NOSA Protection of Personal Information Policy (POP 001)

The value statement of NOSA:

  • Honesty and integrity
  • Client focus
  • Accountability
  • Quality and excellence
  • Pride and respect
  • Safety and social responsibility

  1. Introduction

    The Company recognises the constitutional rights of a person/s to privacy and acknowledges that it is of the utmost importance, as required by law, to protect the personal information pertaining to the relevant parties concerned.

    The danger of invading a person’s privacy and the abuse of personal information have been considered and acknowledged internationally, and precautionary measures to protect this confidential information have been documented to assist in regulating it. For this specific reason, Parliament established legislation to address this matter. The Company undertakes to respect and protect the privacy of all persons who are associated with this company, whether they are employees of this company or persons who are business partners or other entities who, for various reasons of interest, are related to the Company.

  2. Policy and scope

    The contents of this policy are applicable to all employees of the Company. The policy has been introduced in order to encourage the protection and confidentiality of all personal information that has been made available to the Company by employees, or by any consumer/client or any party who has disclosed information of a private or business nature, for the sole intention of employment, business transactions, contracts or communication, and which is deemed necessary for the records of the Company.

    The information officer is the custodian of this policy, as it is the responsibility of the information officer to ensure that this policy is incorporated and implemented in the various divisions of the Company, and that workshops and training are provided to all parties concerned regarding the contents of the Protection of Personal Information Act (PoPIA).

    This policy applies to all permanent and temporary positions held by persons within the Group and is applicable to all temporary and permanent employees. The Company will make employees aware of this procedure by discussing it during induction sessions, and by distributing it to the workforce by making it available on the Company’s electronic equipment and stored under the Q-drive.

    However, it remains the duty and responsibility of all employees to make themselves aware of, and to familiarise themselves with, the content and application of this document.

