Aquilla Wellness Solutions (Pty) LTD [AWS] Protection of Personal Information Policy (POPI)
Objective
The objective of this policy is to protect the information assets of Aquilla Wellness Solutions (Pty) Ltd [AWS] against threats, whether internal or external, intentional or accidental. This is necessary to ensure business continuity, curb losses and maximise business opportunities.
This policy sets the standard for suitable protection of personal information in AWS. It provides the principles regarding the right of individuals to privacy and the reasonable protection of personal information.
Scope
The policy applies to AWS, Associated Service Providers, their sole owners, key persons, representatives and other personnel in AWS. The sole owners, key personnel and management of AWS are ultimately responsible for proper control of information security.
AWS’s Information Control Officer
The responsibilities of the AWS Information Officer are as follows:
- the development and updating of this policy;
- ensuring that this policy is supported with applicable documentation and procedural instructions;
- assuring that documentation is relevant and kept up to date;
- communicating the content of the policy, and any subsequent updates, to the relevant managers, representatives, personnel and associates concerned.
The company, key personnel, representatives and personnel of AWS are obliged to comply with the provisions of this policy. Any deviation from or breach of this policy, or any incident that may indicate such a possibility, must be reported to the Information Officer.
External individuals involved in information technology under contract to AWS will be subject to the same information security policy as applies to AWS. A separate contract will have to be signed confirming commitment to the policy, and it will include an assurance that security measures are in place when personal information is processed.
Core Principles
The company, key personnel, representatives as well as personnel of AWS are committed to the following principles:
- AWS will always maintain and develop reasonable protective measures against risks such as loss, unauthorised access, destruction, use, alteration or disclosure of personal information.
- AWS will at all times comply with restrictions and other requirements applicable to the international transfer of information.
- AWS upholds the requirements of the POPI legislation and maintains an approach of transparency regarding the operational procedures that control the collection and processing of personal information.
- AWS is committed to complying with all applicable regulatory requirements related to the collection and processing of personal information.
- AWS undertakes to collect personal information legally and reasonably and to process the personal information obtained from clients only for the purpose for which it was obtained in the first place.
- Processing of personal information obtained from clients will not be undertaken in an insensitive or wrongful way that can intrude on the privacy of the client.
- AWS undertakes not to request or process information related to race, religion, medical situation, political preference, trade union membership, sexual certitude or criminal record. AWS will also not process information about juveniles.
- AWS will ensure that correct and sufficient information is on record of its clients. Non-relevant information will be removed. Only the latest information related to the training process will be recorded.
- Information will be directly obtained from the client.
- AWS also undertakes not to provide any documentation to a third party or service provider without the consent of the client, except where it is necessary for the proper execution of the service as expected by the client, in compliance with the education provided, or where documents are requested by institutions as prescribed by law. In such cases AWS will at all times ensure that the third party also complies with the stipulations and requirements of the POPI legislation.
- AWS is compelled to keep an effective record of personal information and undertakes not to keep information for a period longer than that prescribed by the relevant educational legislation. Information will be destroyed at the end of the prescribed period in such a way that it cannot be reconstructed.
- AWS will provide the necessary security for data and keep it in accordance with the prescribed legislation.
- Should information be lost, such that it is no longer under the control of AWS, this will immediately be brought to the attention of the client and the Regulator.
- In the event of data loss, the client will receive sufficient information to limit the possible risk that may result from the loss.
- Clients may at all times inquire about information kept and may also request the removal or destruction of information which is not relevant anymore.
- AWS will ensure that all service providers and other role-players involved comply with the expectations of the POPI legislation of 2013.
- The management of AWS gives the assurance that representatives and staff understand the requirements and expectations of the Act and comply with its content, and that training will take place on an ongoing basis.
- AWS's policy regarding private information will be updated continuously to comply with legislation, thereby ensuring that personal information remains secure.
Monitoring
The management as well as the Information Officer of AWS are responsible for the implementation, administration and supervision of this policy. This function includes the provision of supporting guidelines, standardised operational procedures, notices, applicable documents and processes.
The sole owner, key personnel, representatives and staff of AWS will be trained to be conversant with their functions regarding the regulatory requirements, policy and guidelines related to the protection and control of personal information. The Facilitators, Assessors and Moderators of AWS will undertake periodic revision and auditing to ensure compliance with the policy, guidelines and the application of the principle of privacy of information.
Operational controls
AWS will implement suitable operational controls to ensure the privacy of information in compliance with this policy and the regulatory requirements. These control measures will comprise:
- allocation of responsibilities for information security;
- incident reporting and management;
- user ID inclusion or removal;
- information security training and education;
- data backup.
Implementation
This policy is implemented by the Management and staff of AWS. All stakeholders, namely shareholders, directors, key personnel, representatives and staff of AWS assigned the duty of collecting and processing personal information, must comply with the requirements of the policy.
Non-compliance with this policy will lead to disciplinary action, such as a possible change of mandate or dismissal.
Last updated: 30 August 2020
Implementation Checklist
Companies can assess the amount of preparation needed to ready themselves for the implementation of the Protection of Personal Information Bill ("POPI") by considering the following minimum requirements:
- Audit the processes used to collect, record, store, disseminate and destroy personal information: in particular, companies must ensure the integrity and safekeeping of personal information in their possession or under their control. They must take steps to prevent the information being lost or damaged, or unlawfully accessed.
- Define the purpose of the information gathering and processing: personal information must be collected for a specific, explicitly defined and lawful purpose that is related to a function or activity of the company concerned.
- Limit the processing parameters: the processing must be lawful and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.
- Take steps to notify the 'data subject': the individual whose information is being processed has the right to know that this is being done and why. The data subject must be told the name and address of the company processing their information. He or she must also be informed as to whether the provision of the information is voluntary or mandatory.
- Check the rationale for any further processing: if the information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.
- Ensure information quality: the company processing the information must make sure the information is complete, accurate, up to date and not misleading.
- Notify the Information Protection Regulator: when the POPI is enacted and a Regulator established, organisations processing personal information will have to notify the Regulator about their actions.
- Accommodate data subject requests: the POPI allows data subjects to make certain requests, free of charge, to organisations holding their personal information. For instance, the data subject has the right to know the identity of all third parties that have had access to their information. A data subject can also ask for a record of the information concerned.
- Retain records for required periods: personal information must be destroyed, deleted or 'de-identified' as soon as the purpose for collecting the information has been achieved. However, a record of the information must be retained if an organisation has used it to make a decision about the data subject. The record must be kept for a period long enough for the data subject to request access to it.
- Cross-border data transfer: there are restrictions on the sending of personal information out of South Africa as well as on the transfer of personal information back into South Africa. The applicable restrictions will depend on the laws of the country to which the data is transferred or from which the data is returned, as the case may be.