PROTECTION OF PERSONAL INFORMATION ACT POLICY AND PROCEDURE (POPIA POLICY)

1. DEFINITIONS
1.1. “Contractors” shall include Contractors, Consultants, Freelance Facilitators, ETD Practitioners, Subject Matter Experts, Assessors and Moderators.
1.2. “Data Subject” shall be the person or entity to which the data relates which includes persons, businesses, clients and employees.
1.3. “Data Operator” shall mean a person who processes personal information on behalf of a responsible party under the terms of a contract or mandate, but who is not under the responsible party’s direct control.
1.4. “Employer/Company” shall mean The Impact Catalyst.
1.5. “Information Officer” shall mean the person registered as the information officer by the Company.
1.6. “Policy” shall mean the Protection of Personal Information Act Policy and Procedure.
1.7. “POPIA” shall mean the Protection of Personal Information Act 4 of 2013.
1.8. “Personal Information” shall be defined as information relating to an identifiable, living, natural person, and where applicable an identifiable, existing juristic person.
1.9. “Processing of Information” shall include any operations, activities or sets of operations, including collection, receipt, recording, storage, updating or modification of personal information.
1.10. “Special Personal Information” is considered to be more sensitive in nature and relates among others to religious and philosophical beliefs, race, gender, sex life, health and criminal behaviour.

2. PURPOSE
2.1. The purpose of this policy is to comply with the conditions of the Protection of Personal Information Act, No. 4 of 2013 (“POPIA”). The personal information of clients and employees is also considered valuable, and rules are set out below to govern the use, storage and protection of that information.
2.2. The following information is considered personal information, but the list is not exhaustive:
2.2.1. Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
2.2.2. Information relating to the education or the medical, financial, criminal or employment history of the person;
2.2.3. Any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignments to the person;
2.2.4. The blood type or any other biometric information of the person;
2.2.5. Personal opinions, views or preferences of the person;
2.2.6. Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
2.2.7. The views or opinions of another individual about the person; and
2.2.8. The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

3. SCOPE
This policy applies to:
3.1. all personal information held and processed by the employer;
3.2. all employees and clients of the employer who are granted access to personal information;
3.3. all contractors, suppliers, partners and external collaborators and visitors who may be authorised to access the personal information held by the employer; and/or
3.4. all locations from which personal information is accessed including home and off‐site/remote use.

4. POLICY STATEMENT
The employer values the privacy of every individual’s personal information and is committed to the protection of personal information and will strive to:
4.1. promote an understanding and acceptance of the eight conditions for lawful processing of personal information as specified by POPIA throughout the organisation;
4.2. provide training and awareness about the protection of personal information;
4.3. handle complaints received in an efficient and appropriate manner; and
4.4. monitor compliance and keep the organisation informed of updates to the legislation and internal policies and procedures.

5. CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
The following conditions for lawful processing of information are proposed as minimum standards to govern the appropriate protection of personal information.
5.1. Accountability:
5.1.1. The employer must and will ensure that the conditions for lawful processing of personal information set out in POPIA, and all measures required to give effect, are complied with.
5.1.2. All personal information will be identified internally. Accountability will commence from the time when the information is received or requested, the purpose for processing determined and will thereafter apply throughout the lifecycle of the processing, until the record has been destroyed.
5.2. Processing limitation:
5.2.1. Personal information must be processed lawfully and in a manner that does not infringe the privacy of the individual who is the subject of the personal data (“Data Subject”). Personal information may only be processed if, given the purpose, it is adequate, relevant and not excessive.
5.2.2. Personal information may only be processed if:
5.2.2.1. the Data Subject or competent person where the Data Subject is a child has given consent, to the processing;
5.2.2.2. processing is necessary to carry out actions for the conclusion of the performance of a contract with the Data Subject;
5.2.2.3. processing is necessary to comply with a legal obligation;
5.2.2.4. processing is necessary to protect the legitimate interest of the Data Subject;
5.2.2.5. processing is necessary to pursue the legitimate interests of the employer; or
5.2.2.6. processing is necessary for the performance of a public duty by a public body.
5.2.3. The employer bears the burden of proof of consent.
5.2.4. The Data Subject can withdraw consent at any time, however, such withdrawal will not affect the lawfulness of the processing of the personal information that has been processed before the withdrawal.
5.2.5. Personal information will be collected directly from the Data Subject, unless:
5.2.5.1. the information is obtained from a public record;
5.2.5.2. the Data Subject consented or allowed the personal information to be collected from another person;
5.2.5.3. the processing and collection by a third party does not prejudice the legitimate interest of the Data Subject; or
5.2.5.4. the collection is necessary to comply with a legal obligation.
5.3. Purpose specification:
5.3.1. Collection of personal information must be for a specifically defined, lawful purpose related to a function or activity of the employer.
5.3.2. The Data Subject must be made aware of the purpose of processing the information and why it is required.
5.3.3. The retention of personal information must not be for a period longer than necessary to achieve the purpose for which such personal information was processed.
5.3.4. Personal information can be retained for an extended period under the following conditions:
5.3.4.1. when the prolonged retention is reasonably required for specific lawful purposes;
5.3.4.2. when prolonged retention is required due to contractual requirements between parties; and
5.3.4.3. the Data Subject has consented to further retention of the information.
5.3.5. Furthermore, personal information may be kept for a period longer than necessary to achieve the purpose for which it was processed if it is kept for historical, statistical or research purposes and the necessary safeguards have been established.
5.3.6. Destruction of personal information must be in a manner that prevents reconstruction in an intelligible form.
5.4. Further processing limitation:
5.4.1. Further processing of personal information must be in accordance with or compatible with the purpose for which it was collected.
5.4.2. Where further processing is not compatible with the original purpose, it will be allowed where:
5.4.2.1. the Data Subject has given consent to the further processing;
5.4.2.2. the information was derived from a public record;
5.4.2.3. further processing is necessary to comply with a legal obligation or legislation;
5.4.2.4. further processing is necessary to avoid serious harm or imminent threat to public health or safety;
5.4.2.5. the personal information is used for historical, statistical or research purposes and the employer can ensure that it will not publish the information in an identified form; or
5.4.2.6. further processing is in accordance with an exemption granted by the Regulator.
5.5. Information quality:
5.5.1. The employer will take reasonable steps to ensure that the personal information which is processed is correct, accurate, complete, reliable and updated where necessary.
5.5.2. The Data Subject must be informed of the right to update and correct any personal information belonging to them.
5.6. Openness:
5.6.1. Processing of personal information must be done in an open and transparent manner.
5.6.2. The employer will take reasonable steps to ensure that the Data Subject is aware of the type of personal information being collected, the purpose for which it is being collected, and if not collected directly from the Data Subject, from where it is being collected.
5.6.3. The employer will record and provide the following details to the Data Subject:
5.6.3.1. the name and address of the employer;
5.6.3.2. purpose of collection of the personal information and what it will be used for;
5.6.3.3. whether the supply of the information by the Data Subject is voluntary or mandatory;
5.6.3.4. the consequences of failure to provide personal information;
5.6.3.5. if the information will be transferred to another country; and
5.6.3.6. whether subsequent processing will occur.
5.7. Security safeguards:
5.7.1. All personal information held by the employer must be kept safe and secure.
5.7.2. The employer will ensure the integrity and confidentiality of the personal information under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, destruction or unlawful access. This includes the following:
5.7.2.1. identify personal information (structured and unstructured) in all business processes;
5.7.2.2. identify business processing manual controls, application systems and IT process controls, including procedures supporting the complete and accurate processing of personal information;
5.7.2.3. identify all reasonable, foreseeable internal and external risks;
5.7.2.4. establish appropriate safeguards;
5.7.2.5. regularly verify that safeguards are effectively implemented;
5.7.2.6. maintain the capability to detect security breaches;
5.7.2.7. regularly review the contractual obligations of third parties; and
5.7.2.8. prohibit the processing of special personal information.
5.7.3. Where services of third-party operators are used, a written contract must be in place which ensures that the Operator establishes and maintains the security measures required under POPIA.
5.7.4. Should the employer become aware of, or have reasonable grounds to believe, that the personal information of a Data Subject has been accessed or acquired by an unauthorised person, the employer will notify:
5.7.4.1. the Regulator; and/or
5.7.4.2. the Data Subject, unless the identity of the Data Subject cannot be established.
5.7.5. The notification must provide sufficient information to allow the Data Subject to take protective measures against any potential consequences of the leak or infringement.
5.8. Data Subject participation:
5.8.1. The employer will inform the Data Subject about the right to access personal information and the right to correct mistakes or inaccuracies.
5.8.2. The employer, following a request to correct personal information, must correct or delete any personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

6. SECURITY AND DATA PROTECTION MEASURES
6.1. The Company manages projects on SharePoint and Word as well as other electronic and manual record keeping tools.
6.2. SharePoint and Word as well as other electronic and manual record keeping tools are deemed to be secure systems which use proven transport layer security (TLS) technology from trusted providers to encrypt all data transmission between devices and servers.
6.3. SharePoint and Word as well as other electronic and manual record keeping tools allow the management of privileges on the system, and each user is allocated appropriate privileges according to the operational requirements of their position.
6.4. Limited sharing and downloading of files is allowed according to allocated privileges.
6.5. No employee may share the personal information of any data subject without the consent of the data subject.
6.6. The Company building at the CSIR is access controlled and secure.
6.7. All laptops must be password protected.
6.8. Staff will not use automated passwords.
6.9. When travelling with laptops or other devices employees will ensure that these are not visible from outside of their vehicles.

7. MAINTENANCE
7.1. Physical security is maintained at all times by full access control of the premises.
7.2. Digital data protection maintenance is done by frequent password changes.
7.3. Employees are trained on the requirements of the protection of personal information and made aware of the importance of adherence to data protection policies.

8. RETENTION AND DESTRUCTION
8.1. Retention and Destruction applies to all records of information, whether in manual or electronic format.

Lifecycle of records
8.2. The employer acknowledges that records have a lifecycle and that, if they have come to an end of their retention period, a decision should be made regarding archiving or destroying them.
8.3. The records management life cycle is as follows:
8.3.1. The origination of the record is determined either by the creation of the record by the employer, or the receipt of the record by the employer from a compliant third party.
8.3.2. Once a record is created or received, it is used, updated, modified, stored, maintained and / or protected by the employer on a day-to-day basis.
8.3.3. At the end of the useful life of the record in question, or when required by relevant and applicable legislation, the employer must evaluate whether such record should be archived or destroyed.

Retention of records
8.4. As there may be different retention periods depending on the nature of the record, the information set out below will assist in determining the applicable retention period for a record:
8.4.1. In the event that a minimum retention period is prescribed by legislation, then the retention period set out in such legislation applies.
8.4.2. In the event that there is no legislated retention period, the retention period shall be 5 (five) years.
8.4.3. Should a specific retention period be prescribed by any specific applicable contract or agreement, that retention period shall apply.

Destruction
8.5. The destruction of records is not the same as the disposition of records.
8.6. The disposition of records refers to the wide range of actions undertaken to manage records over time, which may include the transfer of records to archival storage.
8.7. The destruction of a record is the act of destroying a record permanently by obliterating such record, so that the information stored in it can no longer be physically or electronically reconstructed or recovered. Any decision to destroy a record must be formally approved by the CEO in writing.
8.8. Where the retention period for a record has expired, a decision must be made to either continue to retain the document (if permitted by law), transfer the record to archival storage, or destroy the record. Some of the factors that will influence this decision are:
8.8.1. whether the record reached its useful life;
8.8.2. could there be a future challenge where the record is needed in a civil or criminal case; and
8.8.3. does the record need to be retained for commercial or business purposes?
8.9. The abovementioned decision must be formally made and must be properly documented. Such decision must be in writing and must be signed off by the CEO.

Destruction of paper records
8.10. Where a formal decision has been made to destroy employer records, the destruction must be done securely. Paper records must either be shredded by the employer or placed in confidential bins to be removed by a reputable third-party provider.
8.11. Paper records must not be discarded in trash cans or destroyed by other unsecured methods.

Destruction of electronic records
8.12. Before electronic records are destroyed, archiving the records should be considered. If the decision is made to destroy the record, then one of the following techniques must be used:
8.12.1. Overwriting: Overwriting is an effective method of destroying electronic records. This method involves the use of software that overwrites the record multiple times (up to 10 (ten) times) with strings of “1’s” and “0’s”. This makes the possibility of recovering the record much more remote.
8.12.2. Physically destroying storage media: Physically destroying the storage media or record must be used where Personal Information, and / or sensitive or confidential information of the employer is stored on a record. This is also the most appropriate method of destroying records stored on portable media, such as hard drives, and shredding CDs and DVDs.

9. DATA BREACHES AND RECOVERY PLAN
9.1. An employee who becomes aware of a data breach undertakes to notify their direct supervisor as soon as possible.
9.2. The supervisor shall notify the information officer as soon as possible.
9.3. The Information Officer shall notify the regulator of any data breaches.
9.4. Data subjects shall be notified as soon as possible by the sending of an email or placing a notice on the employer website.
9.5. Where electronic information is accessed by unauthorised parties subject matter experts will be notified to secure the environment and mitigate the risk.
9.6. Recovery plans will be determined based on the data breach and method of access where physical security is compromised.

10. EXCLUSIONS
POPIA does not affect or apply to the processing of personal information:
10.1. carried out in the course of a purely personal or household activity.
10.2. that has been deleted to the extent that it cannot be recovered, or where such information has been de-identified;
10.3. held or used by or for the State, if it involves national security, defence, public safety or the prevention of crime;
10.4. held and used for exclusively journalistic purposes, by media companies that are subject to a code of ethics that has safeguards for the protection of personal information;
10.5. held or used by Cabinet, Provincial Executive Councils, and Municipal Councils;
10.6. if it relates to the exercise of judicial functions; or
10.7. if it has been specifically exempted under POPIA, in cases where other legislation regulates the processing of that information.

11. RESPONSIBILITIES
The employer recognises its responsibility under POPIA as the Responsible Party. An Information Officer will be appointed and registered with the Regulator to achieve these goals.
11.1. The Information Officer
11.1.1. The Information Officer is responsible for:
11.1.1.1. providing advice, guidance, and training on information protection responsibilities and compliance with this policy;
11.1.1.2. administering subject access requests;
11.1.1.3. liaising with the Regulator;
11.1.1.4. preparing and submitting reporting requirements;
11.1.1.5. co-ordinating the development and delivery of training materials;
11.1.1.6. recording any incidences of breach of this policy.
11.1.2. Each Employee is responsible for taking every reasonable step to ensure that the processing of personal information complies with this Policy and POPIA.
11.1.3. Information Officer Details:
Name and Surname: Rory Baker
Email Address: rbaker@impactcatalyst.co.za
Contact Number: 072 023 117
11.2. Employees
11.2.1. All Employees must
11.2.1.1. adhere to the conditions of this policy;
11.2.1.2. ensure that all personal information entrusted to them is kept securely;
11.2.1.3. ensure no personal information is disclosed to any unauthorised third party; and
11.2.1.4. ensure that their own personal data held by the employer are kept up to date.
11.3. Vendors, Contractors, and Suppliers
11.3.1. The employer is responsible for the use made of personal information by anyone working on its behalf. Employees and contractors, who employ vendors, contractors and/or suppliers, must ensure that they:
11.3.1.1. adhere to the terms of this policy;
11.3.1.2. do not have access to personal data beyond that required for the work to be carried out; and
11.3.1.3. return or destroy personal data on completion of the work.

12. HANDLING AND PROCESSING REQUESTS FROM DATA SUBJECTS
12.1. No information will be provided by the employer unless
12.1.1. the Data Subject has requested this in writing,
12.1.2. the Data Subject has been properly identified, and
12.1.3. all other provisions set out in this Policy have been complied with.
12.2. Any Employees, contractors, visitors and/or other persons authorised to access and use the employer’s systems who receive a written request in respect of data held by the employer in relation to POPIA must forward it to the information officer of the employer immediately.
12.3. A Data Subject has a right to request this information.

Processing the request from the Data Subject
12.4. Natural Person Data Subject requesting information
12.4.1. The natural person Data Subject must request in writing whether the employer processes any of their Personal Information, and a record of such Personal Information. This written request must be sent to the Information Officer.
12.4.2. The Information Officer will request:
12.4.2.1. a certified copy of the individual’s ID or passport, and
12.4.2.2. proof of residence.
12.4.3. Once this has been received and verified, the Information Officer will then be authorised to release the Personal Information in question (unless the employer cannot release such information for good reason, such as if granting the Data Subject access would interfere with the privacy of others or would result in a breach of confidentiality by the employer).
12.4.4. The employer will always provide the Data Subject with written reasons if this is the case.
12.4.5. The Information Officer must:
12.4.5.1. record the Data Subject request on the employer’s request system; and
12.4.5.2. safely store the certified copy of the ID or passport, and proof of address, either in a file in a locked cupboard (if these are in paper format) or online in an encrypted folder which cannot be accessed by an unauthorised party.
12.5. Juristic Person requesting information
12.5.1. The Juristic person in question must request in writing whether the employer processes any of its Personal Information, and a record of such Personal Information. This written request must be sent to the Information Officer.
12.5.2. The Information Officer must then request an appropriate document to identify such juristic person. For a Company this will be certified copies of the following:
12.5.2.1. CIPC documents;
12.5.2.2. FICA documents for the Company (including proof of business premises); and
12.5.2.3. Directors details and copies of all director’s ID’s or passports.
12.5.3. Once such documents have been received, the Information Officer will then be authorised to release the personal information to the individual (unless the employer cannot release such information for good reason, such as if granting the Data Subject access would interfere with the privacy of others or would result in a breach of confidentiality by the employer).
12.5.4. The employer will always provide the Data Subject with written reasons if this is the case.
12.5.5. The Information Officer must:
12.5.5.1. record the Data Subject request on the employer’s request system; and
12.5.5.2. safely store the certified copies of all of the above documents either in a file in a locked cupboard (if these are in paper format) or online in an encrypted folder which cannot be accessed by an unauthorised party.

Update the information of the Data Subject
12.6. The Data Subject may request the employer to correct or delete any of his / her / its Personal Information if it is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or has been obtained unlawfully, or to destroy such record of Personal Information.
12.7. If such a request is made, the employer must send this request to the Information Officer, who will then decide what action to take in respect of such Personal Information.
12.8. If the information is destroyed or deleted, the Data Subject must be provided with credible evidence that this has been done.
12.9. If instructed to do so by the Information Officer, the User in question must advise the Data Subject of any adverse consequences of deleting or destroying any Personal Information, including whether this will have an impact on the employer’s ability to provide goods and / or services to the Data Subject, if this is applicable in the circumstances.

Timeline
12.10. As soon as a request for information has been received in writing and the Data Subject has been properly identified and verified, the employer will have 20 (twenty) working days to provide the Data Subject with the information in question.

Cost of providing information
12.11. Data Subjects have the right to contact the employer to ask the employer to:
12.11.1. confirm that the employer holds the Data Subject’s Personal Information at no charge;
12.11.2. provide the Data Subject with access to any records containing the Data Subject’s Personal Information or a description of such Personal Information that the employer holds, subject to payment of a prescribed fee under POPIA; and / or
12.11.3. confirm the identity or categories of third parties who have had, or currently have, access to the Data Subject's Personal Information, also subject to payment of a prescribed fee under POPIA.

Delivery method of the information

12.12. Information may be shared with the Data Subject under this policy in the following ways:
12.12.1. The information may be provided to the Data Subject in person, provided that the Data Subject must sign for the information received; or
12.12.2. The information may be provided to the Data Subject to the email address that such Data Subject has chosen in writing. Any information provided by email must be password protected with an 8 (eight) character password that must contain at least one upper case and lower case character, and at least one numeric and one special character; provided that the password:
12.12.3. must not be sent in the same email as the information; and
12.12.4. must be sent via a different application, preferably WhatsApp. This will prevent an unauthorised individual having access to the email address being able to open the file without also having the password.
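As an added illustration, not part of this policy or the Company’s own tooling, the following Python snippet checks a password against the rule in 12.12.2 and generates one that satisfies it; it assumes “8 (eight) character” means a minimum length of eight and that “special character” means ASCII punctuation.

```python
import secrets
import string

# Rule from section 12.12.2: at least one upper case, one lower case, one
# numeric and one special character. Assumption (not stated in the policy):
# "8 (eight) character" is read as a minimum length of 8, and "special
# character" means ASCII punctuation.
MIN_LENGTH = 8
SPECIALS = string.punctuation

# Each rule maps a name to a predicate over the candidate password.
_RULES = {
    "length": lambda p: len(p) >= MIN_LENGTH,
    "upper": lambda p: any(c.isupper() for c in p),
    "lower": lambda p: any(c.islower() for c in p),
    "digit": lambda p: any(c.isdigit() for c in p),
    "special": lambda p: any(c in SPECIALS for c in p),
}


def check_password(password: str) -> list[str]:
    """Return the names of the rules the password fails; an empty list means
    it complies with 12.12.2."""
    return [name for name, ok in _RULES.items() if not ok(password)]


def generate_password(length: int = 12) -> str:
    """Generate a random password that satisfies every rule in 12.12.2.

    One character is drawn from each required class so coverage is
    guaranteed, the remainder from the combined alphabet, and the result is
    shuffled with the OS CSPRNG so the class positions are not predictable.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_uppercase, string.ascii_lowercase,
               string.digits, SPECIALS]
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    password = "".join(chars)
    # Defensive self-check: the generator must never emit a non-compliant value.
    if check_password(password):
        raise RuntimeError("generated password failed policy check")
    return password


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "compliant")
    print("generated:", generate_password(16))
```

The password must still travel separately from the file (12.12.3 and 12.12.4); the check only covers the composition rule.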

13. RIGHTS RESERVED BY THE EMPLOYER/COMPANY
13.1. The employer reserves the right to monitor, audit, screen, and preserve employer information as the employer deems necessary, in its sole discretion, in order to maintain compliance with this policy and, by extension, all relevant provisions of POPIA.
13.2. Any dissemination, unauthorised use or benefit from any employer information by a User in contravention of this policy may result in disciplinary action being taken against such User by the employer.
13.3. Furthermore, the use of any account or system in such a way that breaches any of the provisions of this policy will be reported to the appropriate supervisor or manager of the employer, which may lead to further disciplinary action being taken.