  3. Purpose
    1. The purpose of this policy is to incorporate the requirements of the Protection of Personal Information Act (4/2013) (hereafter referred to as ‘PoPIA’) into the daily operations of the Company and to ensure that these requirements are documented and implemented in the business processes.
    2. The objective of this policy is to ensure the constitutional right to privacy, with regards to:
      1. the safeguarding of personal information;
      2. the regulation and processing of personal information;
      3. the execution of the prescribed requirements for the legal processing of personal information; and
      4. the protection of free flow of personal information.
    3. The Company and its employees shall adhere to this policy concerning the management of all personal information received from, but not limited to, natural persons, employees, clients, suppliers, agents, representatives and partners of the Company, to ensure compliance with the Act and that the applicable regulations and rules relating to the protection of personal information are adhered to.
  4. Definitions
    Concept: Definition
    Act: Protection of Personal Information Act (4/2013)
    Automated: Any equipment capable of operating automatically/independently in response to instructions being executed, for the purposes of processing information
    Company: The NOSA Group, consisting of NOSA (Pty) Ltd, Aspirata, NAIS, NQA and NOSA Logistics
    Data subject: The person to whom the personal information relates
    Direct marketing: To approach/contact a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of – promoting or offering to supply, in the ordinary course of business, any goods or service to the data subject; or requesting a donation of any sort and for any reason from the data subject.
    Information officer: The head of a private body as contemplated in Section 1 of the Promotion of Access to Information Act (PAIA)
    Personal information: Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to – information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, e-mail address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that would reveal the contents of the original correspondence; the views or opinions of another individual regarding the person; and the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person
    Record: Any recorded information in whatever form in possession or under the control of the responsible party
    Regulator: The Information Regulator established in terms of the Act
    Responsible party: A public or private body or any other person which, independently or in conjunction with others, determines the purpose of and means for processing personal information (typically, but not always, the collector of information)
    PAIA: Promotion of Access to Information Act (2/2000)
    PoPIA: Protection of Personal Information Act (4/2013)
  5. Provision
    1. The Company acknowledges that it is mandatory to comply with the provisions of the Protection of Personal Information Act (PoPIA).
    2. There are eight (8) conditions that shall apply, and which are relevant for the lawful processing of personal information:
      1. Accountability;
      2. Processing limitation;
      3. Purpose specification;
      4. Further processing limitation;
      5. Information quality;
      6. Transparency (honesty and integrity);
      7. Security safeguards; and
      8. Data subject participation.
  6. Considerations
    1. Processing of Personal Information:
      1. The processing of personal information refers to the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, including inaccessibility, erasure or destruction of personal information.
      2. Personal information collected by the Company and/or any of its representatives or subsidiaries will be collected directly from the data subject, unless:
        1. The information is contained or derived from a public record or has deliberately been made public by the data subject.
        2. The data subject, or a competent person where the data subject is a minor, has consented to the collection of the information from another source.
        3. Collection of the information from another source would not prejudice a legitimate interest of the data subject.
        4. Collection of the information from another source is necessary to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences; to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue; for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; in the interest of national security; or to maintain the legitimate interests of the Company or of a third party to whom the information is supplied.
        5. Compliance would prejudice a lawful purpose of the collection.
        6. Compliance is not reasonably practicable in the circumstances of that instance.
      3. Personal information must only be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the Company.
      4. Ensure that the data subject is aware of what information is collected prior to the collection thereof.
      5. Ensure that the data subject, or a competent person where the data subject is a minor, consents to the collection of the personal information.
      6. Inform the data subject what the purpose is for the collection of this information and inform the data subject regarding:
        1. whether supplying the information to be collected is voluntary or mandatory;
        2. the consequences for the data subject should they fail to provide the information;
        3. whether a legal authority requires the collection of the information for its records;
        4. whether this information needs to be transferred to another source;
        5. whether the Company intends to transfer the information to any other country outside the borders of the Republic of South Africa or to an international organisation, and the level of protection of the personal information which can be expected from that country or international organisation.
      7. Ensure that the personal information is complete, accurate, not misleading and is updated from time to time;
      8. Ensure that the information collected is not excessive: collect solely the information which is necessary for the Company to execute its functions, or which is in the interests of a third party to whom the information will be provided;
      9. Undertake to regard personal information as strictly private and confidential and not to disclose it to any other party, unless required by law to do so, or where disclosure is necessary for the proper performance of the Company’s duties and tasks;
      10. The Company will take responsibility for keeping on record all the appropriate documentation of all processing operations.
  7. Additional processing procedures regarding personal information:
    1. The Company undertakes to ensure that any additional processing of personal information will be in accordance with the purpose for which it was collected;
    2. To assess whether any additional processing is in accordance with the purpose of collection, the following detail should be considered:
      1. The relationship between the purpose of the intended additional processing and the purpose or intention for which the information was collected;
      2. The nature of the information concerned;
      3. The consequences of this action for the data subject regarding the intention of processing additional information;
      4. The manner/method in which this information was collected; and
      5. Any contractual rights and obligations between the parties.
  8. Retention and restriction of records
    1. Records of personal information should not be retained for longer periods than is necessary for achieving the purpose for which the information was collected, unless:
      1. the retention of a record is required or authorised by law;
      2. the Company reasonably requires a record for legal purposes related to its functions or activities;
      3. retention of a record is required by a contract between the parties thereto; or
      4. the data subject, or a competent person where the data subject is a minor, has consented to the retention of a record.
    2. The Company will destroy or delete a record of personal information as soon as is reasonably practicable once it is no longer authorised to retain the record for a further period;
    3. The deletion of a record of personal information should be carried out in a manner that prevents its reconstruction in an intelligible/understandable form;
    4. In the event that the Company uses a record of personal information from a data subject to arrive at a conclusion regarding various aspects pertinent to the data subject, the following will be necessary:
      1. Retain the record for such period as may be required or prescribed by law or a code of conduct; or
      2. If there is no law or code of conduct prescribing a retention period, retain the record for a period that will afford the data subject a reasonable opportunity in which to request access to the record, taking all considerations relating to the use of the personal information into account.
    5. The Company will restrict the processing of personal information if:
      1. its accuracy is contested by the data subject, for a period enabling the Company to verify the accuracy of the information;
      2. the Company no longer requires the personal information for achieving the purpose for which it was collected or subsequently processed, but is required to maintain/retain it for purposes of proof or record keeping purposes;
      3. the processing is unlawful, and the data subject opposes its destruction or deletion and alternatively requests the restriction of its use; or
      4. the data subject requests that the personal data be transmitted or transferred to another automated processing system.
    6. Personal information that has been restricted may only be processed for purposes of proof, or processed with the data subject’s consent, or with the consent of a competent person where the data subject is a minor, or for the protection of the rights of any other natural or legal person, or if such processing is in the public interest.
    7. Where personal information is restricted, the Company will inform the data subject prior to the termination of the restriction.
  9. Security Safeguards
    1. The Company will secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information; and unlawful access to or processing of personal information;
    2. The Company will take reasonable measures to:
      1. identify all reasonably predictable internal and external risks to personal information in its possession or under its management;
      2. establish and maintain appropriate safeguards against the risks identified;
      3. regularly verify that the safeguards are effectively implemented; and
      4. ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguarding methods.
    3. The Company will have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
  10. Security compromises
    1. Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the information officer should be contacted immediately.
    2. The information officer is required to notify the information regulator and the data subject.
    3. The notification of a breach of confidentiality should be made as soon as is reasonably possible upon the discovery of the compromise.
    4. The information officer needs to provide sufficient information to the data subject which will enable the data subject to take protective measures against the potential consequences of the compromise.
  11. Rights of the data subject
    1. The data subject, or competent person where the data subject is a minor, may withdraw his, her or its consent to procure and process his/her or its personal information, at any time, providing that the processing of the personal information was performed legally, prior to the request for the withdrawal.
    2. A data subject, having provided adequate proof of identity, has the right to:
      1. request the Company to confirm, free of charge, whether it holds personal information regarding the data subject; and
      2. request from the Company a record or a description of the personal information relevant to the data subject held by the Company, including information regarding the identity of all third parties, or categories of third parties, who have, or have had, access to the information.
    3. Such a request must be processed within a reasonable period, at the prescribed fee as determined by the Information Officer, in a reasonable manner and format and in a form that is generally understandable.
    4. A data subject may request the Company, to correct or delete personal information in its possession or under its management which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or has been obtained illegally.
    5. A data subject may request the Company to destroy or delete their record of personal information. This must be processed only if it is permissible and has been approved by the Information Officer.
  12. Monitoring and enforcement
    1. All employees will be responsible for administering and overseeing the implementation of this policy, including its supporting guidelines, standard operating procedures, notices, consents and appropriate related documents and processes.
    2. Employees who violate the guidelines and standard operating procedures of this policy may be subject to disciplinary action.
    3. Requests, disclosures, questions, complaints and any other inquiries relating to the processing, collection or re-identification of personal information shall be directed to the information officer or deputy information officer(s), who serve as the point of contact.
  13. Specific information pertaining to this policy
    1. The Company must ensure that the disciplinary code (reference code LRP 001) is amended accordingly to include any violation of this policy.
    2. The Company must appoint an information officer and a deputy officer/s who will be responsible for the management of this division.
    3. The Company will ensure that the information officer and the deputy information officer/s receive the appropriate training with regard to the execution of their duties and responsibilities, in terms of the provisions of PoPIA and PAIA.