POPIA Policy

POLICY

Privacy and Protection of Personal Information

for

Integrity Software (Pty) Ltd and its subsidiaries and trading divisions

(hereinafter referred to as Integrity Software)

CONTENT
1. Introduction
2. Purpose and Scope
3. Definitions
4. Lawful Processing of Information
5. Rights of Data Subjects
6. Accountability
7. Processing Limitation
8. Purpose Specification
9. Further Processing
10. Information Quality
11. Openness
12. Security Safeguards
13. Disclosure of Information
14. Data Subject Participation
15. Breach of Policy
16. Policy Maintenance
Annexure A: Rights of Data Subjects
Annexure B: Form 2

 

  1. Introduction
  • Integrity Software is a software company, specialising in dynamic insurance management solutions. Integrity Software enters into data transactions which may include the processing, use, disclosure and collection of Personal Information about its employees, clients, customers, partners and members of the public. It is obligated to comply with POPI.
  • Integrity Software is committed to processing data, and specifically Personal Information, in an open, transparent and responsive manner.
  2. Purpose and Scope
    • This Policy applies to Integrity Software, all of its subsidiaries, affiliates, business partners, trade divisions and employees, including Operators.
    • The purpose of this Policy is to demonstrate Integrity Software’s commitment to safeguarding the Personal Information of all persons, including juristic persons, with whom it interacts and to ensure that Integrity Software and its employees comply with the requirements imposed by POPI.
    • In particular, the purpose is to establish an institution wide policy that will provide direction with respect to the manner of compliance, give effect to the right of privacy and at the same time, balance the right to privacy against other rights such as the right of access to information, the right to protect important interests such as the free flow of information, regulate the manner in which Personal Information may be processed and establish measures to ensure respect for, and to promote, enforce and fulfil the rights protected.
    • The Policy sets out the objectives and directives on applicable protocols within Integrity Software to maintain and uphold the legal requirements and conditions as set out in Chapter 3 of POPI, including the safeguards pertaining to information transactions and specifically when processing Personal Information. Integrity Software has aligned and developed its data protection strategies with its statutory obligation to effectively implement the reasonable and necessary technical, structural and organisational measures and operational controls in accordance with the relevant national data legislation and internationally recognised information and communication technology (ICT) standards and recommendations.
    • Integrity Software is resolute in processing data in an open, lawful and transparent way. This Policy sets out the processes and procedures to align Integrity Software’s business strategy and the applicable national legislation, i.e. POPI, in terms of processing Personal Information when it is collected, stored, used, disclosed and destroyed.
    • Integrity Software will only Process data for the clear, precise and specific purpose for which it is collected from the Data Subject.
    • The Policy has application to all stakeholders. It applies to all employees, service providers and administrators and any person handling Personal Information of customers, suppliers and employees of Integrity Software.
    • The Policy has application to all information transactions where data is processed, including but not limited to data being exchanged and/or transmitted and which may constitute and/or include Personal Information.
    • Parties to an information transaction must therefore understand and comply with this Policy. In the event that a party to such a transaction does not understand any part of this Policy, or has any questions regarding data compliance protocols, that party must approach the Information Officer of Integrity Software.
    • Data and Personal Information shall only be collected from Data Subjects who have business dealings with Integrity Software for, inter alia, administrative needs, conducting of business operations, and for legislative data compliance and risk analysis.
  3. Definitions

In this Policy:

  • “Consent” means any voluntary, specific and informed expression agreeing to the processing of Personal Information;
  • “Data Subject” means the person to whom the Personal Information relates and in relation to Integrity Software, Data Subject would include employees, customers and their clients, service providers and administrators and any other individual with whom Integrity Software may interact, from time to time, whether or not such person is a natural person or a juristic person;
  • “De-identify”, in relation to Personal Information of a Data Subject, means to delete information that:
    • identifies the Data Subject;
    • can be used or manipulated by a reasonably foreseeable method to identify the Data Subject; or
    • can be linked by a reasonably foreseeable method to other information that identifies a Data Subject,

and “De-identified” has a corresponding meaning;

