Data Protection Policy
1. Introduction to the Data Protection Policy
Dupleix Institute is obligated to comply with the Protection of Personal Information Act 4 of 2013 (POPIA). POPIA requires the company to inform its stakeholders as to the manner in which their personal information is used, disclosed and destroyed.
Dupleix Institute guarantees its commitment to protecting its stakeholders’ privacy and ensuring that their personal information is used appropriately, transparently, securely and in accordance with applicable laws.
1.2. Purpose of the Data Protection Policy
The Policy sets out the manner in which the company deals with its stakeholders’ personal information and stipulates the purpose for which such personal information is used. The Policy is made available on the company website (www.dupleixinstitute.com) and by request from the head office.
The Policy applies to all employees, third parties, and all other users of Dupleix Institute ICT facilities and all forms of information resources.
1.4. Policy Review
The Policy will be reviewed annually. Stakeholders are advised to access the Institute’s website periodically to keep abreast of any changes to the Policy. Where material changes take place, stakeholders will be notified directly or changes will be updated on the website.
2. Protection of Personal Information in Terms of POPIA
2.1. Personal Information Collected
Section 9 of POPIA states that “Personal Information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.”
The Institute collects and processes personal information pertaining to the stakeholders’ needs. The type of information will depend on the need for which it is collected and will be processed for that purpose only. Whenever possible, Dupleix Institute will inform the stakeholder as to the information required and the information deemed optional.
Website usage information may be collected using “cookies”, which allow the Institute to collect standard internet visitor usage information.
2.2. The Usage of Personal Information
Personal Information will only be used for the purpose for which it was collected and as agreed.
This may include:
• Providing services to stakeholders and to carry out the transactions requested;
• For sharing with other third parties, if necessary;
• Processing applications for discretionary grants and accreditation of training services providers;
• Confirming, verifying and updating stakeholders’ details;
• For the detection and prevention of fraud, crime and money laundering;
• For audit and record keeping purposes;
• In connection with legal proceedings;
• Providing communication in respect of Dupleix Institute and regulatory matters that may affect stakeholders; and
• In connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law.
According to section 10 of POPIA, personal information may only be processed if certain conditions, listed below, are met along with supporting information for the processing of Personal Information:
• The stakeholder consents to the processing: consent is obtained from stakeholders during the introductory, appointment and registration stage of the relationship;
• Processing complies with an obligation imposed by law on the Institute; and
• Processing protects a legitimate interest of the stakeholder.
2.3. Disclosure of Personal Information
The Institute may disclose a stakeholder’s personal information to any of its third-party service providers. The Institute has agreements in place to ensure compliance with confidentiality and privacy conditions.
The Institute may also share personal information with, and obtain information about stakeholders from third parties for the reasons already discussed above.
The Institute may also disclose a stakeholder’s information where it has a duty or a right to disclose in terms of applicable legislation, the law, or where it may be deemed necessary in order to protect its rights.
2.4. Safeguarding Stakeholders’ Personal Information
It is a requirement of POPIA to adequately protect personal information. The Institute continuously reviews its security controls and processes to ensure that personal information is secure.
The following procedures are in place in order to protect personal information:
(i) The Institute’s Information Officer is Mr Themba Mazibuko whose details are available below and who is responsible for the compliance with the conditions of the lawful processing of personal information and other provisions of POPIA;
(ii) This Policy has been put in place throughout the organisation and training on this Policy and the POPIA Act has already taken place;
(iii) Each new employee is required to sign an employment contract containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of POPIA;
(iv) Every employee currently employed within the Institute is required to sign an addendum to their employment contracts containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of POPIA;
(v) The Institute’s archived stakeholder information is stored on site, which is also governed by POPIA; access to these areas is limited to authorised personnel;
(vi) The organisation’s suppliers, insurers and other third-party service providers are required to sign a service level agreement guaranteeing their commitment to the Protection of Personal Information. This is however an ongoing process that is evaluated as needed;
(vii) All electronic files or data are backed up by the Institute, which is also responsible for system security that protects against third-party access and physical threats. The Institute is responsible for Electronic Information Security; and
(viii) The Institute’s policies and procedures cover the following:
• Physical security;
• Computer and network security;
• Access to personal information;
• Secure communications;
• Security in contracting out activities or functions;
• Retention and disposal of information;
• Acceptable usage of personal information;
• Governance and regulatory issues;
• Monitoring access and usage of private information; and
• Investigating and reacting to security incidents.
Consent to process stakeholder information is obtained from stakeholders (or a person who has been given authorisation from the stakeholder to provide the stakeholder’s personal information) during the introductory, appointment and registration stage of the relationship.
2.5. Access and Correction of Personal Information
(i) Stakeholders have the right to access the personal information the Institute holds about them;
(ii) Stakeholders also have the right to ask the Institute to update, correct or delete their personal information on reasonable grounds;
(iii) Once a stakeholder objects to the processing of their personal information, the Institute may no longer process said personal information; and
(iv) The Institute will take all reasonable steps to confirm its stakeholders’ identity before providing details of their personal information or making changes to their personal information.
The details of the Institute’s Information Officer are shown below.
3. Retention & Confidentiality of Documents, Information and Electronic Transactions
3.1. Access to documents
(i) All personal information is dealt with in the strictest confidence and may only be disclosed, without fear of redress, in the following circumstances:
• where disclosure is under compulsion of law;
• where there is a duty to the public to disclose; and
• where the interests of the Institute require disclosure.
(ii) Disclosure to 3rd parties
All employees have a duty of confidentiality in relation to the Institute and stakeholders. In addition to the provisions of clauses above, the following are also applicable:
• Information on stakeholders: Our stakeholders’ right to confidentiality is protected in the Constitution and in terms of legislation. Information may be given to a 3rd party if the stakeholder has consented in writing to that person receiving the information;
• Requests for Institute information:
These are dealt with in terms of PAIA, which gives effect to the constitutional right of access to information held by the State or any person (natural and juristic) that is required for the exercise or protection of rights. The Institute may however refuse access to records if disclosure would constitute an action for breach of the duty of secrecy owed to a third party.
In terms hereof, requests must be made in writing on the prescribed form to the Information Officer in terms of PAIA. The requesting party has to state the reason for wanting the information and has to pay a prescribed fee.
The Institute’s manual in terms of PAIA, which contains the prescribed forms and details of prescribed fees, is available on the website.
• Confidential Institute and/or business information may not be disclosed to third parties as this could constitute industrial espionage. The affairs of the Institute are kept strictly confidential at all times.
• The Institute views any contravention of this policy very seriously and employees who are guilty of contravening the policy will be subject to disciplinary procedures, which may lead to the dismissal of any guilty party.
4. Destruction of documents
(i) Documents may be destroyed after the termination of the specified retention periods;
(ii) Each department is responsible for attending to the destruction of its documents, which must be done on a regular basis. Files must be checked in order to make sure that they may be destroyed and also to ascertain if there are important original documents in the file. Original documents are returned to the holder thereof, failing which, they are retained by the Institute pending such return; and
(iii) Documents may also be stored off-site, in storage facilities approved by the Institute.
5. Non-compliance with the Policy
Appropriate disciplinary action is taken against employees who contravene this Policy.
6. Information Officer Details
Name: Mr Themba Mazibuko
Telephone Number: +27 87 985 0446
E-mail Address: firstname.lastname@example.org