Given the nature of Value Fencing's business, which is providing services that contain Personal Information (PI) to clients via various platforms and storing this sensitive member information on our internal systems, we must comply with international legislation such as the Protection of Personal Information Act (POPIA), General Data Protection Regulation (GDPR) and Financial Regulatory requirements. This Policy, however, applies to any PI supplied to a third party for processing.
This legislation gives effect to the right to privacy and regulates the way PI may be processed by providing rights and remedies to protect PI. This applies not only to the processing of PI by a responsible person domiciled in the country, and where processing happens, but also to citizens of a different country/zone (for example EU citizens are protected by GDPR outside of the borders of the EU). Specific to POPI, the Act will override other legislation that contains inconsistent provisions relating to the processing of PI, and where other legislation provides for more extensive conditions for the processing of PI, the other legislation will prevail.
- Race, gender, pregnancy, marital status, national or ethnic origin, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language, and birth of a person.
- Collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation, or use.
- Dissemination by means of transmission, distribution or making available in any form.
- Merging, linking, as well as restriction, degradation, erasure, or destruction.
- Consent means any voluntary, specific, and informed expression agreeing to the processing of PI.
- Data Subject means the person to whom the PI relates.
PI must be collected for a specific, explicitly defined, and lawful purpose related to the function or activity of the responsible party. The data subject must be made aware of the purpose of the collection.
- Further retention is required by law.
- The responsible party reasonably requires keeping it.
- Retention is required by a contract between the parties.
- The data subject consents to further retention.
- The Accountability employee shall ensure that the information collected will not be used for any other purpose before obtaining the individual's approval unless the new purpose is required by law.
- The Accountability employee shall ensure that the person collecting PI will be able to explain to the individual why this is being done.
- The Accountability employee shall ensure that limited collection, limited use, disclosure, and retention principles are respected in identifying why PI is to be collected.
This document is valid from the last review date, is authorized by the Management Representative, and should be revised at least every twelve months or as required. This document replaces and supersedes all previously dated documents for this procedure, which are cancelled and destroyed.
- Value Fencing's Directors will be appointed as Information Officers and the Compliance Officers will serve as the deputies.
- All persons who collect, process, or use PI shall be accountable to the Information Officers/Deputies for such information.
- Any person suspecting that the information is being used for purposes other than those explicitly approved and for which it was collected may register a complaint with the Deputy Information Officer/s at email@example.com / firstname.lastname@example.org.
- The Deputy Information Officer/s shall investigate the above complaint and inform the complainant of his/her findings and corrective action taken, if any.
- If the complainant is dissatisfied with the findings of the Deputy Information Officer/s, an appeal may be submitted to Value Fencing's Information Officers. The decision made by Value Fencing's Information Officer/s will be final.
- The Deputy Information Officer/s shall be responsible for giving training to all Value Fencing's employees and other Partner(s) who might collect, use, or retain PI.
- When collecting PI, the responsible party shall obtain consent from the Data Subject, to use, collect, retain, or disclose said PI.
- When collecting PI, the responsible party shall ensure that the Data Subject understands how the PI will be used.
- Express consent will be obtained from the Data Subject unless, in the Information Officer's opinion, implied consent will be acceptable. The consent must be clear and verifiable.
- The reasonable expectations of the Data Subjects will be respected.
- The Data Subject may, at any time, withdraw consent given, subject to legal and contractual restrictions by giving reasonable notice.
The Responsible Party shall ensure that PI will not be collected indiscriminately, but by fair and lawful means, and be limited to what is necessary to fulfil the specific purpose for which the PI is being collected.
- The data subject consents to the processing.
- Processing is necessary for the conclusion or performance of a contract to which the data subject is a party.
- The information is contained in a public record or has deliberately been made public by the data subject.
- The data subject has consented to the collection from another source.
- Collection from another source would not prejudice a legitimate interest of the data subject.
- Further processing must be compatible with the purpose for which it was collected unless the data subject gives consent to the further processing.
- Has given consent; or
- Is a member of the responsible party and if:
- The party responsible has obtained the contact details of the data subject in the context of the sale of a product or service.
- It is for marketing the responsible party's own related products or services; and
- If the data subject has been given a reasonable opportunity to object, free of charge, at the time the information was collected or on the occasion of each communication for the purpose of marketing.
The responsible party may only approach a data subject whose consent is required, and who has not previously withheld such consent, once, to gain consent and such consent must be in the prescribed manner and form.
A responsible party must take reasonably practical steps to ensure that PI is complete, accurate, not misleading and updated where necessary. The PI shall not be updated routinely unless it is required to fulfil the purpose for which the PI was collected.
A responsible party must secure the integrity and confidentiality of the PI in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent loss, damage or unauthorized destruction, unlawful access to, or processing of the PI.
- Anyone processing PI on behalf of a responsible party must:
- Treat the information as confidential and not disclose it unless required by law.
- Apply the same security measures as the party responsible.
- The processing must be governed by a written contract ensuring safeguards are in place; and
- If domiciled outside the Republic of South Africa, comply with local protection of personal information laws.
- Correct or delete PI that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
- Delete or destroy PI that the responsible party is no longer authorized to retain.
- The Deputy Information Officer shall ensure that all employees and consultants know the importance of keeping PI confidential. The Deputy Information Officer shall ensure that care is taken when PI is disposed of or destroyed to prevent unauthorized parties from gaining access to it.
- The information being collected.
- The name and address of the Responsible Party.
- The purpose for which the information is being collected.
- Whether or not the supply of the information is voluntary or mandatory.
- The consequences of failure to provide the information.
- Any law authorizing the requirement of the collection.
- The right of access to, and the right to rectify, the information collected.
- The fact that, where applicable, the responsible party intends to transfer the information to a third country/international organization and the level of protection afforded by that third country / organization; and
- The right to object to the processing of the information.
The Deputy Information Officer/s shall, upon request, inform an individual whether Value Fencing holds PI about the requested party. If possible, the information source shall also be given. Value Fencing shall allow the individual access to the information.
Value Fencing shall also account for the use that has been made or is being made of this information and give an account to the third parties to whom it has been disclosed. (Note, if the Deputy Information Officer/s believes for valid reasons that access to PI should be denied, the Deputy Information Officer/s shall consult legal counsel before making such a decision.)
A person requesting individual PI may be required by the Deputy Information Officer/s to give sufficient information to permit Value Fencing to provide an account of the existence, use, and disclosure of PI. Information shall be used only for the purpose for which it was obtained.
The Deputy Information Officer/s shall ensure that Value Fencing responds to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be made available in a generally understandable form. For example, Value Fencing shall explain abbreviations or codes it uses to record information.
The Deputy Information Officer/s shall ensure that when an individual successfully demonstrates the inaccuracy or incompleteness of PI, Value Fencing shall amend the information as required. Depending on the information challenged, amendment involves the correction, deletion, or addition of information in question.
The Deputy Information Officer/s shall ensure that when a challenge is not resolved to the individual's satisfaction, Value Fencing shall record the unresolved challenge's substance. When appropriate, the unresolved challenge's existence shall be transmitted to third parties having access to the information in question.
All risks identified and associated with this policy/procedure are recorded on the Risk Management Register (IF-001-Risk Management Register) and managed according to the Risk Management Process (QP-007-Risk Management Process).
- Customer service delivery reports
- Customer Satisfaction survey results
- Minutes of customer meetings
- Follow up actions from previous management reviews
- IF-001-Risk Management Register
- Information Security Incident Management Reports