  • “Information Officer” in accordance with section 1 of PAIA means, in respect of Integrity Software:
    • the chief executive officer or equivalent officer of Integrity Software or any person duly authorised by that officer; or
    • the person who is acting as such or any person duly authorised by such acting person;
  • “Integrity Software” means Integrity Software (Pty) Ltd, registration number 2021/872826/07, and includes any and all of Integrity Software’s affiliates, business partners, Operators, subsidiaries and trading divisions;
  • “Operator” means a person who processes Personal Information for or on behalf of Integrity Software in terms of a contract or mandate, without coming under the direct authority of Integrity Software;
  • “PAIA” means the Promotion of Access to Information Act;
  • “Personal Information” means information that could be used to identify a Data Subject and includes:
    • race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language;
    • education, medical history, financial history, criminal history, employment history;
    • any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to a person (such as postal address);
    • biometric information, including physical, psychological or behavioural characterisation including blood typing, finger printing, DNA analysis, retinal scanning and voice recognition;
    • opinions, views, preferences of the Data Subject and opinions or views of another person about the Data Subject;
    • correspondence; and
    • a name;
  • “Policy” means this Data Privacy Policy;
  • “POPI” means the Protection of Personal Information Act, 4 of 2013;
  • “Processing”, as it relates to processing of Personal Information, means any operation or activity, whether or not by automatic means, including:
    • collecting, receipt, recording, organising, collating, storage, updating, modification, retrieval, alteration, consultation or use;
    • dissemination by means of transmission, distribution, or making available in any form;
    • merging, linking, degrading, erasure or destruction;

and “Process” shall have the corresponding meaning;

