
- By raising awareness through training and providing guidance to individuals who process personal information.
PERSONAL INFORMATION COLLECTED
Section 9 of POPI states that “Personal Information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.”
ODI has appointed an Information Officer, as well as a Deputy Information Officer, who will ensure that all personal details are protected at all times, and only used for the execution of our work with you.
ODI collects and processes learner and client personal information pertaining to the registration requirements of the QCTO/QAP/SETA, in order to register and issue the client with a certificate for qualifications and part qualifications.
The type of information will depend on the need for which it is collected and will be processed for that purpose only. Whenever possible, ODI will inform the learner or client as to the information required and the information deemed optional.
Examples of personal information we collect include, but are not limited to:
- Identity number/passport number (whichever is applicable);
- Name and surname;
- Contact details such as postal and physical address, contact numbers and email address;
- Employer details;
- Highest qualification and institution name;
- Marital status and number of dependents, and
- Race, gender and disability status.
ACCOUNTABILITY
Failing to comply with POPIA could potentially damage ODI’s reputation or expose the organisation to a civil claim for damages. The protection of personal information is therefore every employee’s responsibility. The organisation will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, ODI will take appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.
EMPLOYEES AND OTHER PERSONS ACTING ON BEHALF OF THE ORGANISATION
During the course of the performance of their services, ODI employees may gain access to and become acquainted with the personal information of learners, clients, suppliers and other employees. Employees and other persons acting on behalf of ODI are required to treat personal information as a confidential business asset and to respect the privacy of learners. Employees and other persons acting on behalf of the organisation may not directly or indirectly utilise, disclose or make public in any manner to any person or third party, either within the organisation or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties. Employees and other persons acting on behalf of the organisation must request assistance from their immediate manager or an ODI director if they are unsure about any aspect related to the protection of a data subject’s personal information.
Employees and other persons acting on behalf of the organisation will only process personal information where:
- The processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
- The processing complies with an obligation imposed by law on the responsible party;
- The processing protects a legitimate interest of the data subject, and
- The processing is necessary for pursuing the legitimate interests of the organisation or of a third party to whom the information is supplied such as the QCTO/QAP/SETA.
Furthermore, personal information will only be processed where the learner/client:
- Clearly understands why and for what purpose their personal information is being collected, and
- Has granted the organisation written or verbal consent to process their personal information.
Employees and other persons acting on behalf of the organisation will under no circumstances:
- Process or have access to personal information where such processing or access is not a requirement to perform their respective work-related tasks or duties;
- Save copies of personal information directly to their own private computers, laptops or other mobile devices such as tablets or smartphones. All personal information must be accessed and updated from the organisation’s computers, laptops, central database or a dedicated server;
- Share personal information informally. Where access to personal information is required, this may be requested from the immediate manager or an ODI director, and
- Transfer personal information outside of South Africa without the express permission from the learner/client.
Employees and other persons acting on behalf of the organisation are responsible for:
- Keeping all personal information that they come into contact with secure, by taking sensible precautions and following the guidelines outlined within this policy;
- Ensuring that personal information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created;
- Ensuring that personal information is encrypted prior to sending or sharing the information electronically. The IT Manager will assist employees and where required, other persons acting on behalf of the organisation, with the sending or sharing of personal information to or with authorised external persons;
- Ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store personal information are password protected and never left unattended. Passwords must be changed regularly and may not be shared with unauthorised persons;
- Ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks;
- Ensuring that where personal information is stored on removable storage media such as external drives, CDs or DVDs, these are kept locked away securely when not being used;
- Ensuring that where personal information is stored on paper, such hard copy records are kept in a secure place where unauthorised people cannot access them, for instance in a locked drawer or cupboard;
- Ensuring that where personal information has been printed out, the paper printouts are not left unattended where unauthorised individuals could see or copy them, for instance next to the printer;
- Taking reasonable steps to ensure that personal information is kept accurate and up to date, for instance by confirming a learner/client’s contact details when they phone or communicate via email. Where the information is found to be out of date, authorisation must first be obtained from the immediate manager or an ODI director to update the information accordingly;
- Taking reasonable steps to ensure that personal information is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected. Where personal information is no longer required, it will be destroyed or shredded, and
- Undergoing POPI Awareness training from time to time. Where an employee, or a person acting on behalf of the organisation, becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction or the unsanctioned disclosure of personal information, they must immediately report this event or suspicion to the immediate manager and a director of ODI.
POPI AUDIT
The ODI Quality Assurance Manager will schedule periodic POPI Audits.
The purpose of a POPI audit is to:
- Identify the processes used to collect, record, store, disseminate and destroy personal information;
- Determine the flow of personal information throughout the organisation;
- Redefine the purpose for gathering and processing personal information;
- Ensure that the processing parameters are still adequately limited;
- Ensure that new learners are made aware of the processing of their personal information;
- Re-establish the rationale for any further processing where information is received via a third party;
- Verify the quality and security of personal information;
- Monitor the extent of compliance with POPIA and this policy, and
- Monitor the effectiveness of internal controls established to manage the organisation’s POPI related compliance risk.