  • “Record” means any recorded Personal Information, regardless of its form or medium, including any writing, electronic information, label, marking, image, film, map, graph, drawing, tape and that is in the possession, or under control, of a Responsible Party, irrespective of whether it has been created by the Responsible Party or not and regardless when it came into existence;
  • “Regulator” means the information regulator established in terms of section 39 of POPI;
  • “Responsible Party” means Integrity Software, or an Operator, who engages in the act of Processing Personal Information;
  • “Software” means the program known as “The Integrity System”, which is a customer relations management system developed by Integrity Software for data processing by short-term insurance brokers;
  • “Special Personal Information” means personal information concerning:
    • the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a Data Subject; or
    • the criminal behaviour of a Data Subject to the extent that such information relates to:
      • the alleged commission by a Data Subject of any offence; or
      • any proceedings in respect of any offence allegedly committed by a Data Subject or the disposal of such proceedings; and
  • “Unique Identifier” means any identifier that is assigned to a Data Subject and is used by Integrity Software for the purposes of its operations and which uniquely identifies the Data Subject in relation to Integrity Software.
  4. Lawful Processing of Information
    • Integrity Software collects and receives information from a number of sources, including the following:
      • directly from the Data Subject;
      • from Integrity Software’s clients, being predominantly insurance brokers;
      • during the course of Integrity Software’s interactions with the Data Subject, including when the Data Subject interacts with the Software and provides Integrity Software with its clients’ personal information;
      • when the Data Subject visits and/or interacts with Integrity Software’s website(s) or any other social media platforms or IT services;
      • from publicly available sources; and
      • from a third party who is authorised to share that information.
    • Personal Information may also be generated in the course and scope of Integrity Software’s operational activities and in the fulfilment of obligations and duties as specified in contracts with its customers, service providers, business partners and if applicable, any other party, including Operators, to an information transaction where Personal Information is being transferred. Integrity Software’s processing protocols are aligned with the conditions set out in Chapter 3 of POPI.
    • Integrity Software may Process the Personal Information for, inter alia, the following purposes:
      • to resolve any issues a customer may experience when using software developed by Integrity Software;
      • to verify the Data Subject’s identity;
      • to assess, enter into and/or perform a contract with the Data Subject, including for the purpose of resolving any issues relating to the Software;
      • for training and assessment purposes;
      • for audit and record-keeping purposes;
      • to confirm the Data Subject’s credit worthiness and suitability as a customer or supplier;
      • to comply with legal, regulatory and/or contractual obligations;
      • to undertake security and monitoring measures;
      • to provide advertising, marketing and media services to the Data Subject;
      • to defend any legal claims in connection with the Data Subject’s contract with Integrity Software or for Integrity Software to establish, bring or pursue a claim against the Data Subject; or
    • Where it is lawful and practicable for Integrity Software to allow it, the Data Subject has the right not to identify himself when dealing with Integrity Software. However, if the Data Subject does not provide Integrity Software with his/her Personal Information, it may impact Integrity Software’s ability to engage with the Data Subject and/or provide services to the Data Subject.
    • Chapter 3 of POPI stipulates 8 (eight) provisions for the lawful Processing of information namely accountability, processing limitation, purpose specification, further processing, information quality, openness, security safeguards and Data Subject participation.
    • Any employee, service provider or administrator must ensure that:
      • all Personal Information of employees, service providers and stakeholders is Processed in accordance with the 8 (eight) standards for the lawful Processing of information; and
      • no Special Personal Information or Personal Information concerning a child is Processed unless the express prior consent of a competent person is first obtained. In the event that either of these categories of information is required to be Processed and it is not possible to first obtain prior written consent, the matter shall be referred to the Information Officer for direction.
    • Failure to adhere to these provisions may result in disciplinary or other action being taken.
    • In the course of information transactions, certain information may be collected by Integrity Software which may be held and labelled as Special Personal Information. Special Personal Information will only be collected where necessary for the purpose for which it is being collected and with the Data Subject’s Consent, unless such collection is demanded and/or authorised by law.
  5. Rights of Data Subjects
    • Integrity Software respects a Data Subject’s right to have his or her or its Personal Information Processed lawfully.
    • Data Subjects have the right:
      • to be notified that Personal Information about him, her or it is being collected or that his, her or its Personal Information has been accessed or acquired by an authorised person;
      • to establish whether Integrity Software holds Personal Information of that Data Subject and to request access thereto;
      • to request, where necessary, the correction, destruction or deletion of his, her or its Personal Information;
      • to object, on reasonable grounds relating to his, her or its particular situation to the Processing of his, her or its Personal Information;
      • to object to the Processing of his, her or its Personal Information at any time for the purposes of direct marketing;
      • not to be subject, under certain circumstances, to a decision which is based solely on automated Processing of his, her or its Personal Information intended to provide a profile of such a person;
      • to submit a complaint to the Regulator regarding the alleged interference with the protection of his, her or its Personal Information; and
      • to institute civil proceedings regarding the alleged interference with the protection of his, her or its Personal Information.
    • To the extent that the legal basis for Integrity Software to process a Data Subject’s Personal Information is informed consent, the Data Subject has the right to withdraw such consent at any time. If the Data Subject’s consent is required for further transactions, then such a request must be clear, concise and specific to the use of the service or product for which it is provided.
    • Consent, whenever it is obtained, should cover all Processing activities carried out for a specific purpose or purposes. When the Processing has multiple purposes, Consent should be given for each such purpose.
    • Withdrawal of Consent will not affect the lawfulness of Processing which occurred prior to such withdrawal.
    • All Data Subjects participating in information transactions with Integrity Software are entitled to exercise any of their rights by clear, concise communication by email to the Information Officer.
    • Data Subjects furthermore have the right to object to Processing of their Personal Information for scientific or historical research purposes or statistical purposes on grounds relating to such Data Subject’s situation or circumstances, unless the Processing is necessary for the performance of a task which is carried out for reasons of public interest.
  6. Accountability
    • Integrity Software holds ultimate responsibility to ensure that the provisions of POPI are complied with for the collection, retention, dissemination and use of the Personal Information.
    • This places substantial and ultimate accountability on Integrity Software, employees, service providers and administrators to ensure that Personal Information is processed in a lawful manner.
    • Integrity Software remains responsible for the Processing of information regardless of whether or not the information is passed on to a third party (such as an administrator); provided that agreements must be concluded with those third parties in terms of which they agree to be bound by and comply with the requirements of this Policy and of POPI. Notwithstanding this, Integrity Software’s website may contain links to other websites. Integrity Software will not be held liable for the privacy controls of third-party websites. Data Subjects may be associated with a unique identifier, which may leave traces which, when combined with other information received by the third-party websites, could be used to create profiles of the Data Subjects and identify them.
    • In order to ensure that the provisions of POPI are adhered to by employees, service providers and Operators, Integrity Software will appoint an Information Officer, and register the Information Officer with the Regulator.
    • A substantial amount of Personal Information is in electronic form. Employees, service providers and administrators of Integrity Software are responsible for information technology and providing the tools to manage and safeguard information.
    • Employees, managers, supervisors, service providers and administrators are accountable to Integrity Software to report any breaches in data security and to ensure that any risks of breaches are identified and reported.
  7. Processing Limitation
    • The Personal Information must be processed lawfully and in a reasonable manner, which does not infringe the privacy of the Data Subject.
    • The notion of reasonableness incorporates the requirements of balance and proportionality. Employees, service providers and administrators must therefore take into account the interests and reasonable expectations of Data Subjects as well as all of the provisions which are incorporated in these conditions.
    • The Processing must be adequate, relevant and not excessive given the purpose for which it is processed.
    • Subject to the provisions of section 11(1) of POPI, the Data Subject must consent to the processing of the Personal Information. The consent must be voluntary and clear; however, it does not have to be in writing. Employees, service providers and administrators must ensure that the Data Subject has provided consent when they request Personal Information.
    • The Data Subject may at any time withdraw consent, on reasonable grounds, to the processing of its Personal Information. If a Data Subject withdraws consent, the Personal Information must be deleted or De-identified so that it will no longer be associated with that Data Subject.
    • The Processing must be necessary to carry out the actions for the conclusion or performance of a contract to which the Data Subject is a party.
    • The Processing must protect a legitimate interest of the Data Subject, and the Processing must be necessary for pursuing the legitimate interest of Integrity Software.
    • The Personal Information must be collected directly from the Data Subject, except if:
      • the Personal Information is a matter of public record;
      • the Data Subject has consented to the collection of the Personal Information from another source;
      • the collection of the Personal Information from another source would not prejudice a legitimate interest of the Data Subject;
      • the collection of the Personal Information is necessary by law;
      • compliance would prejudice a lawful purpose of the collection; or
      • compliance is not reasonably practicable in the circumstances.
  8. Purpose Specification
    • The collection of the Personal Information must be for a specific expressly defined purpose, such as for Processing a potential employee or customer’s application, and further examples of which are recorded in clause 3 above.
    • The purpose of the collection and Processing of Personal Information influences every aspect of the processing of the information, the manner of its collection, periods of retention, further processing, disclosure to third parties and any further issues which may apply.
    • While Integrity Software will have a duty to notify the Regulator of its purposes and functions, the factor determining the purpose for the collection of Personal Information will always be the specified purpose communicated to the Data Subject.
    • The Data Subject must be made aware of the purpose. This enables the Data Subject to make an informed decision as to whether the Personal Information should be made available to the Responsible Party. The purpose for the collection of the Personal Information should be explained to the Data Subject, either telephonically or by the relevant inclusion in the customer application form and/or trading terms and conditions. Examples of the purposes for which Personal Information is obtained are recorded in clause 3 above.
    • Records of Personal Information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or Processed. Integrity Software will determine, with regard to the circumstances surrounding the collection of the Personal Information, the length of time personal records are to be kept for and implement procedures in order to ensure that records are destroyed or De-identified when no longer required.
    • The Data Subject must consent in the event that the Personal Information is kept for a period which is longer than necessary for achieving the purpose for which the information was collected. This can be done by way of a contractual arrangement such as provision to this effect in the customer application form and/or trading terms and conditions.
    • Where Personal Information is disclosed to Operators as referred to in clauses 3 and 13.4 below, such disclosure will only be insofar as is reasonably necessary for the maintenance and completion of business and operational functions.
    • Integrity Software will ensure that its Vendor Application Process document and Customer Contracts are in compliance with the contents of this Policy and the relevant data legislation.
  9. Further Processing
    • Any further processing of the Personal Information must be compatible with the purpose for which the Personal Information was initially collected.