POPI COMPLAINTS PROCEDURE
Learners and clients have the right to complain in instances where any of their rights under POPIA have been infringed upon. ODI takes all complaints very seriously and will address all POPI related complaints in accordance with the following procedure:
- POPI complaints must be submitted to the organisation in writing. Where so required, the director will provide the learner/client with a complaint form;
- Where the complaint has been received by any person other than the director, that person will ensure that the full details of the complaint reach the ODI director within 5 working days;
- The director will provide the complainant with a written acknowledgement of receipt of the complaint within 5 working days;
- The director will carefully consider the complaint and address the complainant’s concerns in an amicable manner. In considering the complaint, the director will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA;
- The director must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on the organisation’s learners and clients, and
- Where the director has reason to believe that the personal information of learners has been accessed or acquired by an unauthorised person, the director will revert to the complainant with a proposed solution with the option of escalating the complaint to the training committee within 7 working days of receipt of the complaint. In all instances, the organisation will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines.
The director’s response to the data subject may comprise any of the following:
- A suggested remedy for the complaint;
- A dismissal of the complaint and the reasons as to why it was dismissed;
- An apology (if applicable) and any disciplinary action that has been taken against any employees involved;
- Where the learner/client is not satisfied with the director’s suggested remedies, the data subject has the right to complain to the Information Regulator.
The director will review the complaints process on a periodic basis to assess the effectiveness of the procedure and to improve the procedure where it is found wanting.
DISCIPLINARY PROCEDURES
Non-compliance with this policy will be documented in the employee’s performance review and may result in disciplinary action.
Where a POPI complaint or a POPI infringement investigation has been finalised, ODI may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy.
In the case of ignorance or minor negligence, the organisation will undertake to provide further awareness training to the employee.
Any gross negligence or the wilful mismanagement of personal information will be considered a serious form of misconduct for which the organisation may summarily dismiss the employee. Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence. Examples of immediate actions that may be taken subsequent to an investigation include:
- A recommendation to commence with disciplinary action.
- A referral to appropriate law enforcement agencies for criminal investigation.
- Recovery of funds and assets in order to limit any prejudice or damages caused.
PRIVACY POLICY FOR THE WEBSITE
Organisation Development International (ODI) is committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience. This Statement of Privacy applies to the ODI (www.odi.co.za) site, and governs data collection and usage. By using ODI’s site, you consent to the data practices described in this statement.
ODI has appointed an Information Officer, as well as a Deputy Information Officer, who will ensure that all personal details are protected at all times, and only used for the execution of our work with you.
Please note that all personal information collected via our social media and communication channels will be governed by the POPI Act.
Collection of Your Personal Information
Organisation Development International (ODI) collects personally identifiable information, such as your email address, name, home or work address, or telephone number. ODI also collects anonymous demographic information, which is not unique to you, such as your ZIP code, age, gender, preferences, interests and favourites.
There is also information about your computer hardware and software that is automatically collected by ODI. This information can include your IP address, browser type, domain names, access times, and referring website addresses. This information is used by ODI for the operation of the service to you, to maintain quality of the service, and to provide general statistics regarding use of the ODI site.
Please keep in mind that if you directly disclose personally identifiable information or personally sensitive data through ODI message boards, this information may be collected and used by others. Note: ODI does not read any of your private online communications. ODI encourages you to review the privacy statements of Websites you choose to link to from ODI, so that you can understand how those Websites collect, use and share your information.
ODI is not responsible for the privacy statements or other content on Websites outside of the ODI Websites.
Use of Your Personal Information
ODI collects and uses your personal information to operate the ODI Website, and to deliver the services you have requested. ODI also uses your personally identifiable information to inform you of other products or services available from ODI and its affiliates.
ODI may also contact you via surveys to conduct research about your opinion of current services, or of potential new services that may be offered. ODI does not sell, rent or lease its customer lists to third parties. ODI may, from time to time, contact you on behalf of external business partners about a particular offering that may be of interest to you. In those cases, your unique personally identifiable information (e-mail, name, address, telephone number) is not transferred to the third party. In addition, ODI may share data with trusted partners to help us perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information, except to provide these services to ODI, and they are required to maintain the confidentiality of your information.
ODI does not use or disclose sensitive personal information, such as race, religion, or political affiliations, without your explicit consent.
ODI keeps track of the Websites and pages our customers visit within ODI, in order to determine what ODI services are the most popular. This data is used to deliver customized content and advertising within ODI to customers whose behaviour indicates that they are interested in a particular subject area.
The ODI Website will disclose your personal information, without notice, only if required to do so by law, or in the good faith belief that such action is necessary.
Use of Cookies
The ODI Website uses “cookies” to help you personalize your online experience. A cookie is a text file that is placed on your hard disk by a Web page server. Cookies cannot be used to run programmes, or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.
One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page. For example, if you personalize ODI pages, or register with the ODI site or services, a cookie helps ODI to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as billing addresses, shipping addresses, and so on. When you return to the same ODI Website, the information you previously provided can be retrieved, so you can easily use the ODI features that you customized.
You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the ODI services or Websites you visit.
Security of Your Personal Information
ODI secures your personal information from unauthorized access, use or disclosure. ODI secures the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure. ODI does not collect or transmit sensitive information (such as a credit card number). When and where personal information (such as a phone number) is collected and transmitted, it is protected through the use of encryption, such as the Secure Sockets Layer (SSL) protocol.
Changes to This Statement
ODI will occasionally update this Privacy Policy to reflect company and customer feedback. ODI encourages you to periodically review this Privacy Policy to be informed of how ODI is protecting your information.
Contact Information
ODI welcomes your comments regarding this Statement of Privacy. If you believe that we have not adhered to this Statement, please contact ODI at www.odi.co.za.