    • For example, if Integrity Software collects Personal Information for the purposes of providing services to a customer, the information cannot be Processed further for the purpose of profiling and marketing products to that customer. The only exception to this is if the Data Subject consents to such use.
    • To assist in determining whether further Processing is compatible with the initial purpose of collection, the employee, service provider or administrator must take account of:
      • the relationship between the purpose for which the Personal Information was originally collected and the intended purpose of any further Processing;
      • the nature of the Personal Information concerned;
      • the consequences of further processing;
      • the manner in which the Personal Information was collected; and
      • contractual rights and obligations between the parties.
    • Personal Information may be Processed by Integrity Software where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for such Processing is the Responsible Party’s legitimate interest in the protection and assertion of the Responsible Party’s rights, a Data Subject’s rights and the legitimate interest(s) of any other person(s).
    • Personal Information may be Processed by Integrity Software where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for such Processing is the legitimate interest of Integrity Software in diligently protecting its business from risk.
    • Financial transactions relating to the Integrity Software websites and services may be handled by its payment service providers such as recognised financial institutions. Integrity Software will share transaction data with such service providers only to the extent necessary for the purposes of processing payments, refunding of payments, and dealing with complaints and queries relating to payments and refunds.
  10. Information Quality
    • The employee, service provider or administrator responsible for the Processing of the Personal Information must take reasonable steps to ensure that the Personal Information remains complete, is accurate, is not misleading and is updated where necessary.
    • In essence, this condition requires that appropriate Personal Information security measures safeguarding the integrity of the Personal Information be employed.
  11. Openness
    • The Personal Information must be Processed in a transparent and fair manner.
    • The Data Subject must be provided with information which allows the Data Subject to be aware that Personal Information is being collected, the identity of the Responsible Party, the purpose for the collection of the information and whether the supply of the information by the Data Subject is voluntary or mandatory.
    • Further, the party responsible for the Processing of the information, whether it be the employee, service provider, Operator or administrator, must maintain all documentation of the Processing operations.
  12. Security Safeguards
    • Integrity Software, as well as all Responsible Parties, undertake to ensure that the appropriate controls are in place to ensure that confidential, internal and Personal Information is disclosed only to those who are authorised and who have a legitimate business related need for such access.
    • Integrity Software will take all reasonable steps to establish and maintain sufficient security controls, technological and organisational, to ensure that all Personal Information which is Processed by Integrity Software is protected against unauthorised alteration, destruction and/or access that may change the integrity of the Personal Information and that it is backed up and stored in a format which is readily accessible by Integrity Software.
      • The backup solution utilised by Integrity Software is designed and based on the principles of lawful Processing and retention policies as set out in the relevant data legislation.
      • The IT Backup Policy and Privileged Account Management Policy set out the processes and procedures for authorised access to information. These policies are in compliance with the relevant data legislation and adherence thereto will be strictly enforced.
      • Integrity Software furthermore has made provision for procedures and responses in the event of data breach incidents in its IT Disaster Policy.
    • The party responsible for the Processing of the Personal Information, if not Integrity Software (but an Operator), must ensure that the integrity of the Personal Information remains secure against loss, destruction or unlawful access.
    • Any service provider, administrator or third-party Processing Personal Information for Integrity Software, must do so only with the knowledge and express authorisation of Integrity Software and must treat the Personal Information as strictly confidential.
    • Employees, managers, supervisors, service providers and administrators have a duty to ensure that Personal Information is not mislaid or inadvertently disclosed by, for example, leaving it displayed on a computer screen or leaving printouts at the printer.
    • Any Personal Information which is Processed or accessed outside the office premises of Integrity Software must be encrypted to guard against theft.
    • Where Personal Information is to be moved to another country in order for business activities to be conducted, the interested and/or authorised parties must consult with their departmental manager, the Data Subject(s) concerned, as well as the Information Officer in order to ensure compliance with POPI and any further applicable legislation, with particular reference to Consent and jurisdictional complications.
    • Should Integrity Software receive unsolicited Personal Information, it will assess whether it is Personal Information which it is entitled or authorised to collect and Process. If the Personal Information is that which Integrity Software is authorised to collect and Process, it will treat this Personal Information in accordance with the principles set out in this Policy. If the Personal Information is not capable of being collected and Processed by Integrity Software, it shall destroy or De-Identify the Personal Information as soon as is practicable.
    • Integrity Software’s automated information technology back-up solution is designed and implemented in accordance with accepted and effective security standards and controls and daily monitoring alerts. In the event of data which is no longer to be retained, and when lawfully able to do so, it will be destroyed and De-Identified as soon as practicably possible and/or upon specific request by completion of the requisite Form 2, a copy of which is attached to this Policy as Annexure D.
    • All hard copies of documents must be shredded once the documents are no longer required.
    • Once the Personal Information is no longer required or no longer authorised, the records must be destroyed, deleted or De-identified. Records may be kept longer for historical, statistical or research purposes and the appropriate safeguards must be implemented against the use of the records for any other purposes, provided that the consent of the Data Subject is obtained.
  13. Disclosure of Information
    • The Responsible Parties shall make all reasonable efforts to ensure that the parties to information transactions agree on non-disclosure provisions and consent to transactions which are within the scope of his/her/its specific mandate.
    • Integrity Software will not use or disclose Personal Information for purposes other than the purpose for which it was collected (the “Primary Purpose”) unless:
      • the Data Subject has consented to the use or disclosure;
      • the secondary use or disclosure is related to the Primary Purpose, in the case of Personal Information which is not Special Personal Information, or is directly related to the Primary Purpose, in the case of Personal Information which is Special Personal Information; or
      • it is otherwise required or authorised by or under law or a court/tribunal order.
    • It may at times be necessary for Integrity Software to disclose Personal Information to third parties, including Operators and/or service providers and as may be permitted or required by law. Where this is the case, Integrity Software will enter into a written agreement with the Responsible Party and/or third party.
    • An agreement such as that referred to in clause 3 must contain an assurance from the Operator or service provider, as the case may be, that such Operator or service provider will, at a minimum, subscribe, match and adhere to the same prescriptions and restrictions pertaining to the processing of Personal Information as is required by the relevant data legislation and this Policy, and that it has adequate or equivalent infrastructure and organisational measures in place which are in accordance with accepted industry standards, and that it will Process Personal Information in strict accordance with an issued mandate and specified instructions from Integrity Software only.
    • Integrity Software reserves the right to disclose Personal Information to any member of the group of companies which comprises Integrity Software, together with all of its subsidiaries, partners and affiliates.
    • If the recipient of Personal Information is not Integrity Software (including its related entities, subsidiaries and trading divisions), then such recipient must be verified as a legitimately interested party and must confirm whether the Personal Information is required for the legitimate performance of tasks within the competence of the recipient. The grounds for the request must be verified by Integrity Software, as well as the recipient’s competence to receive the Personal Information.
    • The necessity of the transmission of Personal Information as referred to in clause 5 will be evaluated together with the recipient’s organisational and technical security safeguards and measures as required by law and by this Policy.
    • Integrity Software may disclose Personal Information to its insurers and/or professional advisors insofar as is reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
    • Operators must enter into a data transfer agreement which is subject to limitations on the condition of further Processing and secondary Processing regarding the obtaining of Consent from the Data Subject.
    • All requests for confidential, internal or Personal Information which originate from a person or entity outside of Integrity Software must be forwarded to the Information Officer or any such duly authorised and appointed representative.
    • All requests for confidential, internal or Personal Information which fall outside of the standard business practice or procedure, and which originate from an employee of Integrity Software, must be forwarded to the human resources department of Integrity Software for employee authentication and thereafter to the Information Officer and/or the employee’s line manager as may be necessary for final authorisation.
    • Requests referred to in clause 10 must be reasonably considered by the Information Officer and/or the employee’s line manager, as the case may be, and further directives must be issued on the approval thereof.
  7. Data Subject Participation
    • The Data Subject has the right to request Integrity Software to confirm, free of charge, whether Integrity Software holds Personal Information about the Data Subject.
    • The Data Subject may request Integrity Software to provide it with a description of the Personal Information held by it or by a third party within a reasonable time. Any fees charged for providing the Data Subject with the information required shall not be excessive. Integrity Software should also advise the Data Subject that the Personal Information may be corrected upon request.
    • The Data Subject has a right to access the Personal Information and request a correction or deletion of the Personal Information. Integrity Software, employees, service providers and administrators each have a duty to investigate the request and to respond thereto. Any such request must be forwarded to the Information Officer or his or her duly authorised representative.
    • Where the Data Subject is an employee, any requests to correct Personal Information must be directed at the Data Subject’s line manager, the human resources department of Integrity Software and the Information Officer.
    • If there are circumstances where Integrity Software believes that the information is accurate and no agreement between the Data Subject and Integrity Software can be reached to amend the information, Integrity Software is obliged to link the Personal Information in dispute in such a manner that it will always be read with an indication that the correction of the Personal Information has been requested by the Data Subject, but has not been made.
    • In instances where changes have been made which may impact on decisions taken using Personal Information, POPI imposes a duty on Integrity Software to advise, if reasonably practical, any third parties to whom the information may have been disclosed.
    • Integrity Software shall not use any Personal Information for direct marketing purposes.
  8. Breach of Policy
    • Failure to comply with the rules and standards set out in this Policy, and those policies which have been incorporated by reference herein, may be regarded as a transgression of company policy and must be reported to the relevant Information Officer.
    • Incidents of any breach of this Policy must be reported immediately to the relevant Information Officer by email or logged on the Integrity Software IT Helpdesk. The Information Officer must investigate the breach as soon as practically possible and notify the Regulator as may be appropriate, necessary and applicable.
    • Where there are reasonable grounds to believe that Personal Information has been accessed, acquired, destroyed or altered by any unauthorised person, the Responsible Party must notify the Regulator and the Data Subject(s), unless the identity of the Data Subject(s) cannot be established.
    • Where there are reasonable grounds to believe that Personal Information has been accessed, acquired, destroyed or altered by any unauthorised person, notifications will be actioned and sent to the Data Subject(s) concerned, unless the identity of the Data Subject(s) cannot be established, in which case a notification shall be published on Integrity Software’s website and sent to all employees, customers and Operators. Such notification must be sent via email, as soon as is reasonably possible after discovery of the compromise and to enable a Data Subject to take pre-emptive measures as may be available and/or appropriate, taking into account the legitimate needs of law enforcement and any measures which may be necessary to determine the scope of the compromise and to restore the integrity of the Responsible Party’s Records.
  9. Policy Maintenance

Integrity Software shall review this Policy at least every 3 (three) years or more frequently as needed to respond to changes in the regulatory and legislative environment, as well as technological advancement in privacy protection.

Annexure A: Rights of Data Subjects

Section 5 of POPI states that a Data Subject has the right to have his, her or its Personal Information Processed in accordance with the conditions for the lawful Processing of Personal Information, including the right:

  • to be notified that:
    • Personal Information about them is being collected as provided for in terms of section 18; or
    • their Personal Information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
  • to establish whether a Responsible Party holds Personal Information of that Data Subject and to request access to their Personal Information as provided for in terms of section 23;
  • to request, where necessary, the correction, destruction or deletion of their personal information as provided for in terms of section 24;
  • to object, on reasonable grounds relating to their particular situation, to the processing of their personal information as provided for in terms of section 11(3)(a);
  • to object to the processing of their personal information:
    • at any time for purposes of direct marketing in terms of section 11(3)(b); or
    • in terms of section 69(3)(c);
  • not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
  • not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of their personal information intended to provide a profile of such person as provided for in terms of section 71;
  • to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any Data Subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
  • to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.

Annexure B: Form 2

FORM 2 

REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013) 

REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018

[Regulation 3]

Note:

  1. Affidavits or other documentary evidence as applicable in support of the request may be
  2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each
  3. Complete as is

Mark the appropriate box with an “x”.

Request for:

Correction or deletion of the personal information about the data subject which is in possession or under the control of the responsible party.

Destroying or deletion of a record of personal information about the data subject which is in possession or under the control of the responsible party and who is no longer authorised to retain the record of information.

A DETAILS OF THE DATA SUBJECT
Name(s) and surname / registered name of data subject:
Unique identifier / Identity Number:
Residential, postal or business address:

Code (        )
Contact number(s):
Fax number / E-mail address:
B DETAILS OF RESPONSIBLE PARTY
Name(s) and surname / registered name of responsible party:
Residential, postal or business address:
Code (       )
Contact number(s):
Fax number/ E-mail address:
C INFORMATION TO BE CORRECTED/DELETED/DESTRUCTED/DESTROYED
D REASONS FOR *CORRECTION OR DELETION OF THE PERSONAL INFORMATION ABOUT THE DATA SUBJECT IN TERMS OF SECTION 24(1)(a) WHICH IS IN POSSESSION OR UNDER THE CONTROL OF THE RESPONSIBLE PARTY; and or

REASONS FOR *DESTRUCTION OR DELETION OF A RECORD OF PERSONAL INFORMATION ABOUT THE DATA SUBJECT IN TERMS OF SECTION 24(1)(b) WHICH THE RESPONSIBLE PARTY IS NO LONGER AUTHORISED TO RETAIN.

(Please provide detailed reasons for the request)

 

Signed at …………………………………… this …………………. day of ………………………20…………

 

 

…………………………………………………………………

Signature of data subject/ designated person

(Note: this is not a submittable form. Please print and